Alpine Linux had null root password since 2015

Alpine Linux is quite often used to build Docker containers, because it’s so compact. The main thing that might prevent you using Alpine is that it doesn’t include glibc, which lots of software requires. So I wonder how many Docker containers are running a vulnerable version these days. Probably tens or hundreds of millions.

UPDATE 20190518: I checked both the LXD and Docker Alpine Linux images, and both had null root passwords (root::) listed in /etc/shadow. This still exists days after the exposure of this oversight. They also both came with no network services enabled by default, so any flaw in security is really your own introduction, and a failure to lock down the image and test security access during deployment.
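The check described above can be scripted for use during image builds. This is an added example, not code from the original post or from Alpine; the function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Audit a shadow(5)-format file for accounts with an empty password field,
# such as the "root::" entry described above.

# classify_shadow FILE
# Prints "user<TAB>state" for each entry, where state is:
#   null   - empty password field: no password is needed to authenticate
#   locked - field starts with "!" or "*": password login is disabled
#   hashed - anything else (a password hash is set)
classify_shadow() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF < 2 { next }                     # malformed line, no password field
        {
            state = "hashed"
            if ($2 == "") state = "null"
            else if ($2 ~ /^[!*]/) state = "locked"
            printf "%s\t%s\n", $1, state
        }' "$1"
}

# null_password_accounts FILE
# Prints only the names of accounts whose password field is empty.
null_password_accounts() {
    classify_shadow "$1" | awk -F'\t' '$2 == "null" { print $1 }'
}

# Constructed sample in shadow format (not copied from a real image).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:*::0:::::
app:$6$constructedsalt$constructedhash:18000:0:99999:7:::
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_shadow "$sample"
null_password_accounts "$sample"   # prints: root
rm -f "$sample"
```

To audit a real image, point null_password_accounts at that image's etc/shadow and fail the build if it prints anything.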

Source: CVE-2019-5021