Overview
In the process of creating images, some of Joyent’s internal-use SSH public keys were inadvertently left in certain published images. This created a risk of unauthorized access to instances created from the affected images.
Joyent acknowledges the assistance of an Open Source user in discovering this issue.
Background
Joyent creates and publishes images to our Triton public cloud. These images cover various operating systems and are used by customers to create instances that run on the cloud.
Overview
CVE-2019-5736 has been identified and a remediation plan has been prepared, as detailed here.
This vulnerability relies on an unsafe container configuration known as privileged containers.
SmartOS is immune to this attack. Although Triton and SmartOS implement the same interface as Docker, the runC program used on Linux is not used in SmartOS. SmartOS is also immune to similar vulnerabilities that may exist in any other program, because SmartOS handles per-zone identity more strictly than Linux privileged containers do.
Overview
This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity “Dirty Cow” vulnerability first announced here (and on other sites) in November 2016.
Description
This race condition exists in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3); it allows local users to gain privileges by exploiting incorrect handling of the copy-on-write (COW) feature to write to a read-only memory mapping.
The only affected Joyent images are KVM images, and those have been updated accordingly.
How To Update Your Services
SmartOS Users
New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following package releases address the vulnerabilities outlined in this post’s “Original Notice” section:

nodejs-6.7.0.tgz (2016Q3)
nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3)
nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3)
nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3)
openssl-1.0.2j.tgz (2015Q4, 2016Q3)
openssl-1.0.2i.tgz (2015Q4)
openssl-1.0.1u.tgz (2014Q4)

If you are running on an older SmartOS image that uses a deprecated pkgsrc repository, you may still try installing the fixed package with the following command (NOTE: please test for potential incompatibilities on a non-production machine before trying this):
How To Update Your Services
SmartOS Users
New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following package releases address the vulnerabilities outlined in this notice:

nodejs-5.12.0.tgz
nodejs-4.4.7.tgz
nodejs-0.12.15.tgz
nodejs-0.10.46.tgz

If you are running on a SmartOS image that uses a different pkgsrc repository, you can still install the above with the following command (you may want to first test for potential incompatibilities on a non-production machine):
How To Update Your Services
Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users
Update to the fixed release of the affected versions, as shown in the table below:

CVE | Version(s) Affected | Fixed Release(s) | Where Available
CVE-2016-2108 | OpenSSL 1.0.1, OpenSSL 1.0.2 | OpenSSL 1.0.1o, OpenSSL 1.0.2c | 2014Q2, 2014Q4, 2015Q2
CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176 | OpenSSL 1.0.1 | OpenSSL 1.
How To Update Your Services
SmartOS Users
New releases of the Node.js packages have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following package releases address the vulnerabilities outlined in this notice:

nodejs-0.10.42.tgz
nodejs-0.12.10.tgz
nodejs-4.3.0.tgz
nodejs-5.6.0.tgz

If you are running on a SmartOS image that uses a different pkgsrc repository, you can still install the above with the following command (you may want to first test for potential incompatibilities on a non-production machine):
How To Update Your Services
SmartOS Users
The new releases referenced in the “Original Notice” section (below) have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following package releases address the vulnerabilities outlined in this notice:

openssl-1.0.1s.tgz (now available in the 2014Q4 pkgsrc repository)
openssl-1.0.2g.tgz (now available in the 2015Q4 pkgsrc repository)

If you are running on a SmartOS image that uses a different pkgsrc repository, you can still install the above with the following command (you may want to first test for potential incompatibilities on a non-production machine):
Joyent engineers are aware of the glibc security vulnerability (CVE-2015-7547), believed to be present in all versions of glibc since 2.9. The glibc client-side DNS resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited through attacker-controlled domain names, attacker-controlled DNS servers, or a man-in-the-middle attack.
Joyent customers using glibc in their Docker containers, LX zones, or KVM instances are advised to update glibc if they are on a vulnerable version.
Overview
Please read this first
Through HP’s Zero Day Initiative, we have previously been made aware of the three security issues described in this Overview:
These vulnerabilities have already been fixed throughout the Joyent Public Cloud. On-premises Triton (SDC7) software customers can mitigate all of these issues by following the previously provided instructions referenced in the Recommendations/Fixes section below. These three vulnerabilities will be announced on Tuesday, 16-February-2016 at Zero Day’s “Upcoming Advisories”.