TPS-2016-011 Arbitrary Kernel-Mode Code Execution Vulnerabilities
This notice is to advise the user groups identified below of recently-discovered, arbitrary kernel-mode code execution vulnerabilities. These issues were reported directly to Joyent Engineering by an individual user.
These high-severity vulnerabilities exist in the core SmartOS platform, and have been present since (at least) OpenSolaris times.
Attackers can potentially exploit certain system calls to obtain root privileges. Input validations for the system calls involved have been hardened to prevent such malicious attempts.
The following user groups are affected:
- Joyent customers using on-premises Triton software
- All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud)
- Users of Open Source Triton
Actions Taken by Joyent
Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities. This PI has been applied across the Triton Cloud (public cloud).
Actions You Need to Take
Triton Software and SmartOS Users
You are advised to apply this fix by updating your current Platform Image (PI) to the next available release (20161013-20161027T223237Z or later) using the following command on the support channel:
sdcadm platform install --latest
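To confirm which hosts already run a fixed platform image, the following check compares platform stamps against the release named above; it is an added example, not part of Joyent's advisory or tooling. It assumes the second field of the release string is the build timestamp and that hosts report it as `joyent_<timestamp>` (the form `uname -v` prints on SmartOS); the function names and the inventory are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: audit platform image stamps against the fixed PI in TPS-2016-011.
# Assumption: in "20161013-20161027T223237Z" the second field is the build timestamp.
MIN_FIXED_STAMP="20161027T223237Z"

# Reduce a stamp to a 14-digit number. Accepted forms (assumed):
#   joyent_20161027T223237Z, 20161013-20161027T223237Z, 20161027T223237Z
pi_stamp_to_num() {
    s=${1#joyent_}   # drop the uname -v style prefix, if present
    s=${s##*-}       # drop the release-branch prefix, if present
    printf '%s\n' "$s" | grep -Eq '^[0-9]{8}T[0-9]{6}Z$' || return 1
    s=${s%Z}
    printf '%s%s\n' "${s%T*}" "${s#*T}"
}

# Returns 0 = at or after the fixed PI, 1 = older, 2 = stamp not understood.
pi_is_fixed() {
    have=$(pi_stamp_to_num "$1") || return 2
    want=$(pi_stamp_to_num "$MIN_FIXED_STAMP") || return 2
    [ "$have" -ge "$want" ]
}

# Reads "host stamp" lines on stdin and reports every host that is not
# provably on a fixed PI. Unparseable stamps are reported, never assumed safe.
pi_audit() {
    while read -r host stamp; do
        [ -n "$host" ] || continue
        rc=0
        pi_is_fixed "$stamp" || rc=$?
        case $rc in
            0) ;;
            1) printf '%s needs-update %s\n' "$host" "$stamp" ;;
            *) printf '%s unknown %s\n' "$host" "$stamp" ;;
        esac
    done
}

# Constructed inventory (hostnames and the older stamp are made up).
pi_audit <<'EOF'
cn01 joyent_20160929T031823Z
cn02 joyent_20161027T223237Z
cn03 20161013-20161027T223237Z
cn04 stamp-missing
EOF
```

On a single SmartOS host, `pi_is_fixed "$(uname -v)"` gives the same answer for the running platform.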
Triton Public Cloud Users
All necessary fixes have been applied to the Triton public cloud. No user action is required.
Open Source Triton Users
- Upgrade to this Triton Platform Image (PI) release:
- Direct any further questions to: The SmartOS Community Mailing Lists and IRC
If you are a Joyent customer and have any further questions or concerns after reading the information and instructions above, please contact Joyent Support.