Does Docker contain the Heardbleed exploit?
Lets assume, I have an vulnerable OpenSSL server in a Docker.io Container. Does Docker prevent memory from the host being read?
My assuption is, it does. Because the bug is in OpenSSL and not in the Kernel and Docker should isolate root access in the container. But the Wikipedia only says “partial Root privilege isolation” and suggests its dependent on the backend. So please specify if you answer using libcontainer or lxc or something else.
2 Solutions collect form web for “Does Docker contain the Heardbleed exploit?”
If a vulnerable server runs in a container, only that container’s memory will be leaked.
In fact, even without containers, only that server’s process memory will be leaked. For instance, if you have a vulnerable Apache+OpenSSL server and an SSH server running on the same machine, an attacker can get memory fragments from the Apache server, but will never be able to get access to anything from the SSH server. (Unless this Apache server is used to distribute SSH private keys or something like that, of course…)
This related question suggests only the vulnerable application’s memory is affected. And unless one can fetch local login data or otherwise gain local root access, this question is pretty irrelevant.