TPS-2018-001 ZDI-CAN-4983 and ZDI-CAN-4984

Overview

This notice is to advise Joyent’s Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of two security vulnerabilities.

Description

The following security vulnerabilities were reported by Ben, working with the Zero Day Initiative (ZDI): ZDI-CAN-4983 and ZDI-CAN-4984. Joyent was made aware of both vulnerabilities through ZDI before this notice was published. A brief description of the issue and its resolution follows:

  • Issue: A local process can panic the system (a denial of service) by issuing commands to the smb subsystem.
  • Resolution: This issue was addressed with better handling of those commands in the smb driver.

Please proceed based on the following advice:

  • These vulnerabilities have already been fixed throughout the Triton Cloud (public cloud). No further action is required of public cloud users.
  • On-premises Triton (SDC7) software customers can fix all of these issues by following the instructions in the Actions You Need to Take section below.
  • Open Source Triton users can also fix all of these issues by following the instructions in the Actions You Need to Take section below.
  • ZDI's advisories for these vulnerabilities will be published on the Zero Day Initiative's "Upcoming Advisories" page.

Actions Taken by Joyent

As noted above, the fix for these vulnerabilities has already been applied across the entire Triton Cloud (public cloud). No further action is required of public cloud users.

Actions You Need to Take

Triton On-Premises Software Users

You are advised to apply this fix by updating your current Platform Image (PI) to the next available release (release-20170831-20170831T155809Z or later), using the following command on the support channel:

sdcadm platform install --latest

Installing the image only makes it available on the head node; a node runs the fixed kernel once the new PI has been assigned to it (sdcadm platform assign) and it has been rebooted onto that PI. Verify the running version on each node afterwards (for example with uname -v) rather than trusting that the install step alone closed the issue.
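The following script, added here as an example and not part of the Joyent advisory or the sdcadm tool, checks whether a node's running platform image is at or after the first fixed release (20170831T155809Z). It assumes, as SmartOS does, that uname -v reports the PI as "joyent_YYYYMMDDTHHMMSSZ"; the sample uname strings in it are constructed, not captured from real nodes.

```shell
#!/bin/sh
# Added example (not from the advisory): is this node's platform image fixed?
# Assumption: on SmartOS/Triton, `uname -v` prints "joyent_<PI timestamp>",
# e.g. joyent_20170831T155809Z. Timestamps are compared as 14-digit numbers.

# First platform image that carries the fix named in the advisory.
FIXED_PI="20170831T155809Z"

# Print the PI timestamp embedded in a `uname -v` string; fail on anything else.
pi_from_uname() {
  case "$1" in
    joyent_[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z)
      printf '%s\n' "${1#joyent_}" ;;
    *) return 1 ;;
  esac
}

# Reduce "20170831T155809Z" to 20170831155809 so it can be compared with -ge.
pi_num() {
  printf '%s' "$1" | tr -d 'TZ'
}

# Exit 0 if the PI timestamp $1 is at or after FIXED_PI, 1 if it is older.
pi_is_fixed() {
  [ "$(pi_num "$1")" -ge "$(pi_num "$FIXED_PI")" ]
}

# Exit 0 for a fixed PI, 1 for a vulnerable one, 2 if the input is unrecognised.
check_pi() {
  pi=$(pi_from_uname "$1") || {
    echo "unrecognised uname -v output: $1" >&2
    return 2
  }
  if pi_is_fixed "$pi"; then
    echo "platform $pi: fixed (>= $FIXED_PI)"
  else
    echo "platform $pi: VULNERABLE, update to $FIXED_PI or later"
    return 1
  fi
}

# Constructed sample outputs (not from real systems):
check_pi "joyent_20170707T000000Z" || true   # older than the fix
check_pi "joyent_20170831T155809Z"           # exactly the fixed release
check_pi "joyent_20171012T011528Z"           # later release
# On a live node: check_pi "$(uname -v)"
```

Run it on every head node and compute node, not just the head node where sdcadm was invoked, since a node still booted on an older PI remains exposed until it is rebooted.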

Open Source Triton Users

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

If you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.