Skip to main content

Symlink Race Condition Protection

Comments

10 comments

  • cPanelMichael
    Hello, The new Security Advisor alerts (with installation links for KernelCare) are included as part of cPanel version 70. This version is not yet available outside of the Edge build tier. In the meantime, you can follow the instructions on the following CloudLinux blog post to install the free symlink protection patchset from KernelCare:
    0
  • Skin
    Thanks, I`ve just tried with no luck: root@host [~]# curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash Il pacchetto curl-7.29.0-42.el7_4.1.x86_64 " gi" installato e aggiornato all'ultima versione % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 79812 100 79812 0 0 359k 0 --:--:-- --:--:-- --:--:-- 360k Plugin abilitati:fastestmirror, priorities, tsflags, universal-hooks Analisi di kernelcare-latest-7.rpm: kernelcare-2.14-2.x86_64 kernelcare-latest-7.rpm: non aggiorna il pacchetto installato. Niente da fare root@host [~]# kcarectl --set-patch-type free --update Unknown Kernel (CentOS Linux 3.10.0-693.11.6.el7.x86_64) root@host [~]#
    0
  • cPanelMichael
    Hello @Skin, Please post the output from the following commands: cat /etc/redhat-release uname -a rpm -qa|grep kernel
    Thank you.
    0
  • sparek-3
    I don't think Kernelcare has been rebased to the updated CentOS/RHEL kernels (that address the Meltdown issue) and so any server that's running an updated kernel to guard against Meltdown, is not being guarded with the Kernelcare Symlink patch. Kernelcare probably just needs to abandon their efforts to live patch this Meltdown issue and move their development on to other issues. That's my opinion.
    0
  • cPanelMichael
    I don't think Kernelcare has been rebased to the updated CentOS/RHEL kernels (that address the Meltdown issue) and so any server that's running an updated kernel to guard against Meltdown, is not being guarded with the Kernelcare Symlink patch. Kernelcare probably just needs to abandon their efforts to live patch this Meltdown issue and move their development on to other issues. That's my opinion.

    You can find the latest updates from CloudLinux on this topic at their blog: Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux Thank you.
    0
  • Skin
    Hello, here is the output: [QUOTE] root@host [~]# cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) root@host [~]# uname -a Linux host.xxxxx.org 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux root@host [~]# rpm -qa|grep kernel kernel-tools-3.10.0-693.11.6.el7.x86_64 kernel-3.10.0-693.11.6.el7.x86_64 kernel-headers-3.10.0-693.11.6.el7.x86_64 kernelcare-2.14-2.x86_64 kernel-tools-libs-3.10.0-693.11.6.el7.x86_64 kernel-3.10.0-693.5.2.el7.x86_64 lw-kernelcare-installer-0.0.4-3.noarch lp-kernelupdate-1.1-2.noarch kernel-3.10.0-693.11.1.el7.x86_64
    Thanks
    0
  • quizknows
    Kernelcare probably just needs to abandon their efforts to live patch this Meltdown issue and move their development on to other issues. That's my opinion.

    I hate to say it but I'm with you on that one.
    0
  • Skin
    Hello, I`m still unable to get the Symlink Protection Patch, should I enable the BlueHost Patch?
    0
  • quizknows
    Hello, I`m still unable to get the Symlink Protection Patch, should I enable the BlueHost Patch?

    The Bluehost patch is OK last-minute mitigation. There are ways around it (which have been reported, but nobody is going to fix that patch), but the good news is most hackers don't know the way around it. So it's not fool proof but much better than nothing.
    0
  • cPWilliamL
    @Skin, I was unable to replicate this on a CentOS7 server with the same kernel version. You may want to reach out to CL directly about this. The BlueHost patch should suffice for the time being.
    0

Please sign in to leave a comment.