Symlink Race Condition Protection
In the EasyApache 4 docs I can see that there is a free KernelCare patch to address the Symlink Race Condition:
If you do not install KernelCare, you can install KernelCare's Free Patch Set, which includes KernelCare Free Symlink Protection.
We offer both of these options via WHM's Security Advisor interface (WHM >> Home >> Security >> Security Advisor).
I don't see any options, there is only a message like this one:
[QUOTE]No symlink protection detected
You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following
Hello,
The new Security Advisor alerts (with installation links for KernelCare) are included as part of cPanel version 70. This version is not yet available outside of the Edge build tier. In the meantime, you can follow the instructions on the following CloudLinux blog post to install the free symlink protection patchset from KernelCare:
Thanks, I've just tried with no luck:
root@host [~]# curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
Il pacchetto curl-7.29.0-42.el7_4.1.x86_64 è già installato e aggiornato all'ultima versione
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 79812  100 79812    0     0   359k      0 --:--:-- --:--:-- --:--:--  360k
Plugin abilitati:fastestmirror, priorities, tsflags, universal-hooks
Analisi di kernelcare-latest-7.rpm: kernelcare-2.14-2.x86_64
kernelcare-latest-7.rpm: non aggiorna il pacchetto installato.
Niente da fare
root@host [~]# kcarectl --set-patch-type free --update
Unknown Kernel (CentOS Linux 3.10.0-693.11.6.el7.x86_64)
root@host [~]#
Hello @Skin,
Please post the output from the following commands:
cat /etc/redhat-release
uname -a
rpm -qa|grep kernel
Thank you.
I don't think Kernelcare has been rebased to the updated CentOS/RHEL kernels (that address the Meltdown issue), and so any server that's running an updated kernel to guard against Meltdown is not being guarded with the Kernelcare Symlink patch. Kernelcare probably just needs to abandon their efforts to live patch this Meltdown issue and move their development on to other issues. That's my opinion.
You can find the latest updates from CloudLinux on this topic at their blog: Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux
Thank you.
Hello, here is the output:
[QUOTE]
root@host [~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
root@host [~]# uname -a
Linux host.xxxxx.org 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@host [~]# rpm -qa|grep kernel
kernel-tools-3.10.0-693.11.6.el7.x86_64
kernel-3.10.0-693.11.6.el7.x86_64
kernel-headers-3.10.0-693.11.6.el7.x86_64
kernelcare-2.14-2.x86_64
kernel-tools-libs-3.10.0-693.11.6.el7.x86_64
kernel-3.10.0-693.5.2.el7.x86_64
lw-kernelcare-installer-0.0.4-3.noarch
lp-kernelupdate-1.1-2.noarch
kernel-3.10.0-693.11.1.el7.x86_64
Thanks
Kernelcare probably just needs to abandon their efforts to live patch this Meltdown issue and move their development on to other issues. That's my opinion.
I hate to say it but I'm with you on that one.
Hello, I'm still unable to get the Symlink Protection Patch, should I enable the BlueHost Patch?
The Bluehost patch is an OK last-minute mitigation. There are ways around it (which have been reported, but nobody is going to fix that patch), but the good news is most hackers don't know the way around it. So it's not foolproof but much better than nothing.
@Skin, I was unable to replicate this on a CentOS7 server with the same kernel version. You may want to reach out to CL directly about this. The BlueHost patch should suffice for the time being.