TPS-2022-002 MNX Migration

Overview Now that MNX has acquired the Triton family of products, this security website has migrated to We are also now using a new issue key TPS instead of JSA. All existing JSA URLs will redirect to the new TPS. Actions You Need to Take There are no specific actions you need to take. Support If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

TPS-2022-001 tmpfs induced panic

Overview An unprivileged user, including users in a zone, with access to a tmpfs can induce a system panic resulting in the system rebooting. Actions taken by Joyent A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta. Actions You Need to Take Triton Operators This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.

TPS-2021-003 Triton and Manta not vulnerable to CVE-2021-44228, CVE-2021-4104 (log4j)

Overview As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See Triton and Manta use zookeeper for state management of Manatee, and for service component registration in the binder or nameservice component. While our version of zookeeper does include log4j, we use version 1.2.15 which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Additionally, CVE-2021-4104 covers usage of log4j when using JMSAppender.

TPS-2021-002 http-signature

Overview This notice is to advise Joyent customers and open source users of Triton and Manta about a prototype pollution vulnerability in json-schema, a 3rd-party dependency of http-signature. Http-signature is the authentication component of CloudAPI and Manta. It is not known that http-signature is exploitable, but has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature. Description Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.

TPS-2021-001 CVE-2021-40346 - HA Proxy

Overview This notice is to advise Joyent customers and open source users of Triton and Manta about CVE-2021-40346, a potential security vulnerability where an attacker may bypass http-request HAProxy ACLs. Description Further details surrounding this vulnerability (including a list of applications/services that may be vulnerable) can be found in this alert from CVE. Actions taken by Joyent The fix has been made available for upstream inclusion and has been deployed into our production environment.

TPS-2017-005 Node.js DOS Vulnerability (CVE-2017-14919)

Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Node.js users and Open Source Triton users of a vulnerability reported by Node. Description Node has made Joyent aware of the following high-severity DOS vulnerability: CVE-2017-14919 The following Node.js versions are vulnerable to this issue, which can be used by an external attacker to cause a denial of service: Versions 4.8.2 and later Versions 6.

TPS-2017-004 Node Vulnerabilities "c-ares NAPTR parser..." (CVE-2017-1000381) & "Constant Hashable Seeds" (CVE-2017-11499)

Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Triton On-Premises Object Storage (Manta) operators and Open Source Triton users of two vulnerabilities reported by Node. Description Joyent has been made aware of the following Node vulnerabilities: “Constant Hashtable Seeds” (CVE-2017-11499) - high severity “- c-ares NAPTR parser out of bounds access” (CVE-2017-1000381) - low severity Of the two, only the high-severity “Constant Hashable Seeds” vulnerability has been determined to have any potential effect on Joyent’s infrastructure/services.

TPS-2017-003 ZDI-CAN-3853 (Docker File Overwrite) Vulnerability

Overview This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of a high-severity arbitrary Docker file overwrite vulnerability that could be introduced using Docker file copy and Docker build. Description The following security vulnerability has been identified by Ben with Zero Day Initiative (ZDI): ZDI-CAN-3853 Through ZDI, we have previously been made aware of this issue. Here is a brief description of the issue and the resolution:

TPS-2017-002 High-Severity "Dirty Cow" Vulnerability (CVE-2016-5195)

Overview This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity “Dirty Cow” vulnerability first announced here (and on other sites) in November 2016. Description This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping. The only affected Joyent images are KVM images, so those have been updated accordingly.

TPS-2017-001 /proc Filesystem Permission Vulnerability

Overview This notice is to advise the user groups identified below of a recently-discovered, /proc filesystem permission vulnerability. The issue was reported directly to Joyent Engineering by a security researcher. Description This high-severity vulnerability exists in the core SmartOS platform. The exploit allows non-root users to create objects in the /proc directory within the zone. The validations for filesystem permissions have been hardened to prevent such unauthorized actions. The following user groups are affected Joyent customers using on-premises Triton software All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud) Users of Open Source Triton Actions Taken by Joyent Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities.