Docker Image Vulnerability (CVE-2019-5021)
What is the problem?
If you have the
shadow package installed in your Docker container and run
your service as non-root user, an attacker who compromised your system via an
unrelated security vulnerabillity, or a user with shell access, could elevate
their privileges to root within the container.
Who is affected?
The issue only affects Docker images. If you used the Alpine linux installer,
setup-alpine, you are not affected.
You are not affected unless you have
The issue was fixed in the following Docker image releases (7 March 2019):
- edge (20190228 snapshot)
The following versions are EOL and still vulnerable:
How can I fix it?
Make sure that you use one of the supported releases and update your image.
If you use any of older, unsupported releases, then you can fix it by adding this line to your Dockerfile:
# make sure root login is disabled RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
Alternatively you could make sure that you don’t have
How could this happen?
busybox as core tools. We have tested and made sure that root
logins without password are only allowed from TTYs that are listed as secure in
/etc/securetty. This makes it possible to boot Alpine on a machine and log in
as root without shipping any pregenerated, well known password for Alpine. We
consider a pregenerated, well known password worse than no password at all.
sshd will not allow logins with blank passwords at all.
Unfortunately we missed the case when a user installs
instead of using the default tools.
EDIT: release date of fixed releases was added