CVE-2019-5021: Bug in Official Docker Images Based on Alpine Linux

CVE-2019-5021 is a vulnerability in the Official Docker images based on the Alpine Linux distro. The flaw has been there for at least three years, allowing logging into the root account via a blank password.

The bug was initially discovered and patched in 2015 in build 3.2 of the Alpine Linux Docker image, when regression tests were added to prevent the flaw from returning. However, a new commit pushed later the same year, meant to simplify those regression tests, is where things went wrong.

What is CVE-2019-5021 all about?

According to the official description, versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. The flaw is most likely a result of a regression introduced in December of 2015.

Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user, the official advisory says.


The problem was rediscovered by Peter Adkins of Cisco Umbrella earlier this year. The issue should not be overlooked as the official Alpine Linux Docker image has over 10 million downloads.

What is the mitigation?

The root account should be explicitly disabled in Docker images built using affected versions as a base, says Cisco Talos. A successful exploit of the vulnerability is dependent on the environment and requires the exposed service to utilize Linux PAM or another mechanism that uses the system shadow file as an authentication database.
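As an added illustration (this is not code from the article, from Alpine Linux or from Cisco Talos), the POSIX shell functions below audit a file in /etc/shadow format for accounts whose password field is empty, which is the condition the advisory describes for `root`, and rewrite such entries into the locked form that disabling the account produces. The sample shadow content is constructed for the example; its root line reproduces the empty second field of the affected images. Field layout and the `!` lock marker follow the standard shadow(5) format.

```shell
#!/bin/sh
# Added example, not part of the article or of the Alpine image repository.
# Audits shadow-format input for accounts that would accept a blank password
# and shows the locked form the recommended mitigation writes.

# Print the names of accounts whose password field (field 2) is empty.
# Reads shadow-format lines from stdin. An empty field means "no password
# required"; "!" or "*" mean the account is locked and are not reported.
find_blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Rewrite every entry with an empty password field so that the field holds
# "!", the marker shadow(5) uses for a locked account. Other lines pass
# through unchanged. Reads stdin, writes stdout.
lock_blank_passwords() {
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "!" } { print }'
}

# Constructed sample shadow file for demonstration only. The root line has
# an empty second field, mirroring the state of the affected images.
SAMPLE_SHADOW='root::10933:0:99999:7:::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::'

# Stand-alone demonstration: report, then show the locked result.
echo "Accounts accepting a blank password:"
printf '%s\n' "$SAMPLE_SHADOW" | find_blank_password_accounts
echo
echo "Shadow content after locking blank-password accounts:"
printf '%s\n' "$SAMPLE_SHADOW" | lock_blank_passwords
```

On a running container the audit is `find_blank_password_accounts < /etc/shadow`; a non-empty result means the shadow file would let PAM-backed services authenticate that account with no password. In a Dockerfile built on an affected base the same locking step can be applied at build time, for example with `RUN passwd -l root` (BusyBox passwd supports `-l`) or by editing /etc/shadow so the root entry reads `root:!:` instead of `root::`.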

In addition, supported builds have been updated and are “now only generated from upstream minirootfs tarballs,” as revealed by a commit from Natanael Copa, the creator of Alpine Linux. Release and update scripts have been refactored and moved to the official Alpine Linux image repository on the Docker portal, researchers said.

Milena Dimitrova
