<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>triton on Triton Product Security</title>
    <link>/tags/triton/</link>
    <description>Recent content in triton on Triton Product Security</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 13 Mar 2025 14:37:00 -0400</lastBuildDate><atom:link href="/tags/triton/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>TPS-2025-002 Debian 12 LX image from 2024-07-26 has static SSH host keys</title>
      <link>/tps-2025-002/</link>
      <pubDate>Thu, 13 Mar 2025 14:37:00 -0400</pubDate>
      
      <guid>/tps-2025-002/</guid>
      <description>Overview Per today&amp;rsquo;s email to SmartOS and Triton discussion lists, we are taking down image 60f76fd2-143f-4f57-819b-1ae32684e81b from our image repository today. That image has pre-generated SSH host keys. Unless an LX zone had regenerated these keys, they are shared across all LX zones running that image.
Actions Taken by Us Prior to the aforementioned discovery, we had updated the Debian 12 LX image to 28f872d5-8227-4f7d-b8f6-30bd5db1f1ac (dated 2025-01-20). We have removed image 60f76fd2-143f-4f57-819b-1ae32684e81b (dated 2024-07-06) completely.</description>
    </item>
    
    <item>
      <title>TPS-2022-002 MNX Migration</title>
      <link>/tps-2022-002/</link>
      <pubDate>Sun, 01 May 2022 00:00:00 +0000</pubDate>
      
      <guid>/tps-2022-002/</guid>
      <description>Overview Now that MNX has acquired the Triton family of products, this security website has migrated to https://security.tritondatacenter.com. We are also now using a new issue key TPS instead of JSA. All existing JSA URLs will redirect to the new TPS.
Actions You Need to Take There are no specific actions you need to take.
Support If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.</description>
    </item>
    
    <item>
      <title>TPS-2022-001 tmpfs induced panic</title>
      <link>/tps-2022-001/</link>
      <pubDate>Tue, 18 Jan 2022 00:00:00 +0000</pubDate>
      
      <guid>/tps-2022-001/</guid>
      <description>Overview An unprivileged user, including users in a zone, with access to a tmpfs can induce a system panic resulting in the system rebooting.
Actions taken by Joyent A new platform image is available in the release channel (20220118T183559Z), and updated SmartOS boot images are available in Manta.
Actions You Need to Take Triton Operators This platform should be installed and assigned to all SmartOS compute nodes. You can use the following commands to prepare the new platform image.</description>
    </item>
    
    <item>
      <title>TPS-2021-003 Triton and Manta not vulnerable to CVE-2021-44228, CVE-2021-4104 (log4j)</title>
      <link>/tps-2021-003/</link>
      <pubDate>Wed, 15 Dec 2021 00:00:00 +0000</pubDate>
      
      <guid>/tps-2021-003/</guid>
      <description>Overview As has been widely reported, log4j (a Java logging library) is vulnerable to remote code execution. See https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228.
Triton and Manta use zookeeper for state management of Manatee, and for service component registration in the binder or nameservice component. While our version of zookeeper does include log4j, we use version 1.2.15 which is not vulnerable to CVE-2021-44228 according to the Apache advisory. Additionally, CVE-2021-4104 covers usage of log4j when using JMSAppender.</description>
    </item>
    
    <item>
      <title>TPS-2021-002 http-signature</title>
      <link>/tps-2021-002/</link>
      <pubDate>Thu, 18 Nov 2021 00:00:00 +0000</pubDate>
      
      <guid>/tps-2021-002/</guid>
      <description>Overview This notice is to advise Joyent customers and open source users of Triton and Manta about a prototype pollution vulnerability in json-schema, a 3rd-party dependency of http-signature. Http-signature is the authentication component of CloudAPI and Manta.
It is not known whether http-signature is exploitable, but it has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature.
Description Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.</description>
    </item>
    
    <item>
      <title>TPS-2021-001 CVE-2021-40346 - HA Proxy</title>
      <link>/tps-2021-001/</link>
      <pubDate>Mon, 13 Sep 2021 00:00:00 +0000</pubDate>
      
      <guid>/tps-2021-001/</guid>
      <description>Overview This notice is to advise Joyent customers and open source users of Triton and Manta about CVE-2021-40346, a potential security vulnerability where an attacker may bypass http-request HAProxy ACLs.
Description Further details surrounding this vulnerability (including a list of applications/services that may be vulnerable) can be found in this alert from CVE.
Actions taken by Joyent The fix has been made available for upstream inclusion and has been deployed into our production environment.</description>
    </item>
    
    <item>
      <title>TPS-2017-005 Node.js DOS Vulnerability (CVE-2017-14919)</title>
      <link>/tps-2017-005/</link>
      <pubDate>Thu, 26 Oct 2017 00:00:00 +0000</pubDate>
      
      <guid>/tps-2017-005/</guid>
      <description>Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Node.js users and Open Source Triton users of a vulnerability reported by Node.
Description Node has made Joyent aware of the following high-severity DOS vulnerability: CVE-2017-14919
The following Node.js versions are vulnerable to this issue, which can be used by an external attacker to cause a denial of service:
Versions 4.8.2 and later
Versions 6.10.2 and later
All versions of 8.</description>
    </item>
    
    <item>
      <title>TPS-2017-004 Node Vulnerabilities &#34;c-ares NAPTR parser...&#34; (CVE-2017-1000381) &amp; &#34;Constant Hashable Seeds&#34; (CVE-2017-11499)</title>
      <link>/tps-2017-004/</link>
      <pubDate>Tue, 25 Jul 2017 00:00:00 +0000</pubDate>
      
      <guid>/tps-2017-004/</guid>
      <description>Overview This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Triton On-Premises Object Storage (Manta) operators and Open Source Triton users of two vulnerabilities reported by Node.
Description Joyent has been made aware of the following Node vulnerabilities:
&amp;ldquo;Constant Hashtable Seeds&amp;rdquo; (CVE-2017-11499) - high severity
&amp;ldquo;c-ares NAPTR parser out of bounds access&amp;rdquo; (CVE-2017-1000381) - low severity
Of the two, only the high-severity &amp;ldquo;Constant Hashtable Seeds&amp;rdquo; vulnerability has been determined to have any potential effect on Joyent&amp;rsquo;s infrastructure/services.</description>
    </item>
    
    <item>
      <title>TPS-2017-003 ZDI-CAN-3853 (Docker File Overwrite) Vulnerability</title>
      <link>/tps-2017-003/</link>
      <pubDate>Fri, 30 Jun 2017 00:00:00 +0000</pubDate>
      
      <guid>/tps-2017-003/</guid>
      <description>Overview This notice is to advise Joyent&amp;rsquo;s Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of a high-severity arbitrary Docker file overwrite vulnerability that could be introduced using Docker file copy and Docker build.
Description The following security vulnerability has been identified by Ben with Zero Day Initiative (ZDI): ZDI-CAN-3853
Through ZDI, we have previously been made aware of this issue. Here is a brief description of the issue and the resolution:</description>
    </item>
    
    <item>
      <title>TPS-2017-002 High-Severity &#34;Dirty Cow&#34; Vulnerability (CVE-2016-5195)</title>
      <link>/tps-2017-002/</link>
      <pubDate>Thu, 05 Jan 2017 02:37:19 +0000</pubDate>
      
      <guid>/tps-2017-002/</guid>
      <description>Overview This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity &amp;ldquo;Dirty Cow&amp;rdquo; vulnerability first announced here (and on other sites) in November 2016.
Description This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping.
The only affected Joyent images are KVM images, so those have been updated accordingly.</description>
    </item>
    
    <item>
      <title>TPS-2017-001 /proc Filesystem Permission Vulnerability</title>
      <link>/tps-2017-001/</link>
      <pubDate>Thu, 05 Jan 2017 02:37:18 +0000</pubDate>
      
      <guid>/tps-2017-001/</guid>
      <description>Overview This notice is to advise the user groups identified below of a recently discovered /proc filesystem permission vulnerability. The issue was reported directly to Joyent Engineering by a security researcher.
Description This high-severity vulnerability exists in the core SmartOS platform. The exploit allows non-root users to create objects in the /proc directory within the zone. The validations for filesystem permissions have been hardened to prevent such unauthorized actions.
The following user groups are affected:
Joyent customers using on-premises Triton software
All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud)
Users of Open Source Triton
Actions Taken by Joyent Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities.</description>
    </item>
    
    <item>
      <title>TPS-2016-012 Four SmartOS IOCTL Vulnerabilities (Eight CVEs)</title>
      <link>/tps-2016-012/</link>
      <pubDate>Tue, 13 Dec 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-012/</guid>
      <description>Overview This notice is to advise Joyent&amp;rsquo;s Triton Cloud (public cloud) customers, Triton Enterprise software customers and Open Source Triton users of four SmartOS/file system vulnerabilities reported by Cisco Talos.
Description On 13-December-2016, Cisco Talos reported three privilege escalation vulnerabilities that result from exploits on the ioctl() function. Based on our investigation, the exploits are actually not possible as either a regular user or as root from within a zone.</description>
    </item>
    
    <item>
      <title>TPS-2016-011 Arbitrary Kernel-Mode Code Execution Vulnerabilities</title>
      <link>/tps-2016-011/</link>
      <pubDate>Thu, 27 Oct 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-011/</guid>
      <description>Overview This notice is to advise the user groups identified below of recently discovered arbitrary kernel-mode code execution vulnerabilities. These issues were reported directly to Joyent Engineering by an individual user.
Description These high-severity vulnerabilities exist in the core SmartOS platform, and have been present since (at least) OpenSolaris times.
Attackers can potentially exploit certain system calls to obtain root privileges. Input validations for the system calls involved have been hardened to prevent such malicious attempts.</description>
    </item>
    
    <item>
      <title>TPS-2016-010 OpenSSL High-Severity CVE-2016-6304 / Node.js CVE-2016-7099 and Other Vulnerabilities</title>
      <link>/tps-2016-010/</link>
      <pubDate>Mon, 10 Oct 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-010/</guid>
      <description>How To Update Your Services SmartOS Users New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following latest package releases address the vulnerabilities outlined in this post&amp;rsquo;s &amp;ldquo;Original Notice&amp;rdquo; section:
nodejs-6.7.0.tgz (2016Q3)
nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3)
nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3)
nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3)
openssl-1.0.2j.tgz (2015Q4, 2016Q3)
openssl-1.0.2i.tgz (2015Q4)
openssl-1.0.1u.tgz (2014Q4)
If you are running on an older SmartOS image that is using a deprecated pkgsrc repository, you may still try installing the correct fixed package by using the following command (NOTE: please test for any potential incompatibilities on a non-production machine prior to trying this):</description>
    </item>
    
    <item>
      <title>TPS-2016-009 Node.js Vulnerabilities CVE-2016-1669 and CVE-2014-9748</title>
      <link>/tps-2016-009/</link>
      <pubDate>Sun, 15 May 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-009/</guid>
      <description>How To Update Your Services SmartOS Users New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:
nodejs-5.12.0.tgz
nodejs-4.4.7.tgz
nodejs-0.12.15.tgz
nodejs-0.10.46.tgz
If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):</description>
    </item>
    
    <item>
      <title>TPS-2016-008 OpenSSL CVE-2016-2108, CVE-2016-2107, Other Vulnerabilities</title>
      <link>/tps-2016-008/</link>
      <pubDate>Tue, 03 May 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-008/</guid>
      <description>How To Update Your Services Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users Update to the fixed release of the affected versions, as shown in the table below:
CVE | Version(s) Affected | Fixed Release(s) | Where Available
CVE-2016-2108 | OpenSSL 1.0.1, OpenSSL 1.0.2 | OpenSSL 1.0.1o, OpenSSL 1.0.2c | 2014Q2, 2014Q4 2015Q2
CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 | OpenSSL 1.0.1 OpenSSL 1.0.2 | OpenSSL 1.0.1o OpenSSL 1.0.2h | 2014Q4 2015Q4, 2016Q1
You can determine whether OpenSSL is installed (as well as the version you have installed) by running:</description>
    </item>
    
    <item>
      <title>TPS-2016-007 Docker, DTrace and MAC Protection Vulnerabilities</title>
      <link>/tps-2016-007/</link>
      <pubDate>Sun, 01 May 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-007/</guid>
      <description>Overview Introduction This notice is to ensure that all Triton Cloud customers, all on-premises operators of Triton Enterprise (formerly SmartDataCenter or SDC) and all open source Triton users are aware of vulnerabilities reported to us by research contributors at Trend Micro&amp;rsquo;s Zero Day Initiative, and some discovered by our own Engineering team:
All necessary fixes have been applied to Triton Cloud (formerly Joyent Public Cloud or JPC). No action is required by Triton Cloud customers.</description>
    </item>
    
    <item>
      <title>TPS-2016-003 ZDI-CAN-3263, ZDI-CAN-3284 and ZDI-CAN-3364 Vulnerabilities</title>
      <link>/tps-2016-003/</link>
      <pubDate>Sun, 14 Feb 2016 00:00:00 +0000</pubDate>
      
      <guid>/tps-2016-003/</guid>
      <description>Overview Please read this first
Through HP&amp;rsquo;s Zero Day Initiative, we have previously been made aware of the three security issues described in this Overview:
These vulnerabilities have already been fixed throughout the Joyent Public Cloud. On-premises Triton (SDC7) software customers can mitigate all of these issues by following the (previously-provided) instructions referenced in the Recommendations/Fixes section below. These three vulnerabilities will be announced on Tuesday, 16-February-2016 at Zero Day&amp;rsquo;s &amp;ldquo;Upcoming Advisories&amp;rdquo;.</description>
    </item>
    
  </channel>
</rss>
