CVE-2019-5021 — CRITICAL (9.8)

Vulnerability Description

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gliderlabs	Docker-Alpine	>= 3.3
Alpinelinux	Alpine Linux	-
Opensuse	Leap	15.0
F5	Big-Ip Controller	1.2.1

Related Weaknesses (CWE)

CWE-258

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.htmlMailing ListThird Party Advisory
http://www.securityfocus.com/bid/108288Broken Link
https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.htmlVendor Advisory
https://security.netapp.com/advisory/ntap-20190510-0001/Third Party Advisory
https://support.f5.com/csp/article/K25551452Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782ExploitMitigationPatch
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.htmlMailing ListThird Party Advisory
http://www.securityfocus.com/bid/108288Broken Link
https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.htmlVendor Advisory
https://security.netapp.com/advisory/ntap-20190510-0001/Third Party Advisory
https://support.f5.com/csp/article/K25551452Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782ExploitMitigationPatch

FAQ

What is CVE-2019-5021?

CVE-2019-5021 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015...

How severe is CVE-2019-5021?

CVE-2019-5021 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-5021?

Check the references section above for vendor advisories and patch information. Affected products include: Gliderlabs Docker-Alpine, Alpinelinux Alpine Linux, Opensuse Leap, F5 Big-Ip Controller.