Bug 1132001 - lxc: default predictable root password in most templates
Summary: lxc: default predictable root password in most templates
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1132004 1132002 1132003
Blocks:
Reported: 2014-08-20 13:37 UTC by Vincent Danen
Modified: 2019-09-29 13:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:34:34 UTC
Embargoed:



Description Vincent Danen 2014-08-20 13:37:51 UTC
A Debian bug report [1] noted that the default Debian template for LXC (lxc-debian.in) set the root password to 'root' for the newly-created Debian-based container.  In addition, it was also reported [2] that the default sshd_config installed set 'PermitRootLogin yes' which, while allowing root to log in with a password is normally not a problem, makes it easy, due to the constant and known root password, for any user to obtain root privileges in a new container where the password has not been changed.

In the Fedora or CentOS templates that do set a random root password, this is not a problem.  So the second Debian bug is only a security issue when the first issue is present (it is not a security issue in the other templates).

Looking further at the various templates, when a password is not specified, other systems also use predictable defaults:

* openmandriva
* gentoo
* altlinux
* archlinux (if unspecified, no password is set)
* opensuse
* oracle
* plamo
* ubuntu (has a predictable password for user ubuntu, which in turn has sudo access)


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758643
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758647


NOTE: I don't know whether or not this would ever receive a CVE based on these being configurable (so would require in most cases a person to either a) not specify a password or b) not change it post-creation), however the way the Fedora and CentOS templates work (random passwords, stored either in a file or printed to stdout) is a much safer/secure alternative and it would be ideal if these other templates could be changed to do something similar.
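
The safer pattern the description credits to the Fedora and CentOS templates (a random root password, recorded in a file or printed to stdout), written out as an added example; this is not code from the lxc project or from any of the templates listed above. The function names, the password file path, the chroot/chpasswd step and the EXAMPLE_ROOTFS variable are assumptions. The last function covers the second issue from the report: it flags an sshd_config that explicitly sets PermitRootLogin yes.

```shell
#!/bin/sh
# Added illustration, not lxc project code. Shows the pattern the report
# credits to the Fedora/CentOS templates: generate a random root password,
# record it where only the template's invoker can read it, and apply it to
# the new rootfs. Function names, paths, the EXAMPLE_ROOTFS variable and the
# chroot/chpasswd step are assumptions made for this example.

# Emit a random password of $1 characters (default 16) built from /dev/urandom.
gen_root_password() {
    len="${1:-16}"
    # LC_ALL=C keeps tr byte-oriented; -dc drops every byte outside the set.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Record the password in $2 (a file outside the container's rootfs) with
# mode 0600, mirroring the "stored in a file" variant described above.
store_root_password() {
    password="$1"
    outfile="$2"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && printf 'root:%s\n' "$password" > "$outfile" )
}

# Apply the password inside the container rootfs ($1). Needs root privileges
# on the host; chpasswd reads "user:password" lines from stdin.
apply_root_password() {
    rootfs="$1"
    password="$2"
    printf 'root:%s\n' "$password" | chroot "$rootfs" /usr/sbin/chpasswd
}

# Flag the second issue from the description: an sshd_config ($1) that
# explicitly sets PermitRootLogin yes. Returns 1 when it does, 0 otherwise.
# An absent directive falls back to the sshd build's default, which this
# check deliberately does not try to guess.
check_permit_root_login() {
    cfg="$1"
    value=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" \
        | tail -n 1 | awk '{print tolower($2)}')
    [ "$value" != "yes" ]
}

# Typical template flow. Runs only when EXAMPLE_ROOTFS points at a rootfs and
# the caller is root, so sourcing this file elsewhere has no side effects.
if [ -n "${EXAMPLE_ROOTFS:-}" ] && [ "$(id -u)" -eq 0 ]; then
    pw=$(gen_root_password 16)
    store_root_password "$pw" "$EXAMPLE_ROOTFS.root-password"
    apply_root_password "$EXAMPLE_ROOTFS" "$pw"
    echo "root password for $EXAMPLE_ROOTFS written to $EXAMPLE_ROOTFS.root-password"
    if ! check_permit_root_login "$EXAMPLE_ROOTFS/etc/ssh/sshd_config"; then
        echo "warning: sshd_config permits root password login" >&2
    fi
fi
```

The password file is created with a 077 umask rather than chmod'ed afterwards so there is no window in which it is world-readable; printing to stdout, the other variant the description mentions, is simply `echo "$pw"` in place of store_root_password.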

Comment 1 Vincent Danen 2014-08-20 13:38:15 UTC
Created lxc tracking bugs for this issue:

Affects: fedora-all [bug 1132002]
Affects: epel-6 [bug 1132003]
Affects: epel-7 [bug 1132004]

Comment 2 Major Hayden 🤠 2015-06-18 20:45:37 UTC
Inventory of current templates with plans: 

  https://fedoraproject.org/wiki/LXC_Template_Security_Improvements

Comment 3 Product Security DevOps Team 2019-06-08 02:34:34 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
