OpenVZ Security Update
Just got this email, update your kernel.
OpenVZ
Security Update Issued
An update for OpenVZ was just released to address a serious security vulnerability when using SimFS and it is recommended that you update as soon as possible.
Link:
Comments
updated:
SimFS (VZ / OpenVZ)
Urgent Action Required
Looks like there is already a public exploit for the SimFS (VZ / OpenVZ) vulnerabilities that were disclosed today. The exploit will allow a malicious user to obtain any file from another container, making this a very serious vulnerability. Update should be applied as soon as possible.
Ongoing Discussion(s) via WHT:
http://www.webhostingtalk.com/showthread.php?t=1387714
http://www.webhostingtalk.com/showthread.php?t=1387707
Relevant Links / Updates:
https://openvz.org/Download/kernel/rhel6/042stab090.5
http://kb.parallels.com/en/122142
I'm posting here, in case someone doesn't receive this email.
oh boy, we got more exploits and dumps coming
that really is tragic
If I had a dollar for every time I've heard that pun, lol.
SimFS (VZ / OpenVZ)
Urgent Action Required
Looks like there is already a public exploit for the SimFS (VZ / OpenVZ) vulnerabilities that were disclosed today. The exploit will allow a malicious user to obtain any file from another container, making this a very serious vulnerability. Update should be applied as soon as possible.
Ongoing Discussion(s) via WHT:
http://www.webhostingtalk.com/showthread.php?t=1387714
http://www.webhostingtalk.com/showthread.php?t=1387707
Relevant Links / Updates:
https://openvz.org/Download/kernel/rhel6/042stab090.5
http://kb.parallels.com/en/122142
Someone already posted before you got here:
http://lowendtalk.com/discussion/29877/openvz-security-update#latest
@Spirit @mpkossen @Nekki
Can one of you please merge the threads? I think it will help with preventing repeat posts on two similar threads.
Does it affect hosts using ploop for containers?
So everyone should be on 090.5, as every other ovz kernel version is exploitable, right?
Unless they run vzfs or ploop, which are not affected.
No, not really.. but you can still update eh?
I rebooted one node and it came back up OK. I rebooted two others and the containers have restarted fine but SSHD isn't running anymore on the nodes. :-(
And this is what Out-Of-Band Management/Console Access is for!
Yeah, but of course when you need it you find that the iLO has crashed which appears to be the case here.
You know things are serious when Prometeus does an emergency reboot!
I probably had at least 200+ days uptime on an almost forgotten VPS ("forgotten" since it gives zero problems and just works).
Cheers
I, for one, am getting tired of all these critical vulnerabilities that are being reported. Updating ~100 nodes (even with a script to do it) gets boring fast. KernelCare is starting to look mighty good to me right now.
How do I update my proxmox stuff?
They have not released a patch yet. Considering how serious this vulnerability is, it's not wise to wait for KernelCare/KSplice/etc.
Wouldn't you prefer critical vulnerabilities to be reported, rather than sold to hackers?
just replied
"The update should be ready within 3-6 hours (patches are done compiling, testing has started). If testing fails -- it might take another 12 hours for us to finish.
Regards,
Igor Seletskiy
CEO @ Cloud Linux Inc"
That would be a good solution if they actually do release patches quickly. Otherwise, your servers are like sitting ducks waiting to be "hacked" :-)
In a perfect world, there wouldn't be any vulnerabilities. But yes, it is better that they're reported and fixed rather than being in the wild, unpatched. As it is, I'm currently working out a few minor bugs with the update on several nodes. THIS is why you test things SMALL first, rather than deploying the patches to EVERYTHING at once.
I've put a line in /etc/rc.local to restart sshd just in case ...
Yeah this is causing some real issues, one of my nodes is in a panic loop and it is not like I can revert to the older kernel.... SIGH!!!!
Well this ruined my day
by day too
my*!
Ruined mine also...
Yeah I was big on kernelcare until today. 3-6 hours (after the 2 hours we waited in between initial contact) with a known exploit in the wild renders kcare useless.
Pretty much. As much as I like to see >100 days of uptime on my server, it's not worth getting my files stolen.
Damn, I should really configure init.d scripts x.x