Developer organizations heavily depend on various tools to support communication, collaboration, and productivity. As a result, there is a growing trend among many companies to embrace application packaging tools like Docker and Kubernetes.

Both companies and developers increasingly prefer Docker containers because they can package applications, configurations, and libraries and distribute them in a unified manner without the need for individual PCs or servers. This allows for streamlined deployment and installation processes.

The 2021 Stack Overflow survey below reveals how many businesses use Docker.

Source: Stack Overflow

However, if Docker containers are not adequately managed, they can pose various vulnerabilities, including code execution, directory traversal, and privilege acquisition. These vulnerabilities can result in severe damage and consequences.

From 2014 to the present, a total of 34 Docker vulnerabilities have been identified. Among these vulnerabilities, 9 have scored above 7, indicating their severity. This includes high-risk vulnerabilities like double privilege acquisition and code execution.

Source: CVE Details

The CVE-2019-5736 vulnerability is particularly concerning as it exploits the runC bug to gain root privileges on the host system, allowing access to container servers and other containers. Therefore, it is strongly advised to promptly apply patches to affected versions to mitigate this vulnerability.

Docker CE 18.06.2, 18.09.2 Previous Version, Docker EE 17.06.2-ee-19 Previous Version, 18.03.1-ee-6, 18.09.2

After searching for all IP addresses worldwide, it has been confirmed that 27,796 IPs are being utilized for running Docker. These IPs are primarily located in China, followed by the United States and South Korea.

IP addresses running Docker

After searching for the vulnerable “Docker 17.06.2” version among all the 27,796 IP addresses, a total of 1,694 IP addresses were confirmed. Even though it was a vulnerability reported in 2019, there are a considerable number of IPs that still operate on vulnerable Docker versions, as evidenced by statistics.

IP addresses running vulnerable versions of Docker

For a more detailed analysis, look at an IP address marked as “Inbound: Critical” according to the IP scoring. This IP address runs Docker on port number 1024 and exhibits 6 vulnerabilities and 1 entry in the exploit database, indicating a significantly vulnerable state.

IP marked as Inbound: Critical

Among the identified vulnerabilities, CVE-2019-5736 stands out as a highly risky one. As mentioned earlier, this vulnerability exploits the runC bug to gain root privileges on the host and access container servers and other containers. Therefore, it is crucial to take immediate security patch measures to address this critical vulnerability.

CVE-2019-5736 Vulnerability Identified in IP Address

Docker versions with identified vulnerabilities should be immediately updated to the latest version. As follow-up measures, you must secure the safety of the development environment by taking protective measures such as hardening Docker configuration and host OS security, managing Docker file image privilege, and separating privilege for each Docker Swarm node.


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. [Criminal IP’s Official Service Release]