Docker Community Forums


Meltdown / Spectre


(Iceshaft07) #1

Is docker affected by meltdown / spectre? If I update my host operating system, do I need to update the underlying container as well?


(Iceshaft07) #2

Is anyone here concerned about the security of their docker containers? This is a serious issue. Other malicious or infected containers could access other containers data.

What is the official response from Docker regarding Meltdown and Spectre? Are there any patches that must be applied to Docker?


(Emily Shepherd) #3

I’m with you on this, @iceshaft07, the lack of response on this is worryingly poor. Anyway, regarding your question:

Meltdown is only really a useful attack against the kernel, and as such it is mitigated against using KPTI, which is available in kernels 4.14.11 [[1]], 4.9.75 [[2]], 4.4.110 [[3]]. It has been pointed out, however, by Greg Kroah-Hartman, the maintainer of the Linux Stable branch, that the backports of this mitigation on 4.9.x and 4.4.x branches have their own problems, so updating to 4.14.11 or above is recommended, if possible [[4]]. Updated kernels are available for Arch Linux [[5]], Ubuntu [[6]], Debian [[7]], and others I’m sure.

Spectre is a lot harder to give a concrete answer on, as it covers a couple of exploits, and the exact way one would take advantage of these depends entirely on the application being attacked, if indeed the application is vulnerable. So for this one, keep an eye on the providers of the docker images that you use or, if you use your own images, it would be wise to rebuild these if and when specific patches for the software you use are released. Most applications haven’t released updates yet.

On Spectre, further kernel updates are coming too [[8]], to better protect the kernel against Spectre attacks, and to help protect userspace applications too. These updates haven’t been merged into the stable branch yet, so watch out for those as you’ll need to update again when they come. In addition, they make use of a chip ability called Indirect Branch Restricted Speculation (IBRS) which is not currently supported on Intel chipsets; microcode updates are required to enable it [[8]]. If you’re on a (big) cloud hosting provider, AWS for instance, they have already handled this for you [[9]]. If you run your own physical servers, you’ll need to wait as Intel has not yet provided a public release [[10]]. The instructions for updating this are specific to your distribution of Linux.

Final point, is the docker application itself vulnerable to Spectre? Well I don’t know, because Docker haven’t made a statement. Apparently the company whose point is the separation of processes doesn’t think it’s worth commenting on the massive exploit which breaks the separation of processes… </passive-aggressive-stab>

Sorry for the wall of text, hope this helps :slight_smile: x

References: https://gist.github.com/EmilyShepherd/50581812693d2f3a6414da3f38cac46a

(I’m a new user, so I wasn’t allowed to put more than two in, so they are all in that gist instead ^^)
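The practical takeaway from the post above is that containers share the host kernel, so whether a Docker host is protected against Meltdown is decided by the host kernel, not by anything inside the image. The script below is an added example (not from this thread or from Docker) that checks a kernel version string against the KPTI-patched stable releases quoted in the post (4.14.11, 4.9.75, 4.4.110) and, where the running kernel exposes it, prints the sysfs mitigation status. Assumptions are labelled in the comments: branches newer than 4.14 are treated as patched, branches the post does not mention (e.g. 4.10 to 4.13) are reported as unknown, and the `/sys/devices/system/cpu/vulnerabilities` directory only exists on kernels newer than the ones the thread was written against.

```shell
#!/bin/sh
# Added example: is this Docker host's kernel at or above the KPTI-patched
# stable releases (4.14.11 / 4.9.75 / 4.4.110) named in the post?

# vernum 4.14.11 -> 4014011 : dotted version as a single comparable integer
vernum() {
    printf '%s' "$1" | awk -F. '{ printf "%d", ($1+0)*1000000 + ($2+0)*1000 + ($3+0) }'
}

# version_ge A B : succeed when A >= B (numeric field-by-field comparison)
version_ge() {
    [ "$(vernum "$1")" -ge "$(vernum "$2")" ]
}

# kpti_status <uname -r string> : prints patched | unpatched | unknown
kpti_status() {
    v=${1%%-*}                       # drop distro suffix: 4.14.11-1-ARCH -> 4.14.11
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    case "$major.$minor" in
        4.14) if version_ge "$v" 4.14.11; then echo patched; else echo unpatched; fi ;;
        4.9)  if version_ge "$v" 4.9.75;  then echo patched; else echo unpatched; fi ;;
        4.4)  if version_ge "$v" 4.4.110; then echo patched; else echo unpatched; fi ;;
        *)    # Assumption: 4.15+ ships KPTI; branches the post does not list are unknown.
              if version_ge "$v" 4.15.0; then echo patched; else echo unknown; fi ;;
    esac
}

# sysfs_mitigations : newer kernels report each speculative-execution issue here.
# Fails (return 1) on kernels that predate this interface, so callers can fall
# back to the version check above.
sysfs_mitigations() {
    dir=/sys/devices/system/cpu/vulnerabilities
    [ -d "$dir" ] || { echo "no sysfs vulnerability report (kernel too old)"; return 1; }
    for f in "$dir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Stand-alone run: report on the kernel this script is executing under.
running=$(uname -r)
echo "host kernel $running: KPTI by version check = $(kpti_status "$running")"
sysfs_mitigations || :
```

Run it on the Docker host (not inside a container, where `uname -r` still shows the host kernel but the sysfs directory may be masked). A result of `unpatched` or `unknown` means the host needs a kernel update before any container-level rebuild is worth doing; the sysfs lines, where present, are the authoritative answer and also cover the Spectre variants and the microcode/IBRS state that the version check cannot see.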


(Tai Lee) #4

When is someone at Docker Inc. going to say something about Meltdown/Spectre? This is a massive security issue that affects almost everyone, and the only statement I’ve found from Docker is:

These vulnerabilities do not directly affect Docker. However, as both are major processor level vulnerabilities, Docker recommends that customers follow standard operating procedure for OS kernel and/or security upgrades as quickly as possible.

That’s great, but what about Docker Cloud nodes that are provisioned and upgraded by Docker? When will Docker release an updated Docker Cloud node image so we can upgrade via Docker Cloud’s node/node-cluster UI?

Or when will Docker provide alternative instructions on how we are expected to apply (and maintain moving forward) OS level patches on Docker Cloud nodes as our clusters are scaled up and down?

This issue went public on Jan 3 and it’s now Jan 15 with no word from Docker about how Docker Cloud customers are supposed to patch their nodes. I’ve also submitted an urgent support ticket days ago and have yet to receive any response. This is not good enough.

@dsheets I’m mentioning you only because I know you work for Docker and have previously commented on here about Docker for Mac performance issues. Hopefully you can bring this to someone’s attention on the Docker Cloud team.


(Jrusk) #5

Is there any news about Meltdown and Spectre for Docker Cloud nodes?