| author | Natanael Copa <ncopa@alpinelinux.org> | 2019-05-09 11:30:52 +0200 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-05-09 11:30:52 +0200 |
| commit | 643f58c99702ca54d80498fde7df1f19d89cc47a (patch) | |
| tree | 7f4cb902be47beb95838cb93fd4797e4259e00bc | |
| parent | 4d45a7aa13b270295de192d919ce13ba2d0c8752 (diff) | |
| download | alpine-mksite-643f58c99702ca54d80498fde7df1f19d89cc47a.tar.bz2, alpine-mksite-643f58c99702ca54d80498fde7df1f19d89cc47a.tar.xz | |
posts: add report on CVE-2019-5021
-rw-r--r-- | posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md b/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md new file mode 100644 index 0000000..a706c55 --- /dev/null +++ b/posts/Docker-Image-root-User-Hard-Coded-Credential-Vulnerability.md @@ -0,0 +1,54 @@ +--- +title: 'Docker Image root User Hard-Coded Credential Vulnerability - CVE-2019-5021' +date: 2019-05-09 +--- + +# Docker Image root User Hard-Coded Credential Vulnerability - CVE-2019-5021 + +[CVE-2019-5021](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021) + +## What is the problem? + +If you have `shadow` package installed in your Docker container and run your +service as non-root an attacker who compromised your system via unrelated +security vulnerabillity, or a user with shell access, could elevate the +privileges to root within the container. + +## Who is affected? + +The issue only affects Docker images. If you used the Alpine linux installer, +`setup-alpine`, you are not affected. + +You are not affected unless you have `shadow` or `linux-pam` packages +installed. + +The issue was +[fixed](https://git.alpinelinux.org/aports/commit/?id=7a2566ec8260ceacae81088ebe2ffe6526c3809e) +in the following [Docker image releases]: +- edge (20190228 snapshot) +- v3.9.2 +- v3.8.4 +- v3.7.3 +- v3.6.5 + +The following versions are EOL and still vulnerable: +- v3.5 +- v3.4 +- v3.3 + +## How can I fix it? + +Make sure that you use one of the supported releases and update your image. + +If you use any of older, unsupported releases, then you can fix it by adding +this line to your Dockerfile: +<code> +# make sure root login is disabled +RUN sed -i -e 's/^root::/root:!:/' /etc/shadow +</code> + +Alternatively you could make sure that you don't have `linux-pam` installed. + +## What happened? + + |
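Review bot: the post ends with an empty "## What happened?" heading and no body, so it is incomplete as committed; either write that section or drop the heading before the page goes live. The three sections also disagree on which packages trigger the issue: "What is the problem?" names only `shadow`, "Who is affected?" says `shadow` or `linux-pam`, and the alternative fix at the end mentions only `linux-pam`; say consistently that the empty root password is exploitable when either `shadow` or `linux-pam` is installed. `[Docker image releases]` is a reference-style link with no matching definition, so it will render as literal bracketed text; add the link target or turn it into an inline link. The two-line Dockerfile fix is wrapped in `<code>` rather than a fenced block, which will collapse the newline and run the `# make sure root login is disabled` comment into the `RUN sed ...` line; use a triple-backtick fence as elsewhere in the posts. Finally, "vulnerabillity" should read "vulnerability".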