CVE-2019-5021 #13

Closed
tao12345666333 opened this issue May 9, 2019 · 3 comments

@tao12345666333
commented May 9, 2019

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the root user.

ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021
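The condition described in the issue text above can be checked directly against a shadow-format file. This is an added example, not part of the original thread or of the image maintainers' own tests. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for accounts whose password
# field (second colon-separated field) is empty, i.e. a NULL password.

# empty_password_accounts FILE
# Prints the login name of every entry with an empty password field.
empty_password_accounts() {
    awk -F: '
        /^#/ || NF < 2 { next }    # skip comments, blank and malformed lines
        $2 == "" { print $1 }      # "!" or "*" means locked, "" means no password
    ' "$1"
}

# root_has_null_password FILE
# Succeeds (exit 0) only when the root entry has an empty password field.
root_has_null_password() {
    empty_password_accounts "$1" | grep -qx 'root'
}

# audit_shadow FILE
# Returns 0 when clean, 1 when any account has an empty password field,
# 2 when the file cannot be read.
audit_shadow() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    accounts=$(empty_password_accounts "$file")
    if [ -n "$accounts" ]; then
        echo "FAIL: empty password field for:" $accounts
        return 1
    fi
    echo "OK: no empty password fields in $file"
    return 0
}

# Constructed sample entries (not copied from any real image).
demo() {
    dir=$(mktemp -d)
    printf 'root:::0:::::\nbin:!::0:::::\n'  > "$dir/affected"
    printf 'root:!::0:::::\nbin:!::0:::::\n' > "$dir/fixed"
    audit_shadow "$dir/affected" || true
    audit_shadow "$dir/fixed"
    rm -rf "$dir"
}
demo
```

Point `audit_shadow` at the `/etc/shadow` extracted from an image to use it as a build or CI gate; a non-zero exit status fails the step.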

@tianon

commented May 9, 2019

There's some relevant discussion over in gliderlabs/docker-alpine#511 and docker-library/official-images#5880

TLDR; no currently supported Alpine images are affected (all affected images are EOL), the attack vector is very narrow to begin with, and there are a couple other images we're looking to fix (and updating our test to catch this more aggressively).

@ncopa

Contributor

commented May 9, 2019

The issue was fixed March 7 2019 with docker-library/official-images#5516

@ncopa ncopa closed this May 9, 2019
