5.8 Open only needed ports on container

Information

https://docs.docker.com/articles/networking/#binding-ports
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Fix the Dockerfile of the container image so that it exposes only the ports your containerized application needs. You can also ignore the list of ports defined in the Dockerfile entirely by NOT using the '-P' (uppercase) or '--publish-all' flag when starting the container. Use the '-p' (lowercase) or '--publish' flag to explicitly define the ports that you need for a particular container instance.
For example:
docker run --interactive --tty --publish 5000 --publish 5001 --publish 5002 centos /bin/bash
Impact:
None.
Default Value:
By default, all ports listed under the EXPOSE instruction in an image's Dockerfile are opened (published on the host) when the container is run with the '-P' or '--publish-all' flag.
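The following script is an added example for this check; it is not part of the benchmark or of Nessus. It shows how to tell an EXPOSEd-but-unpublished port from a port actually bound on the host by reading the NetworkSettings.Ports map of 'docker inspect' output, and compares what each container publishes against a per-container allow-list. The inspect output and the allow-list (ALLOWED) are constructed for illustration.

```python
import json
import sys

# Constructed sample (not real 'docker inspect' output): two containers, trimmed to
# the NetworkSettings.Ports map this check relies on. A port with a list of bindings
# is published on the host; a port mapped to null is only EXPOSEd, not published.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000001",
        "Name": "/web",
        "NetworkSettings": {"Ports": {
            "5000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32768"}],
            "5001/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32769"}],
            "9229/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32770"}],  # published by -P, not needed
            "8443/tcp": None,  # exposed in the Dockerfile but never published
        }},
    },
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000002",
        "Name": "/db",
        "NetworkSettings": {"Ports": {"5432/tcp": None}},
    },
])

# Hypothetical allow-list: container name -> container ports that are supposed to be published.
ALLOWED = {"web": {"5000/tcp", "5001/tcp"}, "db": set()}


def published_ports(container: dict) -> dict:
    """Return {container_port: ["host_ip:host_port", ...]} for ports actually bound on the host."""
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    return {
        cport: [f"{b['HostIp']}:{b['HostPort']}" for b in bindings]
        for cport, bindings in ports.items()
        if bindings  # None or empty list means exposed but not published
    }


def audit(inspect_json: str, allowed: dict) -> list:
    """Return [(container_name, [unexpected container ports]), ...] for containers that
    publish ports not present in their allow-list entry."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        unexpected = sorted(
            port for port in published_ports(container)
            if port not in allowed.get(name, set())
        )
        if unexpected:
            findings.append((name, unexpected))
    return findings


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit_ports.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, ports in audit(data, ALLOWED):
        print(f"{name}: published but not in allow-list: {', '.join(ports)}")
    # With the constructed sample this prints: web: published but not in allow-list: 9229/tcp
```

The "db" container produces no finding because its 5432/tcp entry is null: the port is listed in the image's EXPOSE instruction but was never published, which is exactly the state the benchmark wants for ports the application does not need.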

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 44119f1c19aa1f457af1fe65d3adf9bedc3abc07fb0300f0ada2c01735c21bbc