---
title: 'Docker Image Vulnerability - CVE-2019-5021'
date: 2019-05-09
---

# Docker Image Vulnerability (CVE-2019-5021)

[CVE-2019-5021](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021)

## What is the problem?

If you have the `shadow` package installed in your Docker container and run your service as a non-root user, an attacker who compromised your system via an unrelated security vulnerability, or a user with shell access, could elevate their privileges to root within the container. The root account in the affected images has an empty password field in `/etc/shadow`, and the `shadow`/`linux-pam` tools accept that as "no password required".

## Who is affected?

The issue only affects Docker images. If you used the Alpine Linux installer, `setup-alpine`, you are not affected.

You are not affected unless you have the `shadow` or `linux-pam` packages installed.

The issue was [fixed](https://git.alpinelinux.org/aports/commit/?id=7a2566ec8260ceacae81088ebe2ffe6526c3809e) in the following [Docker image releases](https://github.com/docker-library/official-images/pull/5516) ([7 March 2019](https://github.com/docker-library/official-images/pull/5516#event-2188593676)):

- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5

The following versions are EOL and still vulnerable:

- v3.5
- v3.4
- v3.3

## How can I fix it?

Make sure that you use one of the supported releases and update your image. If you use any of the older, unsupported releases, then you can fix it by adding this line to your Dockerfile:
```dockerfile
# make sure root login is disabled
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
```

Alternatively you could make sure that you don't have `linux-pam` installed.

## How could this happen?

Alpine uses `busybox` as its core tools. We have tested and made sure that root logins without a password are only allowed from TTYs that are listed as secure in `/etc/securetty`. This makes it possible to boot Alpine on a machine and log in as root without shipping any pregenerated, well-known password for Alpine. We consider a pregenerated, well-known password worse than no password at all. Services like `sshd` will not allow logins with blank passwords at all.

Unfortunately we missed the case where a user installs `shadow` and `linux-pam` instead of using the default tools.

EDIT: release date of fixed releases was added
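The following POSIX shell script is an added example, not part of the Alpine advisory or of the `aports` fix. It classifies the root entry of a shadow file (blank, locked, hashed or missing) and applies the same `sed` one-liner given under "How can I fix it?" above, so you can audit an image's `/etc/shadow` before and after rebuilding it. The file names, the temporary directory and the sample shadow entries are constructed for illustration and are not real credentials.

```shell
#!/bin/sh
# Added example, not from the Alpine advisory: detect a blank root password
# field in a shadow file and apply the advisory's sed fix. File names are
# hypothetical; the sample entries below are constructed, not real credentials.

# Classify the root entry of the shadow file given as $1:
#   empty   - password field is blank: su/login via shadow+linux-pam let anyone become root
#   locked  - field starts with '!' or '*': password login disabled (the fixed state)
#   hash    - a password hash is set
#   missing - no root line at all
root_password_state() {
    line=$(grep '^root:' "$1" 2>/dev/null | head -n 1) || true
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hash ;;
    esac
}

# The advisory's fix: turn "root::" into "root:!:" so root has no usable
# password instead of an empty one. Only a blank field is touched; an
# existing hash or an already locked entry is left alone.
lock_root() {
    sed -i -e 's/^root::/root:!:/' "$1"
}

# Build constructed sample shadow files in a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    printf 'root::18000:0:99999:7:::\nbin:!::18000:0:99999:7:::\n' > "$dir/vulnerable"
    printf 'root:!::18000:0:99999:7:::\n' > "$dir/locked"
    printf 'root:$6$saltsalt$notarealhash:18000:0:99999:7:::\n' > "$dir/hashed"
    printf 'bin:!::18000:0:99999:7:::\n' > "$dir/noroot"
    echo "$dir"
}

# Run directly: ./check-shadow.sh /path/to/extracted/shadow
if [ "$#" -gt 0 ]; then
    root_password_state "$1"
fi
```

To audit a real image, dump its shadow file first, for example with `docker run --rm alpine:3.5 cat /etc/shadow > shadow` (assumed invocation), then run `./check-shadow.sh shadow`; a result of `empty` means the image still needs the `RUN sed ...` line or an upgrade to a fixed release. Note that the check only tells you whether the blank-password condition exists; whether it is exploitable still depends on `shadow` or `linux-pam` being present, as the advisory states.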