TPS-2024-002 OpenSSH CVE-2024-6387 - Race condition in sshd may allow remote code execution

Overview
A remote code execution vulnerability has been discovered in OpenSSH sshd. At present, only glibc-based Linux systems are known to be vulnerable. SmartOS, being neither Linux-based nor glibc-based, is not currently known to be affected. This issue is a regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code"), and therefore exploitation may be possible on non-glibc and non-Linux systems such as SmartOS.

TPS-2024-001 SmartOS / Triton not affected by CVE-2024-3094

Overview
Recently a back door was discovered in the xz-utils software. This appears to have been introduced by a malicious party with ownership access to the repository. The back door targets Linux systems running OpenSSH and systemd when xz is at version 5.6.0 or 5.6.1. At the current time we have high confidence that the back door does not work on SmartOS. Linux binaries running in lx-brand zones may still be affected.

TPS-2023-003 OpenSSL Multiple CVEs

Overview
OpenSSL has released an advisory for multiple CVEs. This affects only the following client applications when used from the platform image:
- curl
- wget
- openldap
- node.js (as used by imgadm)
Pkgsrc packages, Triton services and API endpoints (e.g., CloudAPI) are unaffected.
Actions taken by Us
This issue has been fixed in the SmartOS platform image in OS-8442. Platform images including the associated commit (release-20220209 and later) have been fixed.

TPS-2023-002 illumos#15822 bhyve fget_str buffer overflow (FreeBSD-SA-23:07)

Overview
A vulnerability has been reported to the FreeBSD developers in bhyve that allows a vmm guest to overflow a buffer, potentially allowing code execution outside the context of the VM. On SmartOS, the bhyve process runs in a non-privileged zone, which limits the potential impact. Stack-smashing protection in the illumos kernel shipped with SmartOS may also mitigate exploitation.
Actions Taken by Us
This issue has been fixed in illumos#15822, and release-202300727 (platform stamp 20230804T193934Z), which includes a fix for this issue, is now available.

TPS-2023-001 illumos kernel CVE-2023-31284

Overview
A vulnerability has been found in the illumos kernel (CVE-2023-31284) that allows local users, including non-root users in zones, to panic the system. Any environment running untrusted workloads (e.g., public cloud environments) is strongly urged to update (see Actions You Need to Take below).
Actions Taken by Us
This issue has been fixed in illumos#15586, and release-20230504 (platform stamp 20230504T000449Z), which includes a fix for this issue, is now available.

TPS-2022-003 CVE-2022-3602 OpenSSL 3.0

Overview
OpenSSL 3.x versions earlier than 3.0.7 have been found to be vulnerable to an issue that can lead to a crash or unexpected behavior. SmartOS Platform Images 20211216 and later include OpenSSL 3. This affects only the following client applications when used from the platform image:
- curl
- wget
- openldap
OpenSSL 3.0 is not yet included in any pkgsrc branch, so pkgsrc packages are unaffected.

TPS-2022-002 MNX Migration

Overview
Now that MNX has acquired the Triton family of products, this security website has migrated to https://security.tritondatacenter.com. We are also now using a new issue key, TPS, instead of JSA. All existing JSA URLs will redirect to the new TPS URLs.
Actions You Need to Take
There are no specific actions you need to take.
Support
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

TPS-2022-001 tmpfs induced panic

Overview
An unprivileged user, including a user in a zone, with access to a tmpfs can induce a system panic, resulting in the system rebooting.
Actions taken by Joyent
A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta.
Actions You Need to Take
Triton Operators: This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.

TPS-2021-003 Triton and Manta not vulnerable to CVE-2021-44228, CVE-2021-4104 (log4j)

Overview
As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228. Triton and Manta use zookeeper for state management of Manatee, and for service component registration in the binder or nameservice component. While our version of zookeeper does include log4j, we use version 1.2.15, which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Additionally, CVE-2021-4104 covers usage of log4j when using JMSAppender.

TPS-2021-002 http-signature

Overview
This notice is to advise Joyent customers and open source users of Triton and Manta about a prototype pollution vulnerability in json-schema, a 3rd-party dependency of http-signature. http-signature is the authentication component of CloudAPI and Manta. It is not known that http-signature is exploitable, but it has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature.
Description
Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.