CVE-2019-5021
First published: Wed May 08 2019(Updated: )
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gliderlabs Docker-alpine | >=3.3 | |
| Alpinelinux Alpine Linux | ||
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| F5 Big-ip Controller | =1.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.html
- http://www.securityfocus.com/bid/108288
- https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html
- https://security.netapp.com/advisory/ntap-20190510-0001/
- https://support.f5.com/csp/article/K25551452
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782
Frequently Asked Questions
What is CVE-2019-5021?
CVE-2019-5021 is a vulnerability that affects versions of the Official Alpine Linux Docker images since v3.3, where the root user has a NULL password.
What is the severity of CVE-2019-5021?
CVE-2019-5021 has a severity rating of 9.8, which is considered critical.
How does CVE-2019-5021 affect Gliderlabs Docker-alpine?
Gliderlabs Docker-alpine versions since v3.3 are affected by CVE-2019-5021 where the root user has a NULL password.
How can I fix CVE-2019-5021?
To fix CVE-2019-5021, you should update your Alpine Linux Docker images to a version that has addressed the NULL password vulnerability.
Are openSUSE Leap 15.0 and 15.1 affected by CVE-2019-5021?
No, openSUSE Leap 15.0 and 15.1 are not affected by CVE-2019-5021.
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/event
- agent/type
- agent/weakness
- agent/description
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/gliderlabs
- canonical/gliderlabs docker-alpine
- version/gliderlabs docker-alpine/3.3
- vendor/alpinelinux
- canonical/alpinelinux alpine linux
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1
- vendor/f5
- canonical/f5 big-ip controller
- version/f5 big-ip controller/1.2.1