Nearly one in five of the most popular containers available on the Docker store have no password for root access. That's the finding of researcher Jerry Gamblin, building on work by researchers at Cisco Talos. The result could easily be hundreds of thousands of containers deployed with no functional password at all.
The finding is important because containers, most frequently with Docker as the container manager, are becoming popular for deploying virtualized applications (as opposed to completed virtualized servers deployed with products like VMware or Microsoft Hyper-V). As Docker puts it, "A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries, and settings."
In order to save time, developers will often put a container image into a repository for reuse, or they'll look at a public repository, like GitHub or the Docker Store, to find containers built by others that they can download and use. If those publicly available containers have vulnerabilities, they can quickly spread across the Internet.
According to the original Cisco Talos report, the vulnerability began with "null" passwords for the root user in Docker images for Alpine Linux, a lightweight, container-specific Linux distribution very popular in container development.
The vulnerability, now designated CVE-2019-5021, was first discovered in 2015 and patched — but then eight days later someone replaced a patched file with another fil ..
Support the originator by clicking the read the rest link below.
