Aqua Blog

Mitigating Container Image Vulnerabilities with Aqua Vulnerability Shield™

Managing known vulnerabilities in container images has been one of the first issues to get the attention of organizations that adopt containers. Knowing what vulnerabilities (CVEs) lurk in your image code is important, but fixing or patching the images that contain vulnerabilities has been a challenge, since it’s not always easy, speedy, or even possible to do so. Aqua Vulnerability Shield (or Aqua vShield for short) is a novel solution to this problem, that doesn’t require you to patch or change code in images.

You Scanned Your Images, You Found Vulnerabilities – Now What?

Ideally, you update the images with a fixed version of the vulnerable package as soon as possible, but we don’t live in an ideal world. There may be cases in which the vulnerable package is used by multiple applications, creating dependencies that are difficult to predict. Patching or updating that type of package would require extensive and time-consuming testing. Sometimes a fix is simply not available. The remaining option is to take down running applications that have vulnerable components, but that only happens on rare occasions.

The reality is that organizations often run vulnerable applications, assessing their risk and mitigating it where possible, while trying to prioritize which items should be patched. It’s an endless cycle.

Aqua Vulnerability Shield to the Rescue 

Aqua Vulnerability Shield is a new offering that provides a compensating control for known vulnerabilities detected in container images. It’s a type of runtime security policy or “virtual patching” mechanism that automatically detects, and can prevent, attempts to exploit the vulnerability to which it is applied. It is non-intrusive, in that it neither changes the image code nor requires any developer intervention.

Aqua vShield lets security teams know when an exploit attempt was made on the shielded vulnerabilities and can also block that exploit (more on that further down). It allows organizations to reduce the risk of running with known vulnerabilities and to prioritize their patching more efficiently.

Most organizations find vulnerabilities in images that they build. They report them to the development team and set a grace period defining the time frame by which the vulnerabilities should be fixed. Aqua vShield mitigates risk during that window, when the application is exposed.

Many regulations do not allow you to run with known vulnerabilities of a certain severity, or require you to fix them within a strict time frame. However, many auditors accept compensating controls as a means of protecting against the exploitation of vulnerabilities. Using Aqua vShield can help satisfy those requirements.

Depending on the underlying component that the vulnerability impacts and the potential attack vector, an Aqua vShield can detect or block access to various resources at runtime: for example, a vulnerable network protocol, access to certain files, the use of a vulnerable package, or other capabilities required for an exploit.

Aqua vShields are automatically generated for newly discovered vulnerabilities and are reviewed and managed by the Aqua security research team. The team finds new ways to mitigate exploits of vulnerabilities, constantly refining the accuracy of vShields. When an unpatched vulnerability needs to be mitigated quickly, the team can prioritize a specific vShield to cover it.

How an Aqua vShield is Applied

Here is the process by which Aqua vShield mitigates CVEs:

1. A new CVE is discovered. 

2. The CVE is identified in a container image component during a scan. 

3. Aqua identifies the appropriate vShield for this specific CVE, which is displayed in the vulnerability scan results. 

4. Activate vShield by clicking a button.

5. The vulnerable component is monitored in Audit mode for possible exploit attempts, without enforcement, in order to learn the impact on the runtime environment.

6. The vShield automatically moves to Enforce mode once the required learning time has elapsed, assuming no issues were detected in the running containers during that period. Once the image is patched, the vShield for the patched vulnerability is removed automatically. The automated deletion and scheduling reduce the time required to manage the vulnerability and make the process more efficient.
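The lifecycle in steps 4 to 6 (activate, learn in Audit mode, promote to Enforce, retire once a rescan no longer reports the CVE) can be modelled as a small state machine. The following Python is an added illustration written for this post, not Aqua's vShield code or API: the CVE identifier, image name, library path and the "learning window" are constructed placeholders, and the runtime events it consumes are constructed sample data rather than anything captured from a real container.

```python
"""Illustrative lifecycle of a runtime "virtual patch" for one CVE.

Added example, not Aqua's implementation. It models a shield that watches a
single runtime resource (here a file path) tied to a vulnerable component:
- AUDIT:   matching events are recorded and alerted on, never blocked
- ENFORCE: matching events are blocked; reached only after a clean learning window
- REMOVED: the shield retires once a rescan no longer lists its CVE
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUDIT = "audit"
    ENFORCE = "enforce"
    REMOVED = "removed"


@dataclass
class RuntimeEvent:
    container: str   # hypothetical container name
    kind: str        # e.g. "file_open", "network_listen", "exec"
    target: str      # resource the event touches
    t: int           # time in arbitrary ticks (constructed clock)


@dataclass
class Shield:
    cve: str                      # placeholder identifier, not a real CVE
    image: str
    kind: str                     # event kind the shield watches
    target: str                   # resource the shield watches
    learning_window: int          # ticks of clean audit before enforcement
    activated_at: int = 0
    mode: Mode = Mode.AUDIT
    audit_hits: list[RuntimeEvent] = field(default_factory=list)
    blocked: list[RuntimeEvent] = field(default_factory=list)

    def matches(self, ev: RuntimeEvent) -> bool:
        return ev.kind == self.kind and ev.target == self.target

    def handle(self, ev: RuntimeEvent) -> str:
        """Decide what to do with one runtime event: allow, alert or block."""
        if self.mode is Mode.REMOVED or not self.matches(ev):
            return "allow"
        if self.mode is Mode.AUDIT:
            self.audit_hits.append(ev)   # learn, but do not interfere
            return "alert"
        self.blocked.append(ev)          # ENFORCE: stop the access
        return "block"

    def tick(self, now: int) -> Mode:
        """Promote AUDIT -> ENFORCE once the window elapsed with no audit hits."""
        clean = not self.audit_hits
        if self.mode is Mode.AUDIT and clean and now - self.activated_at >= self.learning_window:
            self.mode = Mode.ENFORCE
        return self.mode

    def reconcile(self, rescan_findings: set[str]) -> Mode:
        """Retire the shield when a rescan of the image no longer reports its CVE."""
        if self.cve not in rescan_findings:
            self.mode = Mode.REMOVED
        return self.mode


def new_shield(learning_window: int = 5) -> Shield:
    # All values below are constructed placeholders for the illustration.
    return Shield(cve="CVE-0000-00000", image="shop/api:1.4",
                  kind="file_open", target="/usr/lib/libexample.so",
                  learning_window=learning_window)


def run_scenario() -> dict:
    """Clean learning window -> ENFORCE -> one blocked access -> retired after patch."""
    shield = new_shield()
    decisions = [
        shield.handle(RuntimeEvent("api-1", "file_open", "/etc/hosts", 1)),          # unrelated
        shield.handle(RuntimeEvent("api-1", "network_listen", "0.0.0.0:8080", 2)),   # unrelated
    ]
    for now in range(1, 6):
        shield.tick(now)                      # window elapses with no hits
    mode_after_learning = shield.mode         # ENFORCE
    decisions.append(shield.handle(RuntimeEvent("api-1", "file_open", "/usr/lib/libexample.so", 7)))
    final = shield.reconcile({"CVE-0000-00001"})   # rescan of patched image: our CVE is gone
    decisions.append(shield.handle(RuntimeEvent("api-1", "file_open", "/usr/lib/libexample.so", 9)))
    return {"decisions": decisions, "mode_after_learning": mode_after_learning,
            "final_mode": final, "blocked": len(shield.blocked)}


def audit_hit_delays_enforcement() -> Mode:
    """A hit during the learning window keeps the shield in AUDIT for human review."""
    shield = new_shield(learning_window=3)
    shield.handle(RuntimeEvent("api-2", "file_open", "/usr/lib/libexample.so", 1))
    return shield.tick(10)


if __name__ == "__main__":
    print(run_scenario())
    print(audit_hit_delays_enforcement())
```

The point of the second function is the "assuming no issues were detected" clause in step 6: a match during Audit mode is exactly the signal that the shield could disrupt a legitimate workload (or that an exploit attempt is already under way), so promotion is withheld until someone looks at the recorded hits rather than happening on a timer alone.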

In Summary 

Aqua vShield reduces risk from known vulnerabilities by giving security teams the ability to detect and prevent exploit attempts against those vulnerabilities until their engineering teams can apply a fix and update the vulnerable image. It also provides a valuable tool to help prioritize and automate the process of applying fixes and patches, giving security teams more “runway” to fix the vulnerabilities that are covered by Aqua vShield.

Aqua vShield is part of Aqua CSP v4.2.  

Aqua Team