Safeguard
Tag

container-security

Safeguard articles tagged "container-security" — guides, analysis, and best practices for software supply chain and application security.

385 articles

Vulnerability Analysis

Kubernetes validating admission webhook bypass (CVE-2021-25735)

CVE-2021-25735 let attackers bypass Kubernetes validating admission webhooks on Node objects via a kube-apiserver flaw. Here's the fix and detection path.

Jan 8, 20267 min read
Container Security

Hardening Oracle Kubernetes Engine (OKE) clusters

A practical, command-by-command guide to OKE security best practices: locking down the API endpoint, network security lists, pod security policies, IAM, and image signing.

Jan 8, 20268 min read
Vulnerability Analysis

containerd CRI plugin mount escape (CVE-2022-23648)

CVE-2022-23648 let crafted pod volume specs bypass containerd's CRI mount isolation to reach arbitrary host files — versions, severity, and fixes.

Jan 8, 20266 min read
Vulnerability Analysis

Linux AF_PACKET privilege escalation (CVE-2020-14386)

CVE-2020-14386 lets a local attacker with CAP_NET_RAW corrupt Linux kernel heap memory via AF_PACKET and escalate privileges. Here's the fix and impact.

Jan 8, 20268 min read
Container Security

Detecting container threats in OCI with Cloud Guard

How OCI Cloud Guard detects container threats in OKE — detector recipes, responder rules, real blind spots, and where Safeguard adds runtime and supply-chain coverage.

Jan 7, 20267 min read
Container Security

Comparing container registry security features across maj...

A practical, no-fluff comparison of ECR vs ACR vs GAR vs OCIR on scanning depth, signing, IAM, and compliance — plus where Harbor fits and how Safeguard unifies them.

Jan 6, 20268 min read
Container Security

How Log4Shell exposed cloud container images and how to d...

Log4Shell (CVE-2021-44228) still hides in container images years later. Here's how it works, its CVSS/EPSS/KEV context, and how to detect and remediate it across ECR, ACR, and GAR.

Jan 6, 20268 min read
Vulnerability Analysis

Docker symlink race condition escape (CVE-2018-15664)

A TOCTOU race in Docker's docker cp symlink resolution let malicious containers write to host files as root. Impact, CVSS, and fixes inside.

Dec 15, 20258 min read
Vulnerability Analysis

Docker Engine crafted image denial of service (CVE-2021-21285)

CVE-2021-21285 lets a crafted container image crash Docker Engine before 20.10.3. Affected versions, severity, timeline, and remediation steps.

Dec 15, 20257 min read
Vulnerability Analysis

Docker Engine remap-root UID mapping vulnerability (CVE-2021-21284)

CVE-2021-21284 let remapped-root containers escalate to real host root, defeating Docker's userns-remap isolation. Here's the full breakdown and fix.

Dec 15, 20256 min read
Vulnerability Analysis

Time-of-check to time-of-use (TOCTOU) race condition vulnerabilities

TOCTOU race conditions let attackers swap a resource between a security check and its use. Real CVEs, exploit mechanics, and prevention patterns explained.

Dec 12, 20257 min read
Vulnerability Analysis

Kubernetes RBAC misconfiguration explained

RBAC misconfigurations like wildcard rules and default service account bindings have powered real cluster takeovers, from CVE-2018-1002105 to Siloscape.

Dec 4, 20256 min read
container-security (Page 20) — Safeguard Blog