TPS-2016-008 OpenSSL CVE-2016-2108, CVE-2016-2107, Other Vulnerabilities

How To Update Your Services

Triton Cloud (public cloud) users and Triton Enterprise (on-premises, private cloud) software users

Update to the fixed release of the affected versions, as shown in the table below:

CVE                               Version(s) Affected   Fixed Release(s)   Where Available
CVE-2016-2108                     OpenSSL 1.0.1         OpenSSL 1.0.1o     2014Q2, 2014Q4
                                  OpenSSL 1.0.2         OpenSSL 1.0.2c     2015Q2
CVE-2016-2107, CVE-2016-2105,     OpenSSL 1.0.1         OpenSSL 1.0.1o     2014Q4
CVE-2016-2106, CVE-2016-2109,     OpenSSL 1.0.2         OpenSSL 1.0.2h     2015Q4, 2016Q1
CVE-2016-2176

You can determine whether OpenSSL is installed (as well as the version you have installed) by running:

pkgin ls | grep -i openssl

Customers can re-install OpenSSL with the following commands:

pkgin -y up && pkgin -y in openssl

Or, install the version needed (if only available in a different repository), by running:

pkg_add pkgsrc_path_to_package

For example, if you need to install OpenSSL version 1.0.2h from the 2016Q1 repository, but you are running on an image that is using a different repository, you can install the 1.0.2h version by running the following (with the caveat that we strongly suggest you first try this on a non-production machine, to ensure you do not run into any dependency issues):

pkg_add -U http://pkgsrc.joyent.com/packages/SmartOS/2016Q1/x86_64/All/openssl-1.0.2h.tgz

Note: If your current version is 1.0.1, you can only upgrade to 1.0.1t from the 2014Q4 repository, as follows; you cannot upgrade to 1.0.2h.

pkg_add -U http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/openssl-1.0.1t.tgz
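To check the result of the steps above on many hosts, it helps to turn the `pkgin ls | grep -i openssl` check into a script. The following is an added example, not part of the Joyent notice: it parses `pkgin ls` output and reports whether the installed pkgsrc OpenSSL is at or above the fixed release for its branch. The minimum versions it assumes are the ones in the pkg_add commands above (1.0.1t for the 1.0.1 branch, 1.0.2h for the 1.0.2 branch), and the sample `pkgin ls` lines are constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example: is the installed pkgsrc OpenSSL at/above the fixed release for its branch?
# Assumed minimum fixed versions (from the notice's pkg_add commands): 1.0.1t and 1.0.2h.

# Constructed sample of `pkgin ls | grep -i openssl` output (not from a real host).
SAMPLE_PKGIN_LS='openssl-1.0.1p       Secure Socket Layer and cryptographic library
py27-OpenSSL-0.15.1  Python interface to the OpenSSL library'

# min_fixed VERSION: print the fixed release for VERSION's branch, or "" if unknown.
min_fixed() {
  case "$1" in
    1.0.1*) echo 1.0.1t ;;
    1.0.2*) echo 1.0.2h ;;
    *)      echo "" ;;
  esac
}

# version_ge A B: succeed if OpenSSL-style version A (e.g. 1.0.2h) is >= B.
# Compares the numeric triple first, then the patch letter (no letter sorts lowest).
version_ge() {
  a_num=${1%%[a-z]*}; a_let=${1#"$a_num"}
  b_num=${2%%[a-z]*}; b_let=${2#"$b_num"}
  old_ifs=$IFS; IFS=.
  set -- $a_num 0 0 0; a1=$1; a2=$2; a3=$3
  set -- $b_num 0 0 0; b1=$1; b2=$2; b3=$3
  IFS=$old_ifs
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
    set -- $pair
    [ "$1" -gt "$2" ] && return 0
    [ "$1" -lt "$2" ] && return 1
  done
  [ "$(printf '%s\n' "$a_let" "$b_let" | sort | tail -n 1)" = "$a_let" ]
}

# openssl_status PKGIN_OUTPUT: verdict for the first openssl-<version> package line.
openssl_status() {
  pkg=$(printf '%s\n' "$1" | awk '$1 ~ /^openssl-[0-9]/ { print $1; exit }')
  [ -n "$pkg" ] || { echo "NOT-INSTALLED"; return 0; }
  ver=${pkg#openssl-}
  ver=${ver%nb*}          # drop pkgsrc's nbN package-revision suffix, e.g. 1.0.1tnb2
  fixed=$(min_fixed "$ver")
  if [ -z "$fixed" ]; then
    echo "UNKNOWN: $pkg is not on the 1.0.1 or 1.0.2 branch"
  elif version_ge "$ver" "$fixed"; then
    echo "FIXED: $pkg is at or above $fixed"
  else
    echo "VULNERABLE: $pkg is below $fixed"
  fi
}

openssl_status "$SAMPLE_PKGIN_LS"   # prints "VULNERABLE: openssl-1.0.1p is below 1.0.1t"
```

On a real host, replace the sample with `openssl_status "$(pkgin ls)"`.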

Triton Enterprise (formerly SDC 7) software users

The following Triton components have been fixed and are now available from the support channel:

  • sdcadm (upgrade to most recently published 1.11.1 version)
  • adminui (upgrade to release-20160512-20160512T165733Z-g63d9d37)
  • docker (upgrade to release-20160512-20160512T164735Z-gabdb1f1)
  • imgapi (upgrade to release-20160512-20160512T164432Z-g318b58e)
  • gz-tools (upgrade to most recently published 3.0.0 version)
  • Users should also update their boot platform to release-20160428-20160504T174400Z, or newer

For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing support@joyent.com.

Manta, CloudAPI and Portal

Please be assured that any Joyent components identified as being affected will be updated.

Linux Users

Please check the notices applicable to the Linux distro that you are using:

  • Debian: CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 and CVE-2016-2176
  • Centos/Red Hat/Fedora: CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 and CVE-2016-2176
  • Ubuntu: CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109 and CVE-2016-2176

Node.js users

As described in the 6-May-2016 Node.js update found here, the following releases have been made available to include the OpenSSL security updates:

  • Node v6.1.0 (Current)
  • Node v5.11.1
  • Node v4.4.4 (LTS)
  • Node v0.12.14 (Maintenance)
  • Node v0.10.45 (Maintenance)

Please upgrade your Node.js installation as soon as possible.

Open source Triton users

Update boot platform image to: release-20160428-20160504T174400Z

Update adminui, docker, and imgapi to the 20160512* releases.

Direct any further questions to: The SmartOS Community Mailing Lists and IRC


Original Notice

This notice is to provide preliminary advice to all Triton Cloud (public cloud) customers and all Triton Enterprise (formerly SDC 7) software customers of the recently-identified, high-severity OpenSSL security vulnerabilities CVE-2016-2108 and CVE-2016-2107, as well as four low-severity CVEs. Further information regarding these vulnerabilities is available here.

As soon as we can, we will update this notice to confirm the actions taken by Joyent, and to provide specific details of any required actions – such as pkgsrc and software updates – that will need to be taken by both Triton Cloud and Triton Enterprise software customers.

Node users are advised to watch for updates here; any new Node.js releases impacting software will be included in the above-mentioned Joyent pkgsrc and software updates.

Please do not hesitate to contact our Support team (by raising a ticket at the Customer Support portal or by email to support@joyent.com) if any questions or concerns come up.