Docker Image Vulnerability (CVE-2019-5021)

CVE-2019-5021

What is the problem?

If you have the shadow package installed in your Docker container and run your service as non-root user, an attacker who compromised your system via an unrelated security vulnerabillity, or a user with shell access, could elevate their privileges to root within the container.

Who is affected?

The issue only affects Docker images. If you used the Alpine linux installer, setup-alpine , you are not affected.

You are not affected unless you have shadow or linux-pam packages installed.

The issue was fixed in the following Docker image releases (7 March 2019):

edge (20190228 snapshot)

v3.9.2

v3.8.4

v3.7.3

v3.6.5

The following versions are EOL and still vulnerable:

v3.5

v3.4

v3.3

How can I fix it?

Make sure that you use one of the supported releases and update your image.

If you use any of older, unsupported releases, then you can fix it by adding this line to your Dockerfile:

# make sure root login is disabled RUN sed -i -e 's/^root::/root:!:/' /etc/shadow

Alternatively you could make sure that you don’t have linux-pam installed.

How could this happen?

Alpine uses busybox as core tools. We have tested and made sure that root logins without password are only allowed from TTYs that are listed as secure in /etc/securetty . This makes it possible to boot Alpine on a machine and log in as root without shipping any pregenerated, well known password for Alpine. We consider a pregenerated, well known password worse than no password at all.

Services like sshd will not allow logins with blank passwords at all.

Unfortunately we missed the case when a user installs shadow and linux-pam instead of using the default tools.