smartos

TPS-2024-002 OpenSSH CVE-2024-6387 - Race condition in sshd may allow remote code execution

Overview A remote code execution vulnerability has been discovered in OpenSSH sshd. At current, only glibc-based Linux systems are known to be vulnerable. Smartos, being neither Linux nor glibc-based is not currently known to be affected. This issue is a regression of CVE-2006-5051, (“Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code”), and therefore may be possible on non-glibc and non-Linux systems, such as SmartOS.

TPS-2024-001 SmartOS / Triton not affected by CVE-2024-3094

Overview Recently a back door was discovered in the xz-utils software. This appears to have been introduced by a malicious party with ownership access to the repository. The back door targets Linux systems running OpenSSH and systemd when xz is at version 5.6.0 or 5.6.1. At the current time we have high confidence that the back door does not work on SmartOS. Linux binaries running in lx-brand zones may still be affected.

TPS-2023-003 OpenSSL Multiple CVEs

Overview OpenSSL has released an [advisory for multiple CVEs]. This affects the only the following components client applications when used from the platform image. curl wget openldap node.js (as used by imgadm) Pkgsrc packages Triton services and API endpoints (e.g., CloudAPI) are unaffected. Actions taken by Us This issue has been fixed in the SmartOS platform image in OS-8442. Platform images including the associated commit (release-20220209 and later) have been fixed.

TPS-2023-002 illumos#15822 bhyve fget_str buffer overflow (FreeBSD-SA-23:07)

Overview A vulnerability has been reported to the FreeBSD developers in bhyve that allows a vmm guest to overflow a buffer potentially allowing code execution outside the context of the vm. On SmartOS, the bhyve process runs in a non-privileged zone which limits the potential impact. Stack smashing support in the illumos kernel shiped with SmartOS may also mitigate exploitation. Actions Taken by Us This issue has been fixed in illumos#15822, and release-202300727 (platform stamp 20230804T193934Z) is now available which includes a fix for this issue.

TPS-2023-001 illumos kernel CVE-2023-31284

Overview A vulnerability has been found in the illumos kernel (CVE-2023-31284) that allows local users, including non-root users in zones, to panic the system. Any environment running untrusted workloads (e.g., public cloud environments) are strongly urged to update (see Actions You Need to Take below). Actions Taken by Us This issue has been fixed in illumos#15586, and release-20230504 (platform stamp 20230504T000449Z) is now available which includes a fix for this issue.

TPS-2022-003 CVE-2022-3602 OpenSSL 3.0

Overview OpenSSL versions from 3.x through 3.0.7 (earlier than 3.0.7) has been found to be vulnerable to a vulnerability that can lead to crash or unexpected behavior. SmartOS Platform Images 20211216 and later include OpenSSL 3. This affects the only the following components client applications when used from the platform image. curl wget openldap OpenSSL 3.0 is not yet included in any pkgsrc branch, so pkgsrc packages are unaffected.

TPS-2022-002 MNX Migration

Overview Now that MNX has acquired the Triton family of products, this security website has migrated to https://security.tritondatacenter.com. We are also now using a new issue key TPS instead of JSA. All existing JSA URLs will redirect to the new TPS. Actions You Need to Take There are no specific actions you need to take. Support If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

TPS-2022-001 tmpfs induced panic

Overview An unprivileged user, including users in a zone, with access to a tmpfs can induce a system panic resulting in the system rebooting. Actions taken by Joyent A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta. Actions You Need to Take Triton Operators This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.

TPS-2020-001 CVE-2020-27678 - libpam

Overview A critical vulnerability was found in the illumos Pluggable Authentication Module library due to insufficient bounds checking. This issue affects all illumos distributions using illumos PAM. Actions taken by Joyent The illumos community has fixed the issue, which has been merged into Joyent’s fork of illumos. Release platform images dated 20201022 or later are available that resolve this issue. Actions You Need to Take It is recommended for all users to reboot all Triton and SmartOS compute nodes to a platform image that contains the fix.

TPS-2019-003 Intel Microarchitectural Data Sampling (CVE-2018-12127, CVE-2018-12126, CVE-2018-12130, CVE-2019-11091)

Overview This advisory covers four different vulnerabilities, collectively termed Microarchitectural Data Sampling (MDS): Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091 These vulnerabilities impact customers running on the Triton Public Cloud and operators of Triton Enterprise software. Understanding the Vulnerabilities These vulnerabilities target different parts of the processor’s microarchitecture or implementation.