CVE-2019-5021 is a vulnerability in the Official Docker images based on the Alpine Linux distro. The flaw has been present for at least three years and allows logging in to the `root` account with a blank password.
The bug was initially discovered and patched in 2015, in build 3.2 of the Alpine Linux Docker image, when regression tests were added to keep it from coming back. However, a commit pushed later the same year to simplify those regression tests is where things went wrong.
What is CVE-2019-5021 all about?
According to the official description, versions of the Official Alpine Linux Docker images since v3.3 contain a NULL (empty) password for the `root` user. The flaw is most likely the result of a regression introduced in December 2015.
Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user, the official advisory says.
The problem was rediscovered by Peter Adkins of Cisco Umbrella earlier this year. The issue should not be overlooked as the official Alpine Linux Docker image has over 10 million downloads.
What is the mitigation?
The root account should be explicitly disabled in Docker images built using affected versions as a base, says Cisco Talos. Successful exploitation depends on the environment: it requires the exposed service to authenticate via Linux PAM or another mechanism that uses the system shadow file as an authentication database.
In addition, supported builds have been updated and are “now only generated from upstream minirootfs tarballs,” as revealed by a commit from Natanael Copa, the creator of Alpine Linux. Release and update scripts have been refactored and moved to the official Alpine Linux image repository on the Docker portal, researchers said.
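The advice above to disable root amounts to making sure the password field of the `root` line in `/etc/shadow` is not empty. The following is an added example, not code from the advisory, from Cisco Talos or from the Alpine project, showing how to check a shadow file for that condition and how to lock the account if it is found. The sample shadow contents are constructed for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Alpine project): detect and lock a
# root entry whose password field is empty, the condition CVE-2019-5021 describes.
# Uses only POSIX sh, awk and sed so it runs in a minimal container.

# Return 0 if the named shadow file has a root entry with an empty password field.
root_has_null_password() {
    shadow_file="$1"
    # Field 2 of the root line is the password hash; an empty field means
    # "no password", which PAM-backed services may accept as a blank login.
    awk -F: '$1 == "root" && $2 == "" { found = 1 } END { exit !found }' "$shadow_file"
}

# Lock the root account in the named shadow file by writing "!" into the password
# field, the same value `passwd -l root` writes on a BusyBox/Alpine system.
# Rewrites through a temp file rather than `sed -i` for portability.
lock_root_password() {
    shadow_file="$1"
    sed 's/^root::/root:!:/' "$shadow_file" > "$shadow_file.tmp" && \
        mv "$shadow_file.tmp" "$shadow_file"
}

# Constructed sample in the shape of an affected image's /etc/shadow (illustrative
# values only): root has an empty password field, the other accounts are locked.
make_sample_shadow() {
    out="$1"
    printf '%s\n' \
        'root:::0:::::' \
        'bin:!::0:::::' \
        'daemon:!::0:::::' \
        'nobody:!::0:::::' > "$out"
}

demo() {
    tmp="$(mktemp)"
    make_sample_shadow "$tmp"
    if root_has_null_password "$tmp"; then
        echo "root has a NULL password: locking it"
        lock_root_password "$tmp"
    fi
    if root_has_null_password "$tmp"; then
        echo "root is still unlocked"
    else
        echo "root account locked"
    fi
    rm -f "$tmp"
}

demo
```

In a Dockerfile built on an affected base, the equivalent one-liner is a `RUN passwd -l root` (or the `sed` above applied to `/etc/shadow`) early in the build; the `awk` check is also a cheap assertion to add to an image-scanning step so a future regression is caught before the image ships.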