Docker Obsolete TLS Protocol Usage
Description
Identifies the use of deprecated and insecure SSL/TLS protocol versions in Dockerfiles where curl or wget commands are invoked. Forcing an outdated SSL/TLS version (SSLv1 to SSLv3, TLSv1.0, TLSv1.1) exposes the download to known protocol weaknesses and to man-in-the-middle attacks, which matters because these commands typically fetch scripts or binaries that are then executed during the image build.
Detection Strategy
• Scans Dockerfile content for RUN commands that contain curl or wget commands
• For curl commands, detects usage of flags: --tlsv1, --tlsv1.0, --tlsv1.1, --sslv1, --sslv2, or --sslv3
• For wget commands, detects --secure-protocol option with values: TLSv1, TLSv1_1, SSLv1, SSLv2, or SSLv3
• Reports a vulnerability when any of these insecure protocol specifications are found in a RUN instruction
Vulnerable code example
# Dockerfile with insecure TLS configurations
RUN curl --tlsv1.0 -O https://tlsv1-0.example.com/downloads/install.sh # Vulnerable: Uses deprecated TLSv1.0
RUN wget --secure-protocol TLSv1_1 https://example.com/downloads/install.sh # Vulnerable: Uses deprecated TLSv1.1
Secure code example
# Dockerfile with secure TLS configurations
RUN curl --tlsv1.3 -O https://tlsv1-3.example.com/downloads/install.sh # Secure: Uses TLSv1.3 (most recent version)
RUN wget --secure-protocol TLSv1_3 https://example.com/downloads/install.sh # Secure: Uses TLSv1.3 protocol
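The detection strategy above, implemented as a small Python scanner; this is an added example, not the original page's content or Fluid Attacks' own scanner, and the Dockerfile it scans is constructed here. It handles backslash line continuations, trailing shell comments, and both the --secure-protocol=VALUE and --secure-protocol VALUE forms of the wget option.

```python
import shlex

# Flags and values the rule treats as insecure (from the detection strategy above)
CURL_FLAGS = {"--tlsv1", "--tlsv1.0", "--tlsv1.1", "--sslv1", "--sslv2", "--sslv3"}
WGET_VALUES = {"TLSv1", "TLSv1_1", "SSLv1", "SSLv2", "SSLv3"}

def run_instructions(text):
    # Yield (line_number, command) per RUN instruction, joining backslash continuations
    lines, i = text.splitlines(), 0
    while i < len(lines):
        start, buf = i + 1, lines[i].strip()
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + " " + lines[i].strip()
        i += 1
        parts = buf.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "RUN":
            yield start, parts[1]

def scan_run_command(cmd):
    # Return [(tool, spec)] for every insecure protocol choice in one shell-form RUN
    try:
        tokens = shlex.split(cmd, comments=True)  # '#' starts a trailing comment
    except ValueError:  # unbalanced quotes: degrade to a plain whitespace split
        tokens = cmd.split()
    hits, tool = [], None
    for i, tok in enumerate(tokens):
        name = tok.rsplit("/", 1)[-1]  # so /usr/bin/curl is recognised too
        if name in ("curl", "wget"):
            tool = name  # flags that follow belong to this tool
        elif tool == "curl" and tok in CURL_FLAGS:
            hits.append(("curl", tok))
        elif tool == "wget" and tok.startswith("--secure-protocol"):
            # accept both --secure-protocol=VALUE and --secure-protocol VALUE
            value = tok.partition("=")[2] or (tokens[i + 1] if i + 1 < len(tokens) else "")
            if value in WGET_VALUES:
                hits.append(("wget", "--secure-protocol " + value))
    return hits

def find_insecure_tls(dockerfile_text):
    # Return [(line_number, tool, spec)] for the whole Dockerfile
    return [(n, t, s) for n, c in run_instructions(dockerfile_text) for t, s in scan_run_command(c)]

# Constructed sample: two insecure RUNs (one line-continued) and one that is fine
SAMPLE = """FROM alpine:3.19
RUN curl --tlsv1.0 -O https://tlsv1-0.example.com/downloads/install.sh # deprecated
RUN wget --secure-protocol=TLSv1_1 \\
    https://example.com/downloads/install.sh
RUN apk add --no-cache curl && curl --tlsv1.3 -O https://tlsv1-3.example.com/downloads/install.sh
"""
```

Running `find_insecure_tls(SAMPLE)` reports the curl flag on line 2 and the wget option on line 3, and nothing for the TLSv1.3 download on line 5.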