TPS-2017-002 High-Severity "Dirty Cow" Vulnerability (CVE-2016-5195)

Overview

This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity “Dirty Cow” vulnerability first announced here (and on other sites) in November 2016.

Description

This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping.

The only affected Joyent images are KVM images, so those have been updated accordingly. As before, please be assured that Joyent’s HTTPS endpoints for Manta, CloudAPI and the customer portal are not vulnerable.

The following user groups are affected (and can mitigate this vulnerability by following instructions further below):

  • Joyent customers using on-premises Triton software
  • All users of KVM (CentOS, Debian and Ubuntu) images, including Triton public cloud customers
  • Users of Open Source Triton

Actions Taken by Joyent

Joyent created a new Platform Image (PI) containing the fix for this vulnerability. This PI has been applied across the Triton Cloud (public cloud), and is available to Triton Enterprise software users.

Joyent also made upgraded images (containing the fix) available, as described below.

Actions You Need to Take

Triton Software Users

You are advised to apply this fix (and other timely fixes) by updating your current Platform Image (PI) to the next available release (20170105-20170105T023718Z or later) using the following command on the support channel:

sdcadm platform install --latest

Triton Public Cloud Users

As noted above, the fix has already been applied across the entire public cloud.

Further CentOS instructions are available via RedHat, and the CentOS 7: 20161028 image is available for upgrade.

Further Ubuntu instructions are available here, and you can learn more about Ubuntu Certified Images available for upgrade here. Debian and Ubuntu users can upgrade images with the following commands:

sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
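After upgrading and rebooting, a practitioner will want to confirm the running kernel actually carries the fix. The following is an added example, not part of the Joyent notice: it checks a kernel version string against the upstream fix release (4.8.3) and, because distributions backport fixes under older version numbers, also scans a package changelog for the CVE id. The changelog text embedded in the block is constructed for the demonstration, not a real vendor changelog.

```shell
#!/bin/sh
# Added example (not Joyent's code): two defensive checks for CVE-2016-5195.
#
# kernel_fixed_upstream VERSION
#   Exit 0 when VERSION is at or above 4.8.3, the first upstream release with
#   the mm/gup.c fix. Vendor kernels backport fixes into older version numbers,
#   so a non-zero result means "check the distro changelog", not "vulnerable".
kernel_fixed_upstream() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')      # "4.4.0-45-generic" -> "4.4.0"
    major=$(printf '%s' "$v" | cut -s -d. -f1)
    minor=$(printf '%s' "$v" | cut -s -d. -f2)
    patch=$(printf '%s' "$v" | cut -s -d. -f3)
    major=${major:-$v}                                # bare "5" has no dots
    minor=${minor:-0}
    patch=${patch:-0}
    [ -n "$major" ] || return 2                       # unparseable input
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -lt 4 ]; then return 1; fi
    if [ "$minor" -gt 8 ]; then return 0; fi
    if [ "$minor" -lt 8 ]; then return 1; fi
    if [ "$patch" -ge 3 ]; then return 0; fi
    return 1
}

# changelog_mentions_cve
#   Reads a package changelog on stdin; exit 0 if it references CVE-2016-5195.
#   Feed it the real changelog on a live host, for example:
#     rpm -q --changelog kernel | changelog_mentions_cve                   # CentOS
#     apt-get changelog "linux-image-$(uname -r)" | changelog_mentions_cve # Debian/Ubuntu
changelog_mentions_cve() {
    grep -q 'CVE-2016-5195'
}

# Constructed sample changelog entry (not from any real vendor package).
SAMPLE_CHANGELOG='* Thu Oct 20 2016 Example Maintainer <maint@example.com> - 3.10.0-327.36.3
- [mm] close COW race in get_user_pages() (CVE-2016-5195)'

# Demonstration on the constructed sample; the version string alone would not
# prove this 3.10 vendor kernel is fixed, but its changelog does.
if ! kernel_fixed_upstream "3.10.0-327.36.3.el7.x86_64" \
   && printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve; then
    echo "kernel predates 4.8.3 upstream, but changelog carries the backported fix"
fi
```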

Open Source Triton Users

Support

If you are a Joyent customer and have any further questions or concerns after reading the information and instructions above, please contact Joyent Support.