Does Docker contain the Heardbleed exploit?

Lets assume, I have an vulnerable OpenSSL server in a Docker.io Container. Does Docker prevent memory from the host being read?

My assuption is, it does. Because the bug is in OpenSSL and not in the Kernel and Docker should isolate root access in the container. But the Wikipedia only says “partial Root privilege isolation” and suggests its dependent on the backend. So please specify if you answer using libcontainer or lxc or something else.

  • Docker + SSH + Git Clone Isssue
  • JGroups doesnt form a cluster while running inside docker across multiple nodes
  • All node modules in package.json are being re-downloaded after small change
  • How to start service in docker container at start up
  • How to mimic '--volumes-from' in Kubernetes
  • Docker: multiple PHP7-FPM containers on different ports
  • php support for mongoDB
  • Google Container Registry access denied when pushing docker container
  • “Remove” a VOLUME in a Dockerfile
  • Run docker inside a docker container?
  • How to make docker to stop container when host process attached to tty terminates
  • How to run cron in Docker container from Ruby image
  • 2 Solutions collect form web for “Does Docker contain the Heardbleed exploit?”

    If a vulnerable server runs in a container, only that container’s memory will be leaked.

    In fact, even without containers, only that server’s process memory will be leaked. For instance, if you have a vulnerable Apache+OpenSSL server and an SSH server running on the same machine, an attacker can get memory fragments from the Apache server, but will never be able to get access to anything from the SSH server. (Unless this Apache server is used to distribute SSH private keys or something like that, of course…)

    This related question suggests only the vulnerable application’s memory is affected. And unless one can fetch local login data or otherwise gain local root access, this question is pretty irrelevant.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.