TPS-2016-011 Arbitrary Kernel-Mode Code Execution Vulnerabilities

Overview

This notice is to advise the user groups identified below of recently-discovered, arbitrary kernel-mode code execution vulnerabilities. These issues were reported directly to Joyent Engineering by an individual user.

Description

These high-severity vulnerabilities exist in the core SmartOS platform, and have been present since (at least) OpenSolaris times.

Attackers can potentially exploit certain system calls to obtain root privileges. Input validations for the system calls involved have been hardened to prevent such malicious attempts.

The following user groups are affected:

  • Joyent customers using on-premises Triton software
  • All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud)
  • Users of Open Source Triton

Actions Taken by Joyent

Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities. This PI has been applied across the Triton Cloud (public cloud).

Actions You Need to Take

Triton Software and SmartOS Users

You are advised to apply this fix by updating your current Platform Image (PI) to the next available release (20161013-20161027T223237Z or later) using the following command on the support channel:

sdcadm platform install --latest

Triton Public Cloud Users

All necessary fixes have been applied to the Triton public cloud. No user action is required.

Open Source Triton Users

Support

If you are a Joyent customer and have any further questions or concerns after reading the information and instructions above, please contact Joyent Support.