Overview Per today’s email to SmartOS and Triton discussion lists, we are are taking down image 60f76fd2-143f-4f57-819b-1ae32684e81b from our image repository today. That image has pre-generated SSH host keys. Unless an LX zone had regenerated these keys, they are shared across all LX zones running that image.
Actions Taken by Us Prior to the aforementioned discovery, we had updated the Debian 12 LX image to 28f872d5-8227-4f7d-b8f6-30bd5db1f1ac (dated 2025-01-20). We have removed image 60f76fd2-143f-4f57-819b-1ae32684e81b (dated 2024-07-06) completely.
Overview Now that MNX has acquired the Triton family of products, this security website has migrated to https://security.tritondatacenter.com. We are also now using a new issue key TPS instead of JSA. All existing JSA URLs will redirect to the new TPS.
Actions You Need to Take There are no specific actions you need to take.
Support If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
Overview An unprivileged user, including users in a zone, with access to a tmpfs can induce a system panic resulting in the system rebooting.
Actions taken by Joyent A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta.
Actions You Need to Take Triton Operators This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.
Overview As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.
Triton and Manta use zookeeper for state management of Manatee, and for service component registration in the binder or nameservice component. While our version of zookeeper does include log4j, we use version 1.2.15 which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Additionally, CVE-2021-4104 covers usage of log4j when using JMSAppender.
Overview This notice is to advise Joyent customers and open source users of Triton and Manta about a prototype pollution vulnerability in json-schema, a 3rd-party dependency of http-signature. Http-signature is the authentication component of CloudAPI and Manta.
It is not known that http-signature is exploitable, but has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature.
Description Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.
Overview This notice is to advise Joyent customers and open source users of Triton and Manta about CVE-2021-40346, a potential security vulnerability where an attacker may bypass http-request HAProxy ACLs.
Description Further details surrounding this vulnerability (including a list of applications/services that may be vulnerable) can be found in this alert from CVE.
Actions taken by Joyent The fix has been made available for upstream inclusion and has been deployed into our production environment.
Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Node.js users and Open Source Triton users of a vulnerability reported by Node.
Description Node has made Joyent aware of the following high-severity DOS vulnerability: CVE-2017-14919
The following Node.js versions are vulnerable to this issue, which can be used by an external attacker to cause a denial of service:
Versions 4.8.2 and later Versions 6.10.2 and later All versions of 8.
Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Triton On-Premises Object Storage (Manta) operators and Open Source Triton users of two vulnerabilities reported by Node.
Description Joyent has been made aware of the following Node vulnerabilities:
“Constant Hashtable Seeds” (CVE-2017-11499) - high severity “- c-ares NAPTR parser out of bounds access” (CVE-2017-1000381) - low severity Of the two, only the high-severity “Constant Hashable Seeds” vulnerability has been determined to have any potential effect on Joyent’s infrastructure/services.
Overview This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of a high-severity arbitrary Docker file overwrite vulnerability that could be introduced using Docker file copy and Docker build.
Description The following security vulnerability has been identified by Ben with Zero Day Initiative (ZDI): ZDI-CAN-3853
Through ZDI, we have previously been made aware of this issue. Here is a brief description of the issue and the resolution:
Overview This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity “Dirty Cow” vulnerability first announced here (and on other sites) in November 2016.
Description This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping.
The only affected Joyent images are KVM images, so those have been updated accordingly.
