/tags/smartos/ Recent content in smartos on Triton Product Security Hugo -- gohugo.io en-us Sun, 24 May 2026 12:00:00 -0400 /tps-2026-001/ Sun, 24 May 2026 12:00:00 -0400 /tps-2026-001/ Overview Per an email sent to the illumos community, we have respun the 20260514 SmartOS release (which also accompanies the 20260514 Triton release) to fix this vulnerability. We recommend updating to this release, build stamp 20260522T154557Z, as soon as possible. Actions Taken by Us We have respun the 20260514 SmartOS release, build stamp 20260522T154557Z. All version one can obtain: ISO, USB, Platform Image, and VMware image, are available for installation for either standalone SmartOS or for Triton deployments. /tps-2025-002/ Thu, 13 Mar 2025 14:37:00 -0400 /tps-2025-002/ Overview Per today’s email to SmartOS and Triton discussion lists, we are are taking down image 60f76fd2-143f-4f57-819b-1ae32684e81b from our image repository today. That image has pre-generated SSH host keys. Unless an LX zone had regenerated these keys, they are shared across all LX zones running that image. Actions Taken by Us Prior to the aforementioned discovery, we had updated the Debian 12 LX image to 28f872d5-8227-4f7d-b8f6-30bd5db1f1ac (dated 2025-01-20). We have removed image 60f76fd2-143f-4f57-819b-1ae32684e81b (dated 2024-07-06) completely. /tps-2025-001/ Wed, 19 Feb 2025 11:53:42 -0500 /tps-2025-001/ Overview The Qualys Security Advisory team discovered two vulnerabilities in OpenSSH 9.9p1. From the OpenSSH 9.9p2 release notes: CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1 (inclusive) contained a logic error that allowed an on-path attacker (a.k.a MITM) to impersonate any server when the VerifyHostKeyDNS option is enabled. This option is off by default. CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1 (inclusive) is vulnerable to a memory/CPU denial-of-service related to the handling of SSH2_MSG_PING packets. /tps-2024-002/ Mon, 01 Jul 2024 00:00:00 +0000 /tps-2024-002/ Overview A remote code execution vulnerability has been discovered in OpenSSH sshd. At current, only glibc-based Linux systems are known to be vulnerable. Smartos, being neither Linux nor glibc-based is not currently known to be affected. This issue is a regression of CVE-2006-5051, (“Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code”), and therefore may be possible on non-glibc and non-Linux systems, such as SmartOS. /tps-2024-001/ Fri, 29 Mar 2024 00:00:00 +0000 /tps-2024-001/ Overview Recently a back door was discovered in the xz-utils software. This appears to have been introduced by a malicious party with ownership access to the repository. The back door targets Linux systems running OpenSSH and systemd when xz is at version 5.6.0 or 5.6.1. At the current time we have high confidence that the back door does not work on SmartOS. Linux binaries running in lx-brand zones may still be affected. /tps-2023-003/ Fri, 03 Nov 2023 00:00:00 +0000 /tps-2023-003/ Overview OpenSSL has released an [advisory for multiple CVEs]. This affects the only the following components client applications when used from the platform image. curl wget openldap node.js (as used by imgadm) Pkgsrc packages Triton services and API endpoints (e.g., CloudAPI) are unaffected. Actions taken by Us This issue has been fixed in the SmartOS platform image in OS-8442. Platform images including the associated commit (release-20220209 and later) have been fixed. /tps-2023-002/ Fri, 04 Aug 2023 00:00:00 +0000 /tps-2023-002/ Overview A vulnerability has been reported to the FreeBSD developers in bhyve that allows a vmm guest to overflow a buffer potentially allowing code execution outside the context of the vm. On SmartOS, the bhyve process runs in a non-privileged zone which limits the potential impact. Stack smashing support in the illumos kernel shiped with SmartOS may also mitigate exploitation. Actions Taken by Us This issue has been fixed in illumos#15822, and release-202300727 (platform stamp 20230804T193934Z) is now available which includes a fix for this issue. /tps-2023-001/ Thu, 04 May 2023 00:00:00 +0000 /tps-2023-001/ Overview A vulnerability has been found in the illumos kernel (CVE-2023-31284) that allows local users, including non-root users in zones, to panic the system. Any environment running untrusted workloads (e.g., public cloud environments) are strongly urged to update (see Actions You Need to Take below). Actions Taken by Us This issue has been fixed in illumos#15586, and release-20230504 (platform stamp 20230504T000449Z) is now available which includes a fix for this issue. /tps-2022-003/ Thu, 03 Nov 2022 00:00:00 +0000 /tps-2022-003/ Overview OpenSSL versions from 3.x through 3.0.7 (earlier than 3.0.7) has been found to be vulnerable to a vulnerability that can lead to crash or unexpected behavior. SmartOS Platform Images 20211216 and later include OpenSSL 3. This affects the only the following components client applications when used from the platform image. curl wget openldap OpenSSL 3.0 is not yet included in any pkgsrc branch, so pkgsrc packages are unaffected. For LX, Docker, KVM, or BHYVE guests, follow the advisory of the guest operating system’s upstream vendor. /tps-2022-002/ Sun, 01 May 2022 00:00:00 +0000 /tps-2022-002/ Overview Now that MNX has acquired the Triton family of products, this security website has migrated to https://security.tritondatacenter.com. We are also now using a new issue key TPS instead of JSA. All existing JSA URLs will redirect to the new TPS. Actions You Need to Take There are no specific actions you need to take. Support If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support. /tps-2022-001/ Tue, 18 Jan 2022 00:00:00 +0000 /tps-2022-001/ Overview An unprivileged user, including users in a zone, with access to a tmpfs can induce a system panic resulting in the system rebooting. Actions taken by Joyent A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta. Actions You Need to Take Triton Operators This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image. /tps-2020-001/ Tue, 27 Oct 2020 00:00:00 +0000 /tps-2020-001/ Overview A critical vulnerability was found in the illumos Pluggable Authentication Module library due to insufficient bounds checking. This issue affects all illumos distributions using illumos PAM. Actions taken by Joyent The illumos community has fixed the issue, which has been merged into Joyent’s fork of illumos. Release platform images dated 20201022 or later are available that resolve this issue. Actions You Need to Take It is recommended for all users to reboot all Triton and SmartOS compute nodes to a platform image that contains the fix. /tps-2019-003/ Tue, 14 May 2019 00:00:00 +0000 /tps-2019-003/ Overview This advisory covers four different vulnerabilities, collectively termed Microarchitectural Data Sampling (MDS): Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091 These vulnerabilities impact customers running on the Triton Public Cloud and operators of Triton Enterprise software. Understanding the Vulnerabilities These vulnerabilities target different parts of the processor’s microarchitecture or implementation. /tps-2018-008/ Thu, 06 Dec 2018 00:00:00 +0000 /tps-2018-008/ Overview This vulnerability, CVE-2018-17160, was detected and remediated by the FreeBSD community, as detailed in their disclosure. The issue was caused by insufficient bounds checking for one of the emulated virtual devices. The vulnerability could be exploited to permit a guest operating system to overwrite memory in the bhyve(8) processing, making it possible to execute arbitrary code on the host. Actions Taken by Joyent The upstream fix in the FreeBSD bhyve project has been merged into SmartOS and made available for all Triton and SmartOS users in the latest platform image release, 20181206T011455Z. /tps-2018-007/ Thu, 16 Aug 2018 00:00:00 +0000 /tps-2018-007/ Overview This advisory covers a series of three different vulnerabilities surrounding Intel hardware, collectively called L1 Terminal Fault (L1TF): CVE-2018-3615 - Specific to Intel Software Guard Extensions (SGX) CVE-2018-3620 - Specific to Operating Systems and System Management Mode (SMM) CVE-2018-3646 - Specific to Virtual Machine Monitors (VMM) / Hypervisors Of these three CVEs, only the latter two apply to Triton public cloud and Triton Enterprise software customers. Joyent customers are not affected by the first CVE. /tps-2018-006/ Thu, 21 Jun 2018 00:00:00 +0000 /tps-2018-006/ Overview/Description Recently, the embargo has been broken on an Intel microprocessor issue that affects operating systems that lazily save floating point unit (FPU) register state: CVE-2018-3665. While SmartOS is affected by this issue, Intel included Joyent in the embargoed information, with adequate time for us to develop and validate a fix. Actions Taken by Joyent The fix has been made available for upstream inclusion and is in the process of being deployed to the Triton Cloud (public cloud). /tps-2018-004/ Thu, 15 Mar 2018 00:00:00 +0000 /tps-2018-004/ Overview This notice is to advise Joyent customers of the potential security vulnerabilities surrounding Intel hardware, known as Spectre and Meltdown: CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 Description Details surrounding Intel’s findings regarding Spectre and Meltdown can be reviewed here. Additional information can be reviewed here and here. Actions Taken by Joyent Joyent has created a new Platform Image (PI) containing KPTI (Kernel Page Table Isolation) and PCID (Process Context Identifier). We are in the process of applying this PI across the Triton Cloud (public cloud). /tps-2018-003/ Mon, 05 Mar 2018 00:00:00 +0000 /tps-2018-003/ Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, and Open Source Triton users of a vulnerability reported by Zero Day Initiative (ZDI). Description The following security vulnerability has been identified by Ben Murphy with Zero Day Initiative: ZDI-CAN-5106. Through ZDI, we have previously been made aware of this vulnerability. Here is a brief description of the issue and its resolution: Issue: A malicious DTrace helper can lead to zone escape via out-of-bounds relocation. /tps-2018-001/ Wed, 24 Jan 2018 00:00:00 +0000 /tps-2018-001/ Overview This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of two security vulnerabilities. Description The following security vulnerabilities have been identified by Ben with Zero Day Initiative (ZDI): ZDI-CAN-4983 and ZDI-CAN-4984. Through ZDI, we have previously been made aware of these vulnerabilities. Here is a brief description of the issue and its resolution: Issue: A local process can generate a panic by issuing commands to the smb subsystem. /tps-2017-002/ Thu, 05 Jan 2017 02:37:19 +0000 /tps-2017-002/ Overview This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity “Dirty Cow” vulnerability first announced here (and on other sites) in November 2016. Description This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping. The only affected Joyent images are KVM images, so those have been updated accordingly. /tps-2017-001/ Thu, 05 Jan 2017 02:37:18 +0000 /tps-2017-001/ Overview This notice is to advise the user groups identified below of a recently-discovered, /proc filesystem permission vulnerability. The issue was reported directly to Joyent Engineering by a security researcher. Description This high-severity vulnerability exists in the core SmartOS platform. The exploit allows non-root users to create objects in the /proc directory within the zone. The validations for filesystem permissions have been hardened to prevent such unauthorized actions. The following user groups are affected Joyent customers using on-premises Triton software All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud) Users of Open Source Triton Actions Taken by Joyent Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities. /tps-2016-012/ Tue, 13 Dec 2016 00:00:00 +0000 /tps-2016-012/ Overview This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton Enterprise software customers and Open Source Triton users of four SmartOS/file system vulnerabilities reported by Cisco Talos. Description On 13-December-2016, Cisco Talos reported three privilege escalation vulnerabilities that result from exploits on the ioctl() function. Based on our investigation, the exploits are actually not possible as either a regular user or as root from within a zone. /tps-2016-011/ Thu, 27 Oct 2016 00:00:00 +0000 /tps-2016-011/ Overview This notice is to advise the user groups identified below of recently-discovered, arbitrary kernel-mode code execution vulnerabilities. These issues were reported directly to Joyent Engineering by an individual user. Description These high-severity vulnerabilities exist in the core SmartOS platform, and have been present since (at least) OpenSolaris times. Attackers can potentially exploit certain system calls to obtain root privileges. Input validations for the system calls involved have been hardened to prevent such malicious attempts. /tps-2016-010/ Mon, 10 Oct 2016 00:00:00 +0000 /tps-2016-010/ How To Update Your Services SmartOS Users New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following latest package releases address the vulnerabilities outlined in this post’s “Original Notice” section: nodejs-6.7.0.tgz (2016Q3) nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3) nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3) nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3) openssl-1.0.2j.tgz (2015Q4, 2016Q3) openssl-1.0.2i.tgz (2015Q4) openssl-1.0.1u.tgz (2014Q4) If you are running on an older SmartOS image that is using a deprecated pkgsrc repository, you may still try installing the correct fixed package by using the following command (NOTE: please test for any potential incompatibilities on a non-production machine prior to trying this): /tps-2016-009/ Sun, 15 May 2016 00:00:00 +0000 /tps-2016-009/ How To Update Your Services SmartOS Users New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice: nodejs-5.12.0.tgz nodejs-4.4.7.tgz nodejs-0.12.15.tgz nodejs-0.10.46.tgz If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine): /tps-2016-008/ Tue, 03 May 2016 00:00:00 +0000 /tps-2016-008/ How To Update Your Services Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users Update to the fixed release of the affected versions, as shown in the table below: CVE Version(s) Affected Fixed Release(s) Where Available CVE-2016-2108 OpenSSL 1.0.1, OpenSSL 1.0.2 OpenSSL 1.0.1o, OpenSSL 1.0.2c 2014Q2, 2014Q4 2015Q2 CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 OpenSSL 1.0.1 OpenSSL 1.0.2 OpenSSL 1.0.1o OpenSSL 1.0.2h 2014Q4 2015Q4, 2016Q1 You can determine whether OpenSSL is installed (as well as the version you have installed) by running: /tps-2016-003/ Sun, 14 Feb 2016 00:00:00 +0000 /tps-2016-003/ Overview Please read this first Through HP’s Zero Day Initiative, we have previously been made aware of the three security issues described in this Overview: These vulnerabilities have already been fixed throughout the Joyent Public Cloud. On-premises Triton (SDC7) software customers can mitigate all of these issues by following the (previously-provided) instructions referenced in the Recommendations/Fixes section below. These three vulnerabilities will be announced on Tuesday, 16-February-2016 at Zero Day’s “Upcoming Advisories”. /tps-2016-002/ Thu, 14 Jan 2016 00:00:00 +0000 /tps-2016-002/ Overview Two new vulnerabilities in the OpenSSH SSH client (CVE-2016-0777 and CVE-2016-0778) allow a malicious or compromised SSH server to induce the client to leak arbitrary memory (including the client’s private keys), and, in some versions of the client, execute arbitrary code on the client system. The client checks the server’s host keys before reaching the point of vulnerability, so a man-in-the-middle attack is not a realistic vector (unless the server’s host keys have already been disclosed). /tps-2016-001/ Sun, 03 Jan 2016 00:00:00 +0000 /tps-2016-001/ SmartOS Users New releases of the node.js packages have been added to the 2014Q4 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice: nodejs-0.12.9.tgz nodejs-4.2.3.tgz If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command: pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-0.12.9.tgz pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-4.2.3.tgz You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable. /tps-2015-007/ Fri, 04 Dec 2015 00:00:00 +0000 /tps-2015-007/ SmartOS Users As per the table outlined below, users should update to the fixed release of the affected versions. For users running on the older 1.0.0 or 0.9.8 versions of OpenSSL, you are advised to upgrade to later versions of OpenSSL. CVE Version(s) Affected Fixed Release(s) Where Available (pkgsrc repo) CVE-2015-3193 OpenSSL 1.0.2 OpenSSL 1.0.2e 2015Q3 CVE-2015-3194 OpenSSL 1.0.2, 1.0.1 OpenSSL 1.0.2e, 1.0.1q 2015Q3, 2014Q4 CVE-2015-3195 OpenSSL 1.0.2, 1.0.1, 1.0.0, 0. /tps-2015-006/ Thu, 03 Dec 2015 00:00:00 +0000 /tps-2015-006/ Introduction This advisory describes the scope of the recently-announced, “high-severity” OpenSSL vulnerability classified as CVE-2015-1793. This vulnerability could allow “man-in-the-middle” attackers to impersonate HTTPS servers and snoop on encrypted traffic. Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take. This article is meant to be used in addition to our 18-June-2015 and 20-March-2015 advisories regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1. /tps-2015-004/ Thu, 18 Jun 2015 00:00:00 +0000 /tps-2015-004/ Introduction This advisory describes the scope of the following recently-announced OpenSSL vulnerabilities, including Logjam: CVE-2015-4000 (Logjam) CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1792 CVE-2015-1791 CVE-2014-8176 Described in the sections below are actions being taken by Joyent, and actions recommended for customers to take: We made this advisory public on 18-June-2015. This advisory is meant to be used in addition to our 20-March-2015 article regarding previously-announced OpenSSL vulnerabilities. Upgrading your own OpenSSL version 1.0.1 or 1. /tps-2015-003/ Wed, 13 May 2015 00:00:00 +0000 /tps-2015-003/ Joyent Engineers are aware of the Venom (CVE-2015-3456) security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Although the flaw exists in our KVM/QEMU in the Joyent software (SmartDataCenter and the Joyent Public Cloud), our architecture runs QEMU inside of an additional secure container with almost no privileges. /tps-2015-002/ Fri, 20 Mar 2015 00:00:00 +0000 /tps-2015-002/ The following sections describe the scope of several recently-announced Open SSL Vulnerabilities. We have included actions being taken by Joyent, and actions recommended for customers to take. CVEs specific to OpenSSL version 1.0.2 Joyent has never shipped any versions of OpenSSL version 1.0.2 to customers, either in pkgsrc or as part of SmartDataCenter (SDC). If we do ship 1.0.2 versions in the future, they will be those versions known to contain the recent security fixes. /tps-2014-004/ Wed, 24 Sep 2014 00:00:00 +0000 /tps-2014-004/ This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock. Note that CVE-2014-7169 has arisen due to incomplete fixes created for the CVE-2014-6271 vulnerability. (These fixes are created by the upstream maintainers of bash, not by Joyent.) AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud.