TPS-2023-002 illumos#15822 bhyve fget_str buffer overflow (FreeBSD-SA-23:07)

Overview A vulnerability has been reported to the FreeBSD developers in bhyve that allows a vmm guest to overflow a buffer potentially allowing code execution outside the context of the vm. On SmartOS, the bhyve process runs in a non-privileged zone which limits the potential impact. Stack smashing support in the illumos kernel shiped with SmartOS may also mitigate exploitation. Actions Taken by Us This issue has been fixed in illumos#15822, and release-202300727 (platform stamp 20230804T193934Z) is now available which includes a fix for this issue.

TPS-2023-001 illumos kernel CVE-2023-31284

Overview A vulnerability has been found in the illumos kernel (CVE-2023-31284) that allows local users, including non-root users in zones, to panic the system. Any environment running untrusted workloads (e.g., public cloud environments) are strongly urged to update (see Actions You Need to Take below). Actions Taken by Us This issue has been fixed in illumos#15586, and release-20230504 (platform stamp 20230504T000449Z) is now available which includes a fix for this issue.

TPS-2022-003 CVE-2022-3602 OpenSSL 3.0

Overview OpenSSL versions from 3.x through 3.0.7 (earlier than 3.0.7) has been found to be vulnerable to a vulnerability that can lead to crash or unexpected behavior. SmartOS Platform Images 20211216 and later include OpenSSL 3. This affects the only the following components client applications when used from the platform image. curl wget openldap OpenSSL 3.0 is not yet included in any pkgsrc branch, so pkgsrc packages are unaffected.

TPS-2022-002 MNX Migration

Overview Now that MNX has acquired the Triton family of products, this security website has migrated to We are also now using a new issue key TPS instead of JSA. All existing JSA URLs will redirect to the new TPS. Actions You Need to Take There are no specific actions you need to take. Support If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

TPS-2022-001 tmpfs induced panic

Overview An unprivileged user, including users in a zone, with access to a tmpfs can induce a system panic resulting in the system rebooting. Actions taken by Joyent A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta. Actions You Need to Take Triton Operators This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.

TPS-2021-003 Triton and Manta not vulnerable to CVE-2021-44228, CVE-2021-4104 (log4j)

Overview As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See Triton and Manta use zookeeper for state management of Manatee, and for service component registration in the binder or nameservice component. While our version of zookeeper does include log4j, we use version 1.2.15 which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Additionally, CVE-2021-4104 covers usage of log4j when using JMSAppender.

TPS-2021-002 http-signature

Overview This notice is to advise Joyent customers and open source users of Triton and Manta about a prototype pollution vulnerability in json-schema, a 3rd-party dependency of http-signature. Http-signature is the authentication component of CloudAPI and Manta. It is not known that http-signature is exploitable, but has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature. Description Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.

TPS-2021-001 CVE-2021-40346 - HA Proxy

Overview This notice is to advise Joyent customers and open source users of Triton and Manta about CVE-2021-40346, a potential security vulnerability where an attacker may bypass http-request HAProxy ACLs. Description Further details surrounding this vulnerability (including a list of applications/services that may be vulnerable) can be found in this alert from CVE. Actions taken by Joyent The fix has been made available for upstream inclusion and has been deployed into our production environment.

TPS-2020-001 CVE-2020-27678 - libpam

Overview A critical vulnerability was found in the illumos Pluggable Authentication Module library due to insufficient bounds checking. This issue affects all illumos distributions using illumos PAM. Actions taken by Joyent The illumos community has fixed the issue, which has been merged into Joyent’s fork of illumos. Release platform images dated 20201022 or later are available that resolve this issue. Actions You Need to Take It is recommended for all users to reboot all Triton and SmartOS compute nodes to a platform image that contains the fix.

TPS-2019-003 Intel Microarchitectural Data Sampling (CVE-2018-12127, CVE-2018-12126, CVE-2018-12130, CVE-2019-11091)

Overview This advisory covers four different vulnerabilities, collectively termed Microarchitectural Data Sampling (MDS): Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091 These vulnerabilities impact customers running on the Triton Public Cloud and operators of Triton Enterprise software. Understanding the Vulnerabilities These vulnerabilities target different parts of the processor’s microarchitecture or implementation.