Docker Image Vulnerability (CVE-2019-5021)
What is the problem?
If you have the shadow package installed in your Docker container and run your
service as non-root, an attacker who compromised your system via an unrelated
security vulnerability, or a user with shell access, could elevate their
privileges to root within the container.
Who is affected?
The issue only affects Docker images. If you used the Alpine Linux installer, setup-alpine, you are not affected.
You are not affected unless you have the shadow or linux-pam packages installed.
The issue was fixed in the following Docker image releases:
- edge (20190228 snapshot)
- v3.9.2
- v3.8.4
- v3.7.3
- v3.6.5
The following versions are EOL and still vulnerable:
- v3.5
- v3.4
- v3.3
How can I fix it?
Make sure that you use one of the supported releases and update your image.
If you use any of the older, unsupported releases, then you can fix it by adding this line to your Dockerfile:

    # make sure root login is disabled
    RUN sed -i -e 's/^root::/root:!:/' /etc/shadow
Alternatively you could make sure that you don’t have linux-pam installed.
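To audit an image for the condition this advisory describes, the following added example (not part of the original advisory) checks an unpacked image root for an empty root password field in /etc/shadow together with an installed shadow or linux-pam package, then applies the sed fix above and re-checks. The function names, the verdict strings and the sample files are constructed for illustration; it assumes the image filesystem is available as a directory and that installed packages are listed as `P:` records in lib/apk/db/installed.

```shell
#!/bin/sh
# Added example: audit an unpacked Alpine image root for the CVE-2019-5021 condition.

# True if the root entry in shadow file $1 has an empty password field.
# A missing file or missing root entry counts as "not empty".
root_password_empty() {
    [ -r "$1" ] || return 1
    awk -F: '$1 == "root" { found = 1; empty = ($2 == "") } END { exit !(found && empty) }' "$1"
}

# True if package $2 is recorded in the apk installed database $1.
pkg_installed() {
    [ -r "$1" ] && grep -qxF "P:$2" "$1"
}

# Print one verdict for the image root filesystem at $1:
#   ok                   root password field is not empty
#   affected             empty root password and shadow or linux-pam installed
#   empty-root-password  empty root password, neither package installed yet
check_image() {
    root=$1
    db="$root/lib/apk/db/installed"
    if ! root_password_empty "$root/etc/shadow"; then
        echo "ok"
    elif pkg_installed "$db" shadow || pkg_installed "$db" linux-pam; then
        echo "affected"
    else
        echo "empty-root-password"
    fi
}

# Constructed sample: a minimal image root with an empty root password
# and the shadow package installed (versions are placeholders).
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/lib/apk/db"
    printf 'root:::0:::::\nbin:!::0:::::\n' > "$dir/etc/shadow"
    printf 'P:musl\nV:0.0.0-r0\n\nP:shadow\nV:0.0.0-r0\n\n' > "$dir/lib/apk/db/installed"
    echo "$dir"
}

sample=$(make_sample)
echo "before fix: $(check_image "$sample")"
sed -i -e 's/^root::/root:!:/' "$sample/etc/shadow"   # the fix from the advisory
echo "after fix:  $(check_image "$sample")"
rm -rf "$sample"
```

The `empty-root-password` verdict flags images that are not affected today but would become so if shadow or linux-pam were installed in a later layer.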