Alpine


May. 11, 2019

Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked

For three years, some Alpine Linux Docker images have shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned from the images. Affected versions of the Alpine Linux Docker images include 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9 and Alpine Docker Edge, according to Cisco Talos researchers who discovered the bug, tested each version and released their findings on Wednesday. Vulnerable Alpine Linux Docker images have been available via the official Docker Hub portal since late 2015.

May. 11, 2019

Cisco Talos warns of hardcoded credentials in Alpine Linux Docker Images

Since December 2015, Alpine Linux Docker images have been shipped with hardcoded credentials: a NULL password for the root user. The NULL password for the root account has been included in the official Alpine Linux Docker images since v3.3. The bug received a CVSS score of 9.8 and affects Alpine Docker versions 3.3 to 3.9, including Alpine Docker Edge.

The issue was first reported in August 2015 and patched in November; evidently, it was re-introduced in December 2015. The NULL password is present in the `/etc/shadow` file of the affected builds of the Alpine Docker image.
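
One way to check an image's root filesystem for this condition, as an added example that is not from Cisco Talos or the Alpine project: the script classifies each entry of a shadow(5)-format file by its password field and lists accounts where that field is empty. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shadow(5)-format file for empty password fields.
# Field 2 is the password: empty means no password is required to
# authenticate, a leading "!" or "*" means password login is locked.

# audit_shadow FILE -> one "user<TAB>state" line per entry
audit_shadow() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        NF < 2 { printf "%s\tmalformed\n", $1; next }
        {
            pw = $2
            if (pw == "")            state = "empty"    # the condition reported here
            else if (pw ~ /^[!*]/)   state = "locked"
            else                     state = "set"      # a hash or other non-empty value
            printf "%s\t%s\n", $1, state
        }' "$1"
}

# empty_password_accounts FILE -> names of accounts with an empty password field
empty_password_accounts() {
    audit_shadow "$1" | awk -F'\t' '$2 == "empty" { print $1 }'
}

# Constructed sample input (not copied from any real image)
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:*::0:::::
app:$6$constructedsalt$constructedhash:18000:0:99999:7:::
EOF
}

# When given a path, audit it, e.g. the etc/shadow of an exported image filesystem.
if [ -n "${1:-}" ]; then
    audit_shadow "$1"
fi
```

Run against the constructed sample, only `root` is reported as having an empty password field; `bin` and `daemon` are locked.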