CVE-2019-5021: Alpine Linux Docker Image Security Vulnerability Alert
Alpine Linux has long been known for being lightweight and secure, but Cisco security researchers recently found a vulnerability in the official Alpine Linux Docker image that lets anyone log in to the root account with a blank password. The Alpine Linux Docker image is only about 5 MB, much smaller than the images of other Linux distributions, and has been pulled more than 10 million times from Docker Hub.
The vulnerability is tracked as CVE-2019-5021 and carries a CVSS severity score of 9.8 (critical). From the advisory: “This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.”
Affected versions
- v3.5
- v3.4
- v3.3
Unaffected versions
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5
Solution
Make sure you build from one of the supported releases listed above and rebuild your image against the patched tag.
If you must stay on one of the older, unsupported releases, you can fix it by adding this line to your Dockerfile so that root login is disabled:

```dockerfile
# make sure root login is disabled
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
```

The affected images ship a root entry in /etc/shadow whose password field is empty (`root::...`); the sed replaces that empty field with `!`, which locks the account so that no password, blank or otherwise, can match. Alternatively you could make sure that you don't have linux-pam installed, but note that the advisory also covers "some other mechanism which uses the system shadow file as an authentication database", so removing PAM only helps if nothing else in the image authenticates against /etc/shadow. Locking the entry is the safer fix.
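As an added example (not code from the article or from the Alpine project), the following POSIX shell script shows what the affected /etc/shadow entry looks like, a check that flags every account with an empty password field, and the article's locking fix generalised from root to any such account. The shadow contents, the temporary file path and the function names are constructed here for illustration only; the script never touches the real /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the article or the Alpine project: detect the
# empty password field that CVE-2019-5021 leaves in /etc/shadow and apply
# the same "lock the account" fix the article recommends. It works on a
# constructed copy of the shadow file so it runs offline.

# Write a constructed shadow file modelled on an affected Alpine image
# (root's second field, the password hash, is empty) and print its path.
# $1 is a suffix so callers can create independent copies.
make_sample_shadow() {
    f="${TMPDIR:-/tmp}/shadow.cve-2019-5021.$$.$1"
    cat > "$f" <<'EOF'
root::18000:0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::
EOF
    printf '%s\n' "$f"
}

# Print the name of every account whose password field is empty.
# "!" or "*" locks an account and a hash is a real password, so only an
# empty field lets a blank password through. Exit 0 if any were found,
# 1 if the file is clean, so the function doubles as a boolean check.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1; found = 1 } END { exit !found }' "$1"
}

# Lock every account with an empty password field by writing "!" into it.
# This is the article's sed fix generalised from root to any account.
# A temp file is used instead of "sed -i" only for portability across
# sed implementations; inside an Alpine Dockerfile "sed -i" is fine.
lock_empty_passwords() {
    sed -e 's/^\([^:]*\)::/\1:!:/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration: scan an affected copy, lock it, scan again.
demo="$(make_sample_shadow demo)"
echo "accounts with empty password field before fix:"
empty_password_accounts "$demo" || echo "(none)"
lock_empty_passwords "$demo"
echo "accounts with empty password field after fix:"
empty_password_accounts "$demo" || echo "(none)"
rm -f "$demo"
```

To audit a real image instead of the constructed file, run the `empty_password_accounts` check against /etc/shadow inside a container started from that image before it is deployed; an affected Alpine image prints `root`, a patched one prints nothing.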