Time to Rebuild Alpine Linux Docker Containers After Package Manager Patch

Anybody using Alpine Linux in containers has a little patching to do. It appears a little problem has been discovered in apk, the distribution's default package manager, that makes all Alpine-derived images suspect. The good news is that a patch is already available.

Alpine Linux is an uber lightweight distribution (it weighs in at only 5 MB) which has been Docker's distro of choice for containers since 2016. Like a lot of things Linux, Alpine is a fork of another Linux distro, the no-longer-in-development Linux Router Project (LRP) which was intended for routers, terminal servers, embedded networking systems and the like. LRP was even smaller and could neatly fit onto a single floppy (that would be 1.44 MB for those not old enough to remember ancient times).

This latest security bug was found by Max Justicz, a researcher and founder of the crowd-funded bug bounty system, Bountygraph, who announced it on Thursday in a blog. The hole can be exploited to inject arbitrary code by anyone with man-in-the-middle network access or by way of a malicious package mirror. This is particularly troubling, Justicz said, because apk packages are generally not served over secure TLS connections.

"After gaining code execution, I figured out a cool way to make the original apk process exit with a 0 exit code (without needing the SYS_PTRACE capability) by writing to /proc//mem," he said. "The result is that a Dockerfile that installs packages with apk can be exploited and still build successfully."

What this means is that an attacker could intercept a package request as a Alpine Linux Docker image is being built and add malicious code that target machines would then unpack and run within the Docker container.

The vulnerability takes advantage of the process apk uses to unpack archives (an apk package arrives as a gzipped tar file) and look for suspicious code. According to Justicz, malware can escape detection by being hidden inside the package's commit_hooks directory.

The patched version of apk is now included in the latest version of Alpine and users are advised to rebuild Docker images using this latest build of Alpine.

While you're at it, Justicz suggests making a donation to Alpine developers.

"It seems like apk has one main developer who fixed this bug in less than a week," he said. "The lead maintainer of Alpine cut a new release shortly thereafter."