[Users] CVE-2018-14634
José Manuel Giner
2018-09-26 09:57:23 UTC
We need a patch for OpenVZ kernel

A serious security vulnerability has been found within the Linux Kernel
nicknamed "Mutagen Astronomy" that affects CentOS, RHEL and possibly
others. This exploit would allow an attacker to exploit a flaw in any
SUID-root binary to easily obtain full root privileges.

It is recommended that users take the necessary precautions immediately.
RedHat has already released mitigation instructions referenced below.

Reference(s):
------------

https://access.redhat.com/security/cve/cve-2018-14634

https://www.qualys.com/2018/09/25/cve-2018-14634/mutagen-astronomy-integer-overflow-linux-create_elf_tables-cve-2018-14634.txt
--
José Manuel Giner
Vasily Averin
2018-09-26 11:28:50 UTC
Dear José Manuel,
thank you for this notification.
We know about this problem.
For Vz6 I'm waiting for the new RHEL6 kernel with the fix;
I expect it should be released today or tomorrow,
otherwise I'll backport the fixes from the RHEL7 kernel.
The openvz6 kernel will be released right after the release of the vz6 kernel.

For Vz7 we're preparing ReadyKernel livepatch.

We are thinking about a release of a fixed kernel for OpenVz7,
however the final decision has not yet been made.

In any case you can try to mitigate the problem by using the systemtap script
taken from the corresponding Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1624498#c10

Thank you,
Vasily Averin
_______________________________________________
Users mailing list
https://lists.openvz.org/mailman/listinfo/users
Vasily Averin
2018-09-26 16:31:15 UTC
Post by Vasily Averin
Dear José Manuel,
thank you for this notification.
We know about this problem.
For Vz6 I'm waiting for the new RHEL6 kernel with the fix;
I expect it should be released today or tomorrow,
otherwise I'll backport the fixes from the RHEL7 kernel.
The openvz6 kernel will be released right after the release of the vz6 kernel.
For Vz7 we're preparing ReadyKernel livepatch.
We are thinking about a release of a fixed kernel for OpenVz7,
however the final decision has not yet been made.
We are going to make re-base on new RHEL7 kernel
and build new openVz7 kernel in vz7-update9 unstable branch.

We are not going to create fixed kernel in vz7-update8 stable branch.

So openVz7 users can either:
- use mitigation described in Red Hat bug
- install the fixed kernel from the unstable branch (when it is ready -- in a few days or later)
- switch to vz7 and use ReadyKernel livepatch (I expect it will be ready tomorrow)
Post by Vasily Averin
In any case you can try to mitigate the problem by using systemtap script
https://bugzilla.redhat.com/show_bug.cgi?id=1624498#c10
Thank you,
Vasily Averin
Vasily Averin
2018-09-27 13:59:34 UTC
Post by Vasily Averin
Dear José Manuel,
thank you for this notification.
We know about this problem.
For Vz6 I'm waiting for the new RHEL6 kernel with the fix;
I expect it should be released today or tomorrow,
otherwise I'll backport the fixes from the RHEL7 kernel.
The openvz6 kernel will be released right after the release of the vz6 kernel.
Our current release candidate 042stab133.3 can be found here
http://fe.virtuozzo.com/f42ca6a0c59e6a19b9405ab7ba713689/

The kernel is under testing now;
however, if you do not want to wait -- feel free to use it,
we love additional testing and we'll be happy to receive any feedback about how it works.

Also, we're still waiting for the new RHEL6 kernel.
If it is published before next Wednesday,
we'll skip 042stab133.3 and will build and release a 042stab134.x kernel instead.

Thank you,
Vasily Averin
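The message above names 042stab133.3 as the Vz6/OpenVZ 6 release candidate carrying the fix. The following Python helper is an added example, not code from this thread or from the OpenVZ project: it parses OpenVZ 6 kernel release strings of the form 2.6.32-042stabNNN.N (as returned by `uname -r`) and reports whether each host in an inventory is at or above that build. The threshold is an assumption taken from the thread, the sample release strings are constructed, and kernels without a 042stab component (Vz7/OpenVZ 7, which the thread says are covered by the ReadyKernel livepatch or the vz7-update9 branch) are reported as "unknown" rather than guessed at.

```python
import platform
import re
from typing import Dict, Iterable, Optional, Tuple

# Assumed threshold, taken from the thread: 042stab133.3 is the Vz6/OpenVZ 6
# release candidate that carries the CVE-2018-14634 fix. Raise it once the
# final 042stab134.x build is published.
MIN_FIXED_STAB: Tuple[int, int] = (133, 3)

# OpenVZ 6 kernels look like "2.6.32-042stab133.3"; capture the build numbers.
_STAB_RE = re.compile(r"-042stab(\d+)\.(\d+)\b")


def parse_stab(release: str) -> Optional[Tuple[int, int]]:
    """Return (build, sub-build) of the 042stab part of an OpenVZ 6 kernel
    release string, or None when the string is not a 042stab kernel."""
    m = _STAB_RE.search(release)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(release: str) -> str:
    """Classify one kernel release string against the assumed fixed build.

    'fixed-candidate': 042stab build >= MIN_FIXED_STAB (tuple comparison, so
                       133.10 ranks above 133.3 and 134.0 above both)
    'vulnerable':      older 042stab build
    'unknown':         not an OpenVZ 6 kernel (e.g. Vz7/OpenVZ 7); check the
                       ReadyKernel livepatch or vz7-update9 kernel separately
    """
    stab = parse_stab(release)
    if stab is None:
        return "unknown"
    return "fixed-candidate" if stab >= MIN_FIXED_STAB else "vulnerable"


def classify_fleet(releases: Iterable[str]) -> Dict[str, str]:
    """Map each release string (e.g. gathered with `uname -r` per host)
    to its classification."""
    return {r: classify(r) for r in releases}


def local_status() -> str:
    """Classify the kernel this script is running on."""
    return classify(platform.release())


if __name__ == "__main__":
    # Constructed sample inventory: the first three mimic OpenVZ 6 release
    # strings, the last is a placeholder for a non-OpenVZ 6 kernel.
    sample = [
        "2.6.32-042stab133.3",
        "2.6.32-042stab133.2",
        "2.6.32-042stab127.2",
        "3.10.0-EXAMPLE-vz7",
    ]
    for release, status in classify_fleet(sample).items():
        print(f"{release:28} {status}")
    print(f"this host ({platform.release()}): {local_status()}")
```

Because the comparison is on the numeric (build, sub-build) tuple rather than on the string, 042stab133.10 correctly ranks above 042stab133.3; a plain string comparison would get that wrong.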
Vasily Averin
2018-09-27 20:49:02 UTC
Post by Vasily Averin
Dear José Manuel,
thank you for this notification.
We know about this problem.
For Vz6 I'm waiting for the new RHEL6 kernel with the fix;
I expect it should be released today or tomorrow,
otherwise I'll backport the fixes from the RHEL7 kernel.
The openvz6 kernel will be released right after the release of the vz6 kernel.
For Vz7 we're preparing ReadyKernel livepatch.
ReadyKernel patch version 62.2-1.vl7 has been published;
the announcement and description on readykernel.com will be updated tomorrow morning.