Patching the heartbleed vuln in a docker image?


(Michael Downey) #1

Hi there. The [Heartbleed Bug][1] is a serious vulnerability in the popular OpenSSL cryptographic software library.

We are using the Docker image on Digital Ocean and attempted to upgrade the host via the typical method: sudo apt-get update && sudo apt-get upgrade openssl libssl

After that, we did:

  • /var/docker/launcher destroy app
  • /var/docker/launcher bootstrap app
  • /var/docker/launcher start app

However, after coming back up, our Discourse installation still appears to be vulnerable. Is there something in the Docker image that needs to be updated?

Update: I did a ./launcher ssh app and went into the Docker image, and noticed that the openssl there was still running an older version, OpenSSL 1.0.1c 10 May 2012. However, from within that Docker ssh session, I couldn’t upgrade it using apt-get. I didn’t want to do anything further to avoid breaking anything. :slight_smile:
[1]: http://heartbleed.com/


(Régis Hanol) #2

Well, whatever you do inside the docker image will not be persisted.

@supermathie updated and fixed the base docker image, so here’s what I would do once it’s published to the global registry:

cd /var/docker
git pull
./launcher destroy app
# app is down
./launcher bootstrap app
./launcher start app
# app is up

(Michael Downey) #3

Thanks, but unfortunately that didn’t work. (I also had to upgrade Docker to update.)

In fact, the OpenSSL version now running in the Docker image is even older, OpenSSL 1.0.1 14 Mar 2012.


(Michael Brown) #4

It has been updated but @Sam needs to publish it.


(Ryan) #5

Is it possible that the -dev ssl packages are still vulnerable and not patched? From the Dockerfile, lines 27-29:

    apt-get -y install build-essential git curl wget \
                   libxslt-dev libcurl4-openssl-dev \
                   libssl-dev libyaml-dev libtool \

(Sander Datema) #6

I needed to reboot the VPS, maybe you need to do that too?


(Michael Downey) #7

Hmm. Are you getting a newer version reported by running openssl version -a after ssh-ing into the Docker image?


(Kolt) #8

I have the identical issue after having followed the Digital Ocean/Docker tutorial. I have updated Ubuntu and followed the steps described by @zogstrip above.

In Ubuntu:

root@dis:/var/docker# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014

In Docker:

root@dis:~# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Thu Apr 19 16:25:22 UTC 2012

Note the difference in the built on dates.
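The comparison Kolt is doing by hand above (and that Michael Downey asks for in #7) can be scripted. The following is an added example, not code from this thread or from Discourse: it takes `openssl version -a` output from the host and from inside the container and decides from the "built on:" line whether a 1.0.1 build predates the Heartbleed fix, since a distro backport keeps the "OpenSSL 1.0.1 14 Mar 2012" version string and only the build date moves. The 2014-04-07 cutoff is an assumed heuristic (the day 1.0.1g and the Ubuntu backport shipped), and the two sample outputs are constructed from the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread: tell a backport-patched OpenSSL 1.0.1
# from an unpatched one using only `openssl version -a` output. The version
# string ("OpenSSL 1.0.1 14 Mar 2012") is identical on both; the distro
# backport left it alone, so the "built on:" date is the field that differs.

# Assumption (heuristic): 1.0.1..1.0.1f builds dated on or after 2014-04-07,
# the day OpenSSL 1.0.1g and the distro backports shipped, carry the fix.
HEARTBLEED_FIX_DAY=20140407

# Constructed sample outputs, modelled on the host and container posted above.
HOST_OUT='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64'
CONTAINER_OUT='OpenSSL 1.0.1 14 Mar 2012
built on: Thu Apr 19 16:25:22 UTC 2012
platform: debian-amd64'

month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# build_day OUTPUT -> YYYYMMDD from the "built on: Dow Mon D HH:MM:SS TZ YYYY" line
build_day() {
  line=$(printf '%s\n' "$1" | grep '^built on:') || return 1
  set -- $line            # word-split: $3=Dow $4=Mon $5=D $6=time $7=TZ $8=YYYY
  mon=$(month_num "$4") || return 1
  day=$(printf '%02d' "$5")
  echo "$8$mon$day"
}

# openssl_ver OUTPUT -> e.g. "1.0.1" or "1.0.1g" (empty if no version line)
openssl_ver() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p'
}

# heartbleed_status OUTPUT -> prints a verdict; exit 0 = patched, 1 = vulnerable, 2 = unknown
heartbleed_status() {
  ver=$(openssl_ver "$1")
  case "$ver" in
    1.0.1|1.0.1[a-f]) ;;   # affected series (1.0.2 betas were affected too; not handled here)
    "") echo "unknown (no OpenSSL version line)"; return 2;;
    *) echo "patched ($ver is outside the affected series)"; return 0;;
  esac
  day=$(build_day "$1") || { echo "unknown (no built on: line)"; return 2; }
  if [ "$day" -ge "$HEARTBLEED_FIX_DAY" ]; then
    echo "patched (built $day)"; return 0
  fi
  echo "VULNERABLE (built $day, before $HEARTBLEED_FIX_DAY)"; return 1
}

# Run against both sample outputs. On a real box, feed in the output of
# `openssl version -a` on the host and, after `./launcher ssh app`, in the container.
echo "host:      $(heartbleed_status "$HOST_OUT")"
echo "container: $(heartbleed_status "$CONTAINER_OUT")"
```

The version-string check alone would pass the container here, which is exactly the trap in this thread: the image was rebuilt, the reported version even went backwards, and only the build date shows that the bundled library is still the 2012 build.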


(Régis Hanol) #9

see @supermathie’s previous answer


(Michael Brown) #10

OK, now that I’m at my computer, if you do the following:

→ head -n6 image/base/Dockerfile #(verify you have the latest)
# DOCKER-VERSION 0.6.7 : samsaffron/discourse_base

# Official repo only has a ppa for postgresql 9.3 at the moment (14/3/2014)
# When new LTS ships we can upgrade

# VERSION 0.2.0

→ docker build -t samsaffron/discourse_base:0.2.0 image/base
→ docker build -t samsaffron/discourse:0.2.0 image

Then replace the image name in launcher:

image=samsaffron/discourse:0.2.0

You can do it all locally.


(Kolt) #11

I ran the following command:

docker build -t samsaffron/discourse_base:0.2.0 image/base

…but the build halted when it came to the “ruby-build 2.0.0-p451” part, returning an “error 137” related to rdoc.

I don’t know if it was some temporary glitch, but replacing

cd / && rm -rf /src/ruby-build && ruby-build 2.0.0-p451 /usr/local &&\

with

cd / && rm -rf /src/ruby-build && CONFIGURE_OPTS="--disable-install-doc" ruby-build 2.0.0-p451 /usr/local &&\

in

/var/docker/image/base/Dockerfile 

…seems to have gotten me through that issue. Additionally, I had to set up a 1GB swap file on my server, which I had not done before. SSH-ing into Docker and running openssl version -a now returns the correct and updated version. :smile:


(Sam Saffron) #12

This is now patched.

git pull
./launcher rebuild ... 

(Michael Downey) #13

After upgrading docker and running the above, got the following:

Error: Cannot destroy container d89bc25291e8530f69f8194ec3b82ddff448b24899284edba40dcbfc339ca348: Unable to remove filesystem for d89bc25291e8530f69f8194ec3b82ddff448b24899284edba40dcbfc339ca348: remove /var/lib/docker/containers/d89bc25291e8530f69f8194ec3b82ddff448b24899284edba40dcbfc339ca348/root: device or resource busy
2014/04/08 21:57:16 Error: failed to remove one or more containers
Invalid cid file, deleting, please re-run

However after running ./launcher rebuild app a second time, all is well and Discourse is patched. Thanks! :slight_smile:


(Sam Saffron) #14

I did notice that the upgrade from docker 0.9.1 to 0.10 stops all the running containers, this could be the reason.


(Matt Culpepper) #15

Hmm, I’m having some issues as well relaunching. Getting the nginx 502 screen, this is in ./launcher logs app:

2014-04-09 04:45:35 UTC DETAIL: The data directory was initialized by PostgreSQL version 9.3, which is not compatible with this version 9.2.4.


(Sam Saffron) #16

Did you git pull? Our templates are all pg 9.3 … 9.2 is the old one we shipped.


(Matt Culpepper) #17

Yes, and it went through the postgres 9.3 upgrade. There was an error at the end of the ./launcher rebuild process, but it said to run bootstrap so I thought maybe it was expected. I will keep digging. Any ideas?


(Sam Saffron) #18

This topic was automatically closed after 24 hours. New replies are no longer allowed.