Alpine Linux distributions have long been known for being lightweight and secure, but recently Cisco security researchers have found a security vulnerability in Alpine Linux’s Docker image that allows them to log in to the root account with a blank password. The Alpine Linux Docker image is a very small image that is only 5MB in size, much smaller than other Linux distributions, and has been downloaded more than 10 million in Docker Hub.
The vulnerability is numbered CVE-2019-5021 and has a severity score of 9.8. “This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.”
- edge (20190228 snapshot)