TPS-2015-007 OpenSSL OpenSSL Security Advisory

SmartOS Users As per the table outlined below, users should update to the fixed release of the affected versions. For users running on the older 1.0.0 or 0.9.8 versions of OpenSSL, you are advised to upgrade to later versions of OpenSSL. CVE Version(s) Affected Fixed Release(s) Where Available (pkgsrc repo) CVE-2015-3193 OpenSSL 1.0.2 OpenSSL 1.0.2e 2015Q3 CVE-2015-3194 OpenSSL 1.0.2, 1.0.1 OpenSSL 1.

TPS-2015-006 OpenSSL "Man-in-the-Middle" Vulnerability (CVE-2015-1793)

Introduction This advisory describes the scope of the recently-announced, “high-severity” OpenSSL vulnerability classified as CVE-2015-1793. This vulnerability could allow “man-in-the-middle” attackers to impersonate HTTPS servers and snoop on encrypted traffic. Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take. This article is meant to be used in addition to our 18-June-2015 and 20-March-2015 advisories regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1.

TPS-2015-005 Vulnerability in Node.js 0.11.x thru 0.12.5

Summary Vulnerability in Node.js 0.11.x thru 0.12.5 – this issue is resolved as follows in Node.js version 0.12.6: Fixed an out-of-band write in utf8 decoder. Impacts all Buffer to String conversions. This is an important security update as it can be used to cause a denial of service attack. Status pkgsrc 2014Q4 and 2015Q1 have been updated with nodejs-0.12.6. Customers can upgrade as follows: pkgin up pkgin upgrade nodejs If you have any questions regarding this issue, please contact Joyent Support by creating a ticket at https://help.

TPS-2015-004 Logjam and Other Recent OpenSSL Vulnerabilities

Introduction This advisory describes the scope of the following recently-announced OpenSSL vulnerabilities, including Logjam: CVE-2015-4000 (Logjam) CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1792 CVE-2015-1791 CVE-2014-8176 Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take: We made this advisory public on 18-June-2015. This advisory is meant to be used in addition to our 20-March-2015 article regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1.

TPS-2015-003 Venom (CVE-2015-3456) in KVM/QEMU

Joyent Engineers are aware of the Venom (CVE-2015-3456) security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Although the flaw exists in our KVM/QEMU in the Joyent software (SmartDataCenter and the Joyent Public Cloud), our architecture runs QEMU inside of an additional secure container with almost no privileges.

TPS-2015-002 Addressing Recent OpenSSL Vulnerabilities

The following sections describe the scope of several recently-announced Open SSL Vulnerabilities. We have included actions being taken by Joyent, and actions recommended for customers to take. CVEs specific to OpenSSL version 1.0.2 Joyent has never shipped any versions of OpenSSL version 1.0.2 to customers, either in pkgsrc or as part of SmartDataCenter (SDC). If we do ship 1.0.2 versions in the future, they will be those versions known to contain the recent security fixes.

TPS-2015-001 Security Advisory for "GHOST" Vulnerability on Linux Systems (CVE-2015-0235)

This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified glibc Linux security issue CVE-2015-0235 (GHOST). This vulnerability can be triggered by the gethostbyname functions, impacting many systems built on Linux. How can you determine whether you are vulnerable? You can scan for this vulnerability using the Qualys Vulnerability Management Cloud Solution as QID 123191. If you think you may be affected, patches are available from all of the Linux vendors starting today.

TPS-2014-005 Kerberos Checksum Vulnerability (CVE-2014-6324) Advisory

This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified Kerberos Checksum Vulnerability (CVE-2014-6324) for anyone using Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2. If you are running a Windows VM, your environment may allow remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket.

TPS-2014-004 Bash Vulnerability CVE-2014-6271 & CVE-2014-7169 (Shellshock) - remote code execution through bash

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock. Note that CVE-2014-7169 has arisen due to incomplete fixes created for the CVE-2014-6271 vulnerability. (These fixes are created by the upstream maintainers of bash, not by Joyent.) AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud.

TPS-2014-003 Important Heartbleed Notice - Action Required

We are posting this information as a follow up to prior notices on the Heartbleed bug to ensure customers have reviewed the suggested steps to identify and remediate any vulnerabilities. Heartbleed is a security vulnerability in the OpenSSL encryption software, which is used by a large portion of the secured websites/systems on the Internet, and may also be used by you in your web sites, and/or applications hosted on the Joyent Cloud platform.