Docker Image Vulnerability (CVE-2019-5021)
What is the problem?
If you have the shadow package installed in your Docker container and run
your service as non-root user, an attacker who compromised your system via an
unrelated security vulnerabillity, or a user with shell access, could elevate
their privileges to root within the container.
Who is affected?
The issue only affects Docker images. If you used the Alpine linux installer,
setup-alpine, you are not affected.
You are not affected unless you have shadow or linux-pam packages
installed.
The issue was fixed in the following Docker image releases (7 March 2019):
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5
The following versions are EOL and still vulnerable:
- v3.5
- v3.4
- v3.3
How can I fix it?
Make sure that you use one of the supported releases and update your image.
If you use any of older, unsupported releases, then you can fix it by adding this line to your Dockerfile:
# make sure root login is disabled
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
Alternatively you could make sure that you don’t have linux-pam installed.
How could this happen?
Alpine uses busybox as core tools. We have tested and made sure that root
logins without password are only allowed from TTYs that are listed as secure in
/etc/securetty. This makes it possible to boot Alpine on a machine and log in
as root without shipping any pregenerated, well known password for Alpine. We
consider a pregenerated, well known password worse than no password at all.
Services like sshd will not allow logins with blank passwords at all.
Unfortunately we missed the case when a user installs shadow and linux-pam
instead of using the default tools.
EDIT: release date of fixed releases was added