CVE-2019-5021
Published 2019-05-08
Priority P262 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.26% (92.7th percentile)
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | big-ip_controller | — | — |
| gliderlabs | docker-alpine | >= 3.3 | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| paloalto | cortex_xsoar | — | — |
Detection & IOCs
- Check /etc/shadow for a NULL (empty) password field for the root user — a line beginning with 'root::' indicates the vulnerable condition.
- Grep /etc/shadow for the pattern '^root::' to confirm the NULL root password is present in the container image.
- Scope detection to Official Alpine Linux Docker images version 3.3 through 3.9 (inclusive); images outside this range are not affected.
- Use the Tenable 'Unpassworded root Account' plugin (Default Unix Accounts family) to flag exploitable hosts with blank root passwords without requiring plugin updates.
- The vulnerability was introduced by a regression in December 2015 when a prior fix (patched in November 2015) was accidentally removed eight days later; affected images span Alpine Linux Docker versions 3.3 through 3.9.
- Cortex XSOAR (Demisto) conducted a scan of all Docker images in its Docker Hub repository and concluded none of its Alpine-based images are affected; the docker exec command is not exposed to external attackers in that product.
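The shadow-file check and version scoping listed above, combined with the `sed` remediation quoted in the Qualys excerpt on this page, as an added example (not code from any of the cited sources). The function names, the sample shadow file and the `guest` account are constructed for illustration, and `/etc/alpine-release` is assumed as the source of the version string.

```shell
#!/bin/sh
# Added example: audit a shadow file for the CVE-2019-5021 condition.

# Print every account whose password field (2nd ":"-separated field) is empty.
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Exit 0 only when root has the NULL password, i.e. a line starting "root::".
root_has_null_password() {
    grep -q '^root::' "$1"
}

# Exit 0 when a version string (as in /etc/alpine-release) falls in the
# 3.3 through 3.9 range this page scopes detection to.
in_affected_range() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" = 3 ] && [ "$minor" -ge 3 ] && [ "$minor" -le 9 ]
}

# Apply the page's remediation (root:: -> root:!:) via a temp file,
# so it does not depend on sed -i and keeps the file's mode.
lock_null_root() {
    tmp=$(mktemp) || return 1
    sed -e 's/^root::/root:!:/' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample shadow file and version (not from a real image).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
guest:::0:::::
EOF

if in_affected_range "3.9.2" && root_has_null_password "$SAMPLE"; then
    echo "NULL password accounts: $(null_password_accounts "$SAMPLE" | tr '\n' ' ')"
    lock_null_root "$SAMPLE"
fi
# The sed fix only touches root; other empty-password accounts stay listed.
echo "after fix: $(null_password_accounts "$SAMPLE" | tr '\n' ' ')"
rm -f "$SAMPLE"
```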
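CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |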
GHSA
GHSA-m3hq-qcc9-75f6: Versions of the Official Alpine Linux Docker images (since v3
ghsa_unreviewed·2022-05-24
CVE-2019-5021 [CRITICAL] CWE-798 GHSA-m3hq-qcc9-75f6: Versions of the Official Alpine Linux Docker images (since v3
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
Palo Alto
PAN-SA-2020-0010 Informational: Cortex XSOAR: Impact of Linux and Docker vulnerabilities on Cortex XSOAR
vendor_paloalto·2020-10-14·CVSS 9.8
CVE-2019-5736 [CRITICAL] CWE-216 PAN-SA-2020-0010 Informational: Cortex XSOAR: Impact of Linux and Docker vulnerabilities on Cortex XSOAR
Cortex XSOAR provides analysts with the option to specify the Docker image to use for running custom scripts and integrations. An analyst who has write permission to scripts or integrations is able to exploit Docker vulnerabilities such as CVE-2019-5736, or Linux kernel vulnerability such as CVE-2020-14386 to obtain root access on the Cortex XSOAR server. Demisto Server does not use the docker exec command and does not expose a mechanism for an external attacker to manipulate or provide an attacker-controlled image for execution. Thus, CVE-2019-5736 does not increase exposure to an external attack. CVE-2019-5021 is a vulnerability in Alpine Linux Docker images where the root password m
No detection rules found.
No public exploits indexed.
Qualys
Alpine Docker Image Vulnerability (CVE-2019-5021): How to Detect and Fix | Qualys
blogs_qualys·2019-06-11·CVSS 9.8
CVE-2019-5021 [CRITICAL] Alpine Docker Image Vulnerability (CVE-2019-5021): How to Detect and Fix | Qualys
The official Alpine Docker images, version >=3.3, contain a null password for the root user. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.
## Remediation
If you are using an older, unsupported release, you can fix it by adding this line to your Dockerfile:
```
# CVE-2019-5021 disable root login
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
```
Tenable
CVE-2019-5021: Hard-Coded NULL root Password Found in Alpine Linux Docker Images
blogs_tenable·2019-05-09·CVSS 9.8
[CRITICAL] CVE-2019-5021: Hard-Coded NULL root Password Found in Alpine Linux Docker Images
References
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00004.html
- http://www.securityfocus.com/bid/108288
- https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html
- https://security.netapp.com/advisory/ntap-20190510-0001/
- https://support.f5.com/csp/article/K25551452
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782

Published: 2019-05-08