Bug in Alpine Linux Docker Image Leaves Root Account Unlocked
A security vulnerability in the official Docker images based on the Alpine Linux distribution allowed, for more than three years, logging into the root account with a blank password.
Tracked as CVE-2019-5021, the vulnerability carries a CVSS score of 9.8 (critical). It was first reported in build 3.2 of the Alpine Linux Docker image and patched in November 2015, with regression tests added to keep it from coming back. Later that year, however, a new commit was pushed to simplify those regression tests.
A subsequent commit removed the "disable root by default" flag from the 'edge' build properties file, so the bug regressed in the builds that followed, from v3.3 through v3.9. The vulnerability was fixed and closed on March 8, 2019, but it could have been resolved sooner: it had already been rediscovered and reported on August 5, and the report slipped through because it was not flagged as a security problem.
To mitigate the issue on systems that still run vulnerable builds of the Alpine Linux container, Cisco Talos recommends disabling the root account. In practice that means setting root's password field in /etc/shadow to a locked value ("!" or "*") rather than leaving it empty: per shadow(5), an empty field means no password is required, not that the account is locked. The blank password only becomes exploitable when something inside the container authenticates against the system shadow database, such as a service using Linux PAM, sshd with empty passwords permitted, or su, so images that run a single non-authenticating process are less exposed but should still be fixed.
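The following shell script, an added example that is not code from the article, Cisco Talos or the Alpine project, audits a shadow file for accounts with an empty password field and locks root the way the fix does. The sample shadow content is constructed to mirror the vulnerable layout; the file path and the helper names (write_sample_shadow, empty_password_accounts, root_password_empty, lock_root) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article, Cisco Talos or the Alpine project.
# Audits an /etc/shadow file for accounts whose password field is empty and
# locks root by writing "!" into that field. In shadow(5) an EMPTY second
# field means "no password required", while "!" or "*" means the account is
# locked. Paths are passed as arguments so the script runs on a copy offline.

# Constructed sample modelled on the vulnerable Alpine layout (hypothetical
# content, not copied from any image): root's password field is empty.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::
EOF
}

# Print the name of every account whose password field is empty. This
# generalises the root check: any such account accepts a blank password
# from services that authenticate against the shadow database.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Exit status 0 (true) when root has an empty password field, 1 otherwise.
root_password_empty() {
    empty_password_accounts "$1" | grep -qx root
}

# Lock root by putting "!" in its password field. Only an empty field is
# rewritten, so an account that already has a hash or a lock is untouched.
# A temp file is used instead of `sed -i`, which differs between GNU and BSD.
lock_root() {
    sed -e 's/^root::/root:!:/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone run: audit the sample, fix it, and show the before/after state.
f=$(mktemp)
write_sample_shadow "$f"
echo "empty-password accounts before: $(empty_password_accounts "$f" | tr '\n' ' ')"
lock_root "$f"
echo "empty-password accounts after:  '$(empty_password_accounts "$f" | tr '\n' ' ')'"
rm -f "$f"
```

Inside a running Alpine container the same result can be had with BusyBox's `passwd -l root`, or at build time with a Dockerfile line such as `RUN sed -i -e 's/^root::/root:!:/' /etc/shadow`; the audit function above is useful as a CI check that fails a build if any account in the image's /etc/shadow still has an empty password field.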