Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

OpenVZ Security Update
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

OpenVZ Security Update

tragictragic Member
in General

Just got this email, update your kernel.

OpenVZ
Security Update Issued
An update for OpenVZ was just released to address a serious security vulnerability when using SimFS and it is recommended that you update as soon as possible.

Link:

https://openvz.org/Download/kernel/rhel6/042stab090.5

«13

Comments

  • dedicadosdedicados Member
    edited June 2014

    updated:

    SimFS (VZ / OpenVZ)
    Urgent Action Required
    Looks like there is already a public exploit for the SimFS (VZ / OpenVZ) vulnerabilities that were disclosed today. The exploit will allow a malicious user to obtain any file from another container, making this a very serious vulnerability. Update should be applied as soon as possible.

    Ongoing Discussion(s) via WHT:

    http://www.webhostingtalk.com/showthread.php?t=1387714
    http://www.webhostingtalk.com/showthread.php?t=1387707

    Relevant Links / Updates:

    https://openvz.org/Download/kernel/rhel6/042stab090.5
    http://kb.parallels.com/en/122142

    im posting here, if someone dont receive this email.

  • zionvpszionvps Member

    oh boy, we got more exploits and dumps coming

  • ndelaespadandelaespada Member, Host Rep

    that really is tragic

  • tragictragic Member

    @ndelaespada said:
    that really is tragic

    If I had a dollar for every time I've heard that pun, lol.

    Thanked by 2black Mark_R
  • dedicadosdedicados Member

    SimFS (VZ / OpenVZ)
    Urgent Action Required
    Looks like there is already a public exploit for the SimFS (VZ / OpenVZ) vulnerabilities that were disclosed today. The exploit will allow a malicious user to obtain any file from another container, making this a very serious vulnerability. Update should be applied as soon as possible.

    Ongoing Discussion(s) via WHT:

    http://www.webhostingtalk.com/showthread.php?t=1387714
    http://www.webhostingtalk.com/showthread.php?t=1387707

    Relevant Links / Updates:

    https://openvz.org/Download/kernel/rhel6/042stab090.5
    http://kb.parallels.com/en/122142

  • PwnerPwner Member

    Someone already posted before you got here:
    http://lowendtalk.com/discussion/29877/openvz-security-update#latest

    @Spirit @mpkossen @Nekki

    Can one of you please merge the threads? I think it will help with preventing repeat posts on two similar threads.

  • linuxthefishlinuxthefish Member

    Does it effect hosts using ploop for containers?

  • blackblack Member
    edited June 2014

    So everyone should be on 090.5, as every other ovz kernel version is exploitable, right?

    Thanked by 1linuxthefish
  • johnjohn Member
    edited June 2014

    black said: So everyone should be on 090.5, as every other ovz kernel version is exploitable, right?

    Unless they run vzfs or ploop, which are not affected.

    Thanked by 1linuxthefish
  • eric1212eric1212 Member

    linuxthefish said: Does it effect hosts using ploop for containers?

    No, not really.. but you can still update eh?

  • OliverOliver Member, Host Rep
    edited June 2014

    I rebooted one node and it came back up OK. I rebooted two others and the containers have restarted fine but SSHD isn't running anymore on the nodes. :-(

  • MagiobiwanMagiobiwan Member

    @Oliver said:
    I rebooted one node and it came back up OK. I rebooted two others and the containers have restarted fine but SSHD isn't running anymore on the nodes. :-(

    And this is what Out-Of-Band Management/Console Access is for!

  • OliverOliver Member, Host Rep

    Yeah, but of course when you need it you find that the iLO has crashed which appears to be the case here. :p

  • geekalotgeekalot Member

    You know things are serious when Prometeus does an emergency reboot!


    I probably had at least 200+ days uptime on an almost forgotten VPS ("forgotten" since it gives zero problems and just works).


    Cheers

    Thanked by 4netomx marrco fisle Maounique
  • MagiobiwanMagiobiwan Member

    I, for one, am getting tired of all these critical vulnerabilities that are being reported. Updating ~100 nodes (even with a script to do it) gets boring fast. KernelCare is starting to look mighty good to me right now.

    Thanked by 1AnthonySmith
  • tr1ckytr1cky Member

    How do I update my proxmox stuff?

  • johnjohn Member
    edited June 2014

    Magiobiwan said: KernelCare

    They have not released a patch yet. Considering how serious this vulnerability is, it's not wise to wait for KernelCare/KSplice/etc.

  • soulchiefsoulchief Member

    @Magiobiwan said:
    I, for one, am getting tired of all these critical vulnerabilities that are being reported. Updating ~100 nodes (even with a script to do it) gets boring fast. KernelCare is starting to look mighty good to me right now.

    Wouldn't you prefer critical vulnerabilities to be reported, rather then sold to hackers?

  • support123support123 Member

    just replied

    "The update should be ready within 3-6 hours (patches are done compiling, testing has started). If testing fails -- it might take another 12 hours for us to finish.

    Regards,
    Igor Seletskiy
    CEO @ Cloud Linux Inc

    "

  • rskrsk Member, Patron Provider

    Magiobiwan said: KernelCare is starting to look mighty good to me right now.

    That would be a good solution if they actually do release patches quickly. Otherwise, your servers are like sitting ducks waiting to be "hacked" :-)

  • MagiobiwanMagiobiwan Member

    @soulchief said:
    Wouldn't you prefer critical vulnerabilities to be reported, rather then sold to hackers?

    In a perfect world, there wouldn't be any vulnerabilities. But yes, it is better that they're reported and fixed rather than being in the wild, unpatched. As it is, I'm currently working out a few minor bugs with the update on several nodes. THIS is why you test things SMALL first, rather than deploying the patches to EVERYTHING at once.

  • rskrsk Member, Patron Provider

    Oliver said: I rebooted one node and it came back up OK. I rebooted two others and the containers have restarted fine but SSHD isn't running anymore on the nodes. :-(

    I've put a line in /etc/rc.local to restart sshd just in case ...

  • AnthonySmithAnthonySmith Member, Patron Provider

    @Magiobiwan said:
    In a perfect world, there wouldn't be any vulnerabilities. But yes, it is better that they're reported and fixed rather than being in the wild, unpatched. As it is, I'm currently working out a few minor bugs with the update on several nodes. THIS is why you test things SMALL first, rather than deploying the patches to EVERYTHING at once.

    Yeah this is causing some real issues, one of my nodes is in a panic loop and it is not like I can revert to the older kernel.... SIGH!!!!

  • PatrickPatrick Member
    edited June 2014

    Well this ruined my day :(

  • AnthonySmithAnthonySmith Member, Patron Provider

    by day too

  • PatrickPatrick Member

    @AnthonySmith said:
    by day too

    my*!

  • OliverOliver Member, Host Rep

    Ruined mine also...

  • Nick_ANick_A Member, Top Host, Host Rep

    Yeah I was big on kernelcare until today. 3-6 hours (after the 2 hours we waited in between initial contact) with a known exploit in the wild renders kcare useless.

  • blackblack Member

    @Nick_A said:
    Yeah I was big on kernelcare until today. 3-6 hours (after the 2 hours we waited in between initial contact) with a known exploit in the wild renders kcare useless.

    Pretty much. As much as I like to see >100 days of uptime on my server, it's not worth getting my files stolen.

  • perennateperennate Member, Host Rep

    Damn, I should really configure init.d scripts x.x

    Thanked by 1darkshire
Sign In or Register to comment.