Overview Recently a back door was discovered in the xz-utils software. This appears to have been introduced by a malicious party with ownership access to the repository. The back door targets Linux systems running OpenSSH and systemd when xz is at version 5.6.0 or 5.6.1.
At the current time we have high confidence that the back door does not work on SmartOS. Linux binaries running in lx-brand zones may still be affected.
Overview OpenSSL has released an [advisory for multiple CVEs].
This affects the only the following components client applications when used from the platform image.
curl wget openldap node.js (as used by imgadm) Pkgsrc packages
Triton services and API endpoints (e.g., CloudAPI) are unaffected.
Actions taken by Us This issue has been fixed in the SmartOS platform image in OS-8442. Platform images including the associated commit (release-20220209 and later) have been fixed.
Overview A vulnerability has been reported to the FreeBSD developers in bhyve that allows a vmm guest to overflow a buffer potentially allowing code execution outside the context of the vm.
On SmartOS, the bhyve process runs in a non-privileged zone which limits the potential impact. Stack smashing support in the illumos kernel shiped with SmartOS may also mitigate exploitation.
Actions Taken by Us This issue has been fixed in illumos#15822, and release-202300727 (platform stamp 20230804T193934Z) is now available which includes a fix for this issue.
Overview A vulnerability has been found in the illumos kernel (CVE-2023-31284) that allows local users, including non-root users in zones, to panic the system.
Any environment running untrusted workloads (e.g., public cloud environments) are strongly urged to update (see Actions You Need to Take below).
Actions Taken by Us This issue has been fixed in illumos#15586, and release-20230504 (platform stamp 20230504T000449Z) is now available which includes a fix for this issue.
Overview OpenSSL versions from 3.x through 3.0.7 (earlier than 3.0.7) has been found to be vulnerable to a vulnerability that can lead to crash or unexpected behavior.
SmartOS Platform Images 20211216 and later include OpenSSL 3. This affects the only the following components client applications when used from the platform image.
curl wget openldap OpenSSL 3.0 is not yet included in any pkgsrc branch, so pkgsrc packages are unaffected.
Overview Now that MNX has acquired the Triton family of products, this security website has migrated to https://security.tritondatacenter.com. We are also now using a new issue key TPS instead of JSA. All existing JSA URLs will redirect to the new TPS.
Actions You Need to Take There are no specific actions you need to take.
Support If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
Overview An unprivileged user, including users in a zone, with access to a tmpfs can induce a system panic resulting in the system rebooting.
Actions taken by Joyent A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta.
Actions You Need to Take Triton Operators This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.
Overview A critical vulnerability was found in the illumos Pluggable Authentication Module library due to insufficient bounds checking. This issue affects all illumos distributions using illumos PAM.
Actions taken by Joyent The illumos community has fixed the issue, which has been merged into Joyent’s fork of illumos. Release platform images dated 20201022 or later are available that resolve this issue.
Actions You Need to Take It is recommended for all users to reboot all Triton and SmartOS compute nodes to a platform image that contains the fix.
Overview This advisory covers four different vulnerabilities, collectively termed Microarchitectural Data Sampling (MDS):
Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091 These vulnerabilities impact customers running on the Triton Public Cloud and operators of Triton Enterprise software.
Understanding the Vulnerabilities These vulnerabilities target different parts of the processor’s microarchitecture or implementation.
Overview This vulnerability, CVE-2018-17160, was detected and remediated by the FreeBSD community, as detailed in their disclosure.
The issue was caused by insufficient bounds checking for one of the emulated virtual devices. The vulnerability could be exploited to permit a guest operating system to overwrite memory in the bhyve(8) processing, making it possible to execute arbitrary code on the host.
Actions Taken by Joyent The upstream fix in the FreeBSD bhyve project has been merged into SmartOS and made available for all Triton and SmartOS users in the latest platform image release, 20181206T011455Z.
