Description
The official Kong Docker images for Alpine Linux, in versions prior to 1.0.2-alpine, were distributed with a dangerous security misconfiguration: the root user account had no password set, creating a critical authentication bypass vulnerability. Any remote attacker who could reach the container could gain full root privileges simply by logging in without providing a password. This vulnerability represents a severe security risk, as it allows complete compromise of affected Kong containers.
Overview
This vulnerability (CVE-2020-35189) is classified as CWE-306 (Missing Authentication for Critical Function). It affects only the Alpine-specific Kong Docker images prior to version 1.0.2-alpine. The issue stems from an improper image configuration in which the root user account was created with a blank password. In containerized environments, an attacker who gains access to the container could escalate privileges to root without any authentication, effectively bypassing all security controls. Organizations running these vulnerable Kong containers in production face significant risk of unauthorized access and potential data breaches.
Remediation
To address this vulnerability, organizations should take the following actions:
- Immediately update Kong Docker images to version 1.0.2-alpine or later.
- Audit all existing Kong container deployments to identify instances running vulnerable versions.
- Replace any running containers based on vulnerable images with updated versions.
- Consider implementing additional container security measures such as:
  - Running containers with non-root users
  - Implementing proper network segmentation
  - Using container security scanning tools
  - Setting up proper authentication mechanisms for container access
- Review security logs for any signs of unauthorized access to Kong containers.
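As an added example (not part of this advisory or the Kong project), the following POSIX shell helpers support the audit steps above: one flags Kong Alpine image references older than 1.0.2-alpine in `docker ps`-style output, and one checks whether an `/etc/shadow` entry for root has the empty password field the advisory describes. The `docker ps` lines and shadow entries are constructed samples, and the tag layout `kong:<version>-alpine` is assumed.

```shell
#!/bin/sh
# Added example: audit helpers for CVE-2020-35189 (not from the advisory or the Kong project).
# Assumes Kong images are tagged kong:<version>-alpine, possibly behind a registry prefix.

# Exit 0 when the image reference is an Alpine Kong image older than 1.0.2-alpine.
is_vulnerable_tag() {
  ref="${1##*/}"                        # drop registry/namespace, keep "kong:<tag>"
  case "$ref" in
    kong:*-alpine) ver="${ref#kong:}"; ver="${ver%-alpine}" ;;
    *) return 1 ;;                      # non-Alpine or non-Kong image: not affected
  esac
  # Field-wise numeric comparison: vulnerable iff ver sorts strictly below 1.0.2
  lowest=$(printf '%s\n1.0.2\n' "$ver" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$ver" ] && [ "$ver" != "1.0.2" ]
}

# Exit 0 when a /etc/shadow line belongs to root and its password field is empty,
# i.e. the misconfiguration this advisory describes ("!" or "*" would mean locked).
root_has_empty_password() {
  user="${1%%:*}"
  rest="${1#*:}"
  pass="${rest%%:*}"
  [ "$user" = "root" ] && [ -z "$pass" ]
}

# Read "name image" lines (docker ps --format '{{.Names}} {{.Image}}') from stdin
# and print the names of containers whose image is vulnerable.
audit_containers() {
  while read -r name image; do
    if is_vulnerable_tag "$image"; then
      printf '%s\n' "$name"
    fi
  done
}

# Constructed sample of docker ps output (not captured from a real host).
SAMPLE_PS='kong-gw-1 kong:1.0.1-alpine
kong-gw-2 kong:1.0.2-alpine
kong-legacy registry.example.internal:5000/kong/kong:0.14.1-alpine
kong-centos kong:1.0.1-centos'

# Constructed shadow entries: empty password, locked account, hashed password.
SHADOW_EMPTY='root:::0:::::'
SHADOW_LOCKED='root:!::0:::::'
SHADOW_HASHED='root:$6$saltsalt$placeholderhash:18000:0:99999:7:::'

printf '%s\n' "$SAMPLE_PS" | audit_containers   # prints kong-gw-1 and kong-legacy
```

On a live host, feed `docker ps --format '{{.Names}} {{.Image}}'` into `audit_containers`, and run `root_has_empty_password "$(grep '^root:' /etc/shadow)"` inside a suspect container to confirm the blank password field.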
References
- Original vulnerability disclosure: https://github.com/koharin/koharin2/blob/main/CVE-2020-35189
- MITRE CVE Entry: CVE-2020-35189
- CWE-306: Missing Authentication for Critical Function
- Kong Docker Official Images: https://hub.docker.com/_/kong
Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food Services
- Administrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry, Fishing & Hunting
- Arts, Entertainment & Recreation
- Construction
- Educational Services
- Finance and Insurance
- Health Care & Social Assistance
- Information
- Management of Companies & Enterprises
- Manufacturing
- Mining
- Other Services (except Public Administration)
- Professional, Scientific, & Technical Services
- Public Administration
- Real Estate Rental & Leasing
- Retail Trade
- Transportation & Warehousing
- Utilities
- Wholesale Trade