Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Wednesday May 22 2019, @05:49PM   Printer-friendly
from the never-trust-someone-else dept.

19.4 percent of the Docker store's top 1000 containers have no root password, potentially exposing users' systems to attacks under certain conditions.

Last week, a similar flaw was found impacting the official Alpine Linux Docker image, when Talos researchers discovered that all images since v3.3 were shipping with a root account with a null password. The vulnerability meant attackers who infiltrated systems via another entry point, or users with shell (remote) access, could elevate their privileges to root within the container.

Over the weekend, security expert Jerry Gamblin built a script that checked the top 1000 docker containers from the Docker store to determine if they were impacted by the same misconfiguration.

After tweaking the script to correct for duplicates, Gamblin found that 194 of the 1000 containers he analysed had blank passwords, including images from the UK government, HashiCorp, Microsoft, Monsanto and Mesosphere.

Sources:

[Editors Comment: The submitter is employed by the first source. Alternative sources have been found for this story to verify its content.]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.