New domU kernels available that fix a Linux kernel security vulnerability


Jsmart
08-27-2009, 05:29 PM
Hi,

Updated domU kernels are now available that resolve a Linux security vulnerability which allows a non-root user to gain administrator (root) access. This vulnerability is in the Linux kernel itself and was first reported on 8/14/2009. For more details regarding this vulnerability please see the following link:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2692

Note that this security issue affects only appliances which allow non-root access (VDS AppLogic applications for example).

Below are the updated kernels for AppLogic 2.1, 2.4 and 2.7 (32-bit and 64-bit). For the kernel binaries below, both rpms and tars are provided. The tars are for AppLogic 2.4/2.7 and are provided for OSes that do not support rpms (untar in the appliance itself under "/"). For the rpms, they are installed in the appliance using the -U option ("rpm -U xen-ukrnl-3.2.2-15.i386.rpm" for example; be sure to install both the kernel and the modules). If upgrading the kernel on a running appliance, the appliance must be restarted for the changes to take effect. The kernel sources are also provided in case they are needed.

AppLogic 2.1.1
domU kernel: http://download2.3tera.net/GridU/xen-ukrnl-3.0.4-16.i386.rpm
domU modules: http://download2.3tera.net/GridU/xen-umods-3.0.4-16.i386.rpm
Kernel sources: http://download2.3tera.net/GridU/xen-3.0.4-16.tar.bz2
(64-bit is not supported for AppLogic 2.1.1)

AppLogic 2.4/2.7 - 32-bit appliances
domU kernel: http://download2.3tera.net/GridU/xen-ukrnl-3.2.2-15.i386.rpm
domU modules: http://download2.3tera.net/GridU/xen-umods-3.2.2-15.i386.rpm
domU kernel/modules for OSes that do not support rpms: http://download2.3tera.net/GridU/domu-2.6.18.8.i386.tar.gz

AppLogic 2.4/2.7 - 64-bit appliances
domU kernel: http://download2.3tera.net/GridU/xen-ukrnl-3.2.2-15.x86_64.rpm
domU modules: http://download2.3tera.net/GridU/xen-umods-3.2.2-15.x86_64.rpm
domU kernel/modules for OSes that do not support rpms: http://download2.3tera.net/GridU/domu-2.6.18.8.x86_64.tar.gz

AppLogic 2.4/2.7 kernel sources: http://download2.3tera.net/GridU/xen-3.2.2-15.tar.bz2

If you have any questions, please contact your provider or 3Tera helpdesk.

Regards,

3tera Support Team
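
The post above requires three things for an rpm-based appliance: the kernel package updated, the modules package updated, and a restart afterwards. The following is an added example (not part of the original post and not 3Tera tooling) that checks all three from inside an appliance. The package names `xen-ukrnl` and `xen-umods` are assumed from the rpm file names, the function names are hypothetical, and the check does not apply to appliances updated from the tar.

```shell
#!/bin/sh
# Added example: verify a domU appliance picked up the fixed kernel build.
# Assumption: rpm package names match the file names in the post
# (xen-ukrnl, xen-umods). Appliances updated from the tar are not covered.

# classify FIXED_VR KRNL_VR KRNL_ITIME MODS_VR MODS_ITIME BOOT_TIME
#   *_VR    "version-release" string, empty if the package is not installed
#   *_ITIME rpm install time, BOOT_TIME system boot time (Unix epoch seconds)
classify() {
    fixed=$1; kvr=$2; kit=$3; mvr=$4; mit=$5; boot=$6
    if [ -z "$kvr" ] || [ -z "$mvr" ]; then
        echo "MISSING_PACKAGE"; return 0
    fi
    # Both packages must be at the fixed build, not just the kernel.
    if [ "$kvr" != "$fixed" ]; then echo "KERNEL_NOT_UPDATED"; return 0; fi
    if [ "$mvr" != "$fixed" ]; then echo "MODULES_NOT_UPDATED"; return 0; fi
    # A package installed after the last boot means the old, vulnerable
    # kernel is still the one running until the appliance is restarted.
    latest=$kit
    if [ "$mit" -gt "$latest" ]; then latest=$mit; fi
    if [ "$latest" -ge "$boot" ]; then echo "RESTART_REQUIRED"; return 0; fi
    echo "OK"
}

# check_appliance FIXED_VR   e.g. check_appliance 3.2.2-15
# Gathers the live values from rpm and /proc/stat, then classifies them.
check_appliance() {
    want=$1
    qf='%{VERSION}-%{RELEASE} %{INSTALLTIME}'
    k=$(rpm -q --qf "$qf" xen-ukrnl 2>/dev/null) || k=""
    m=$(rpm -q --qf "$qf" xen-umods 2>/dev/null) || m=""
    boot=$(awk '/^btime/ {print $2}' /proc/stat)
    classify "$want" "${k%% *}" "${k##* }" "${m%% *}" "${m##* }" "$boot"
}
```

Pass the build that matches the appliance's AppLogic release as listed in the post: `3.0.4-16` for 2.1.1, `3.2.2-15` for 2.4/2.7.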

EricT
08-28-2009, 11:06 AM
Hello,

Note that this issue does not affect the physical servers of the grid. This issue only affects AppLogic appliances that allow non-root user login (for the standard AppLogic release, only the GSC/VPS/VDS applications allow non-root user login and only the singletons in these applications need to be updated with the new domU kernel/modules).

If your grid has custom appliances which allow non-root user login, 3Tera recommends upgrading the kernel/modules in these appliances as described in the original post.

For the standard AppLogic release, the catalogs are not required to be updated -- they do not allow non-root user login.

-- Eric

Jsmart
09-17-2009, 04:42 PM
We have created a script that runs from the aldo server as a grid maintainer and upgrades the kernels on all appliances.

--
The MAIN RISK is that this upgrades all catalogs. If you have written data into UNBRANCHED catalog appliances you will lose data. This resets all time stamps on all catalogs and looks like a full catalog upgrade. It will rebuild all volcache volumes.
--

This script cannot upgrade running appliances; it requires that you stop all instances you want to upgrade.

We have set up a directory on the download site for grid maintainers. Using your download key you can get everything you need here:

From your aldo server (using your download key):

rsync -avP applogic@download.3tera.net:/home/applogic/extras/2.4.10-kernels/* /root/2.4.10-kernels
stop all apps on the grid
execute "./upgrade_kernels.sh <controller_ip>"
restart all of your apps

Regards,

Jessie