48

On https://meltdownattack.com/ it is suggested that (in some cases?) scenarios with Docker containers are also vulnerable.

I'm a developer using Docker for two different purposes:

  • Images used for running build steps in GitLab CI/CD
  • A few images running in production in a cloud (Azure and AWS)

These images are a mix of things, ultimately based on either Alpine, Debian, or Ubuntu. Often my Dockerfile is based off some intermediate image, like one with Nodejs/NPM for a front-end build for example.

Assuming the base OS (e.g. Debian) has patched things in their latest update, what is the recommended way to get my own images up to date? For example if I'm using node:8.9.4 currently, do I have to monitor and wait for a newer tag that fixes the problem?

Jeroen
    You're vulnerable until GitLab and AWS fix their host machines. – Nick Jan 04 '18 at 16:40
  • About [the link](https://meltdownattack.com/), are Meltdown and Spectre "_hardware bugs_ [that] _allow programs to steal data etc._" (I think so) or are they programs, like in "_Meltdown and Spectre work on personal computers, mobile devices, and in the cloud._" or "_Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications_"? I realize what the authors meant and that they do know their stuff (as far as I can tell, as I'm no expert), but isn't such confused wording perplexing when it comes from supposedly authoritative sources? – SantiBailors Jan 05 '18 at 08:43
  • 1
    @SantiBailors I'm a bit confused about your comment, but it feels to me like you have a separate question you could possibly ask (it might need clarification though before others can answer). – Jeroen Jan 05 '18 at 11:31
  • @Jeroen I don't think my doubt is significant enough to make it a question. I had just noticed that while most of the article addresses Meltdown and Spectre as hardware bugs, some sentences seem to consider them as malignant programs instead, that antiviruses might fail to distinguish from regular programs. That made me perplexed and I was just wondering about that. Not something worth a question. – SantiBailors Jan 05 '18 at 12:12
  • @SantiBailors they refer to the fact that programs that might exploit these hardware bugs (meltdown and spectre) could be monitored for (ie by an antivirus or malware detector), but it is difficult because the exploits are not easy to detect (unlike other malware). This would apply to personal computers, phones and perhaps shared hostings, but not to Docker hosting providers. In that case, this is a hardware bug and it can only be patched at kernel level by the Docker hosting providers. About hardware virtual machines (ie EC2) and dedicated servers, you should patch those. – jjmontes Jan 05 '18 at 14:54

1 Answer

85

The patch against Meltdown is kernel only. Docker containers run within the kernel of the host system. This means the resistance against Meltdown depends on the host kernel only. In other words: you don't need patches against Meltdown in the docker image and you cannot patch against Meltdown in the docker image.

Steffen Ullrich
  • 4
    On a side note, with Docker for Mac and Windows the host system is actually a Linux VM in which Docker runs. – Alexander O'Mara Jan 05 '18 at 15:22
  • 1
    I thought part of the amelioration proposed by Google was to disallow, by compiling differently, certain indirect branches. (They called it 'retpoline'?) Was this for kernel mode only or for user mode too? – davidbak Jan 05 '18 at 21:57
  • 1
    @davidbak: This question here is about Meltdown (rogue data cache load, CVE-2017-5754), the worst of the three vulnerabilities at least on Intel CPUs and the one addressed by KPTI. retpoline is against branch target injection (Spectre vulnerability, CVE-2017-5715). See https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html for details. – Steffen Ullrich Jan 06 '18 at 03:39
  • This answer is incorrect, not only the kernel has been patched. There are userspace mitigations, as described here for ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown – Michael Allan Jackson Feb 04 '18 at 18:17
  • @MichaelA.Jackson: the user space mitigations you refer to (USN-3516-1, USN-3530-1) only deal with Spectre, not Meltdown. __This question is about Meltdown only__. USN-3521-1 and USN-3531-1 also deal only with Spectre, but additionally these are only updates for graphics card drivers or CPU microcode, which makes them irrelevant for Docker. – Steffen Ullrich Feb 04 '18 at 18:56
  • USN-3516-1: Firefox vulnerabilities, makes reference to CVE-2017-5754 which is associated with meltdown, https://usn.ubuntu.com/usn/usn-3516-1 – Michael Allan Jackson Feb 20 '18 at 08:35
  • @MichaelA.Jackson: while these fixes might reduce the problem if the kernel is not patched against Meltdown, they will not add additional protection against Meltdown if the kernel is patched. They will though add protections against Spectre, since this cannot be addressed by a kernel fix only. Thus my statement still applies: if the kernel is patched against Meltdown you don't need additional patches for Meltdown in Docker. Spectre is different though. – Steffen Ullrich Feb 20 '18 at 08:50
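A check that follows from the answer above, added here as an example and not part of the original answer: kernels that carry the Meltdown fix expose their status under /sys/devices/system/cpu/vulnerabilities, and because a container shares the host kernel, that file read from inside a container reports the host's status. The sample directories below are constructed so the function can be exercised without a real /sys.

```shell
#!/bin/sh
# Added example (not from the answer above): classify the host kernel's
# Meltdown mitigation status from the sysfs file that patched kernels
# expose. A container shares the host kernel, so reading the file from
# inside a container reports the HOST's status, e.g.:
#   docker run --rm alpine cat /sys/devices/system/cpu/vulnerabilities/meltdown
# Kernels that predate the fix have no such file at all.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# meltdown_status DIR
#   prints one line and returns: 0 = mitigated or not affected,
#   1 = vulnerable, 2 = unknown (file absent or unrecognised wording)
meltdown_status() {
    f="$1/meltdown"
    if [ ! -r "$f" ]; then
        echo "unknown: no meltdown entry (kernel predates the fix?)"
        return 2
    fi
    status=$(cat "$f")
    case "$status" in
        "Not affected"|Mitigation:*)
            echo "mitigated: $status"
            return 0 ;;
        Vulnerable*)
            echo "vulnerable: $status"
            return 1 ;;
        *)
            echo "unknown: $status"
            return 2 ;;
    esac
}

# Constructed sample directories (not real hosts); the strings mirror the
# wording the kernel uses in sysfs.
make_sample() {   # make_sample DIR [CONTENT]   (no CONTENT -> no file)
    mkdir -p "$1"
    [ $# -gt 1 ] && printf '%s\n' "$2" > "$1/meltdown"
    return 0
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE/patched"   "Mitigation: PTI"
make_sample "$SAMPLE/unpatched" "Vulnerable"
make_sample "$SAMPLE/old"

# Report on the real host kernel; on an unpatched host this returns 1.
meltdown_status "$VULN_DIR" || true
```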