Overview
This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of a high-severity arbitrary Docker file overwrite vulnerability that could be introduced using Docker file copy and Docker build.
Description
The following security vulnerability has been identified by Ben with Zero Day Initiative (ZDI): ZDI-CAN-3853
Through ZDI, we have previously been made aware of this issue. Here is a brief description of the issue and the resolution:
Overview
This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity “Dirty Cow” vulnerability first announced here (and on other sites) in November 2016.
Description
This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping.
The only affected Joyent images are KVM images, so those have been updated accordingly.
Overview
This notice is to advise the user groups identified below of a recently discovered /proc filesystem permission vulnerability. The issue was reported directly to Joyent Engineering by a security researcher.
Description
This high-severity vulnerability exists in the core SmartOS platform. The exploit allows non-root users to create objects in the /proc directory within the zone. The validations for filesystem permissions have been hardened to prevent such unauthorized actions.
The following user groups are affected:
- Joyent customers using on-premises Triton software
- All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud)
- Users of Open Source Triton
Actions Taken by Joyent
Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities.
Overview
This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton Enterprise software customers and Open Source Triton users of four SmartOS/file system vulnerabilities reported by Cisco Talos.
Description
On 13-December-2016, Cisco Talos reported three privilege escalation vulnerabilities that involve the ioctl() system call. Based on our investigation, the exploits are actually not possible as either a regular user or as root from within a zone.
Overview
This notice is to advise the user groups identified below of recently discovered arbitrary kernel-mode code execution vulnerabilities. These issues were reported directly to Joyent Engineering by an individual user.
Description
These high-severity vulnerabilities exist in the core SmartOS platform, and have been present since (at least) OpenSolaris times.
Attackers can potentially exploit certain system calls to obtain root privileges. Input validations for the system calls involved have been hardened to prevent such malicious attempts.
How To Update Your Services
SmartOS Users
New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following latest package releases address the vulnerabilities outlined in this post’s “Original Notice” section:
- nodejs-6.7.0.tgz (2016Q3)
- nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3)
- nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3)
- nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3)
- openssl-1.0.2j.tgz (2015Q4, 2016Q3)
- openssl-1.0.2i.tgz (2015Q4)
- openssl-1.0.1u.tgz (2014Q4)
If you are running on an older SmartOS image that is using a deprecated pkgsrc repository, you may still try installing the correct fixed package by using the following command (NOTE: please test for any potential incompatibilities on a non-production machine prior to trying this):
How To Update Your Services
SmartOS Users
New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:
- nodejs-5.12.0.tgz
- nodejs-4.4.7.tgz
- nodejs-0.12.15.tgz
- nodejs-0.10.46.tgz
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):
How To Update Your Services
Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users
Update to the fixed release of the affected versions, as shown in the table below:
CVE | Version(s) Affected | Fixed Release(s) | Where Available
CVE-2016-2108 | OpenSSL 1.0.1, OpenSSL 1.0.2 | OpenSSL 1.0.1o, OpenSSL 1.0.2c | 2014Q2, 2014Q4, 2015Q2
CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 | OpenSSL 1.0.1 | OpenSSL 1.
Overview
Introduction
This notice is to ensure that all Triton Cloud customers, all on-premises operators of Triton Enterprise (formerly SmartDataCenter or SDC) and all open source Triton users are aware of vulnerabilities reported to us by research contributors at Trend Micro’s Zero Day Initiative, and some discovered by our own Engineering team:
All necessary fixes have been applied to Triton Cloud (formerly Joyent Public Cloud or JPC). No action is required by Triton Cloud customers.
How To Update Your Services
SmartOS Users
New releases of the Node.js packages have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:
- nodejs-0.10.42.tgz
- nodejs-0.12.10.tgz
- nodejs-4.3.0.tgz
- nodejs-5.6.0.tgz
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):