| Description: | Summary:
The remote host has set no password for the 'root' account.
Vulnerability Insight:
It was possible to login via SSH with the 'root' username and
without passing a password.
Vulnerability Impact:
This issue may be exploited by a remote attacker to gain access
to sensitive information or modify system configuration.
Affected Software/OS:
The following official docker images are known to be affected:
- Alpine Linux since version 3.3
- haproxy before version 1.8.18-alpine
- rabbitmq before version 3.7.13-beta.1-management-alpine
- memcached before version 1.5.11-alpine
- influxdb before version 1.7.3-meta-alpine
- vault before version 0.11.6
- drupal before version 8.5.10-fpm-alpine
- plone before version of 4.3.18-alpine
- kong before version 1.0.2-alpine
- chronograf before version 1.7.7-alpine
- telegraf before version 1.9.4-alpine
- ghost before version 2.16.1-alpine
- adminer before version 4.7.0-fastcgi
- composer before version 1.8.3
- sonarqube
- irssi before version 1.1-alpine
- notary before version signer-0.6.1-1
- spiped before version 1.5-alpine
- Express Gateway before version 1.14.0
- storm before version 1.2.1
- piwik
- znc before version 1.7.1-slim
- elixir before version 1.8.0-alpine
- eggdrop before version 1.8.4rc2
- Consul versions 0.7.1 through 1.4.2
- Crux Linux versions 3.0 through 3.4
- Software AG Terracotta Server OSS version 5.4.1
- Appbase streams version 2.1.2
- Docker Docs versions through 2020-12-14
- Blackfire versions through 2020-12-14
- FullArmor HAPI File Share Mount versions through 2020-12-14
- Weave Cloud Agent version 1.3.0
- Instana Dynamic APM version 1.0.0
- CoScale agent version 3.16.0
- registry versions through 2.7.0
- kapacitor versions through 1.5.0-alpine
In addition the following devices are / software is known to be affected as well:
CVE-2018-0035: Juniper Junos OS QFX5200 and QFX10002 devices
Other products / devices / images might be affected as well.
Solution:
- Set a password for the 'root' account
- For the Alpine Linux Docker image update to one of the following image releases:
edge (20190228 snapshot), v3.9.2, v3.8.4, v3.7.3, v3.6.5
- For other products / devices / images either see the 'affected' tag for fixed releases or
contact the vendor for more information
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
