Skip to main content

KernelCare “Extra” Patchset option not showing in WHM > Security Advisor

Comments

8 comments

  • cPanelLauren
    Hi @WorkinOnIt That's unusual, all servers that are on v70+ should have it. I know you did mention they were all on the same cPanel version, OS and kernel but could you run the following on the server with the patch and the server without: uname -r rpm -qa |grep kernel kcarectl --patch-info cat /usr/local/cpanel/version cat /etc/redhat-release
    Thanks!
    0
  • WorkinOnIt
    Server with patch installed; [test@1 ~]$ uname -r 3.10.0-862.3.2.el7.x86_64 [test@1 ~]$ rpm -qa |grep kernel kernel-tools-libs-3.10.0-862.3.2.el7.x86_64 kernel-tools-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.21.1.el7.x86_64 kernel-headers-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.17.1.el7.x86_64 kernelcare-2.14-6.x86_64 kernel-3.10.0-862.2.3.el7.x86_64 kernel-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.11.1.el7.x86_64 [test@1 ~]$ sudo kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-24 04:36:53 kpatch-name: 3.10.0/symlink-protection-ge-862.patch kpatch-description: symlink protection kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: Gerrit Code Review kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch kpatch-description: symlink protection (kpatch adaptation) kpatch-kernel: kernel-3.10.0-514.el7 kpatch-cve: N/A kpatch-cvss: N/A kpatch-cve-url: N/A kpatch-patch-url: Gerrit Code Review [test@1 ~]$ cat /usr/local/cpanel/version 11.70.0.44 [test@1 ~]$ cat /etc/redhat-release CentOS Linux release 7.5.1804 (Core)
    Second server without the button showing. [test@server2 ~]$ uname -r 3.10.0-862.3.2.el7.x86_64 [test@server2 ~]$ rpm -qa |grep kernel kernel-3.10.0-862.3.2.el7.x86_64 kernelcare-2.14-6.x86_64 kernel-3.10.0-693.11.1.el7.x86_64 kernel-3.10.0-693.21.1.el7.x86_64 kernel-headers-3.10.0-862.3.2.el7.x86_64 kernel-tools-libs-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-693.17.1.el7.x86_64 kernel-tools-3.10.0-862.3.2.el7.x86_64 kernel-3.10.0-862.2.3.el7.x86_64 [test@server2 ~]$ sudo kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-24 04:36:53 kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch kpatch-description: Restrict access to pagemap/kpageflags/kpagecount kpatch-kernel: kpatch-cve: kpatch-cvss: kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges kpatch-patch-url: uname: 3.10.0-862.3.2.el7 [test@server2 ~]$ cat /usr/local/cpanel/version 11.70.0.44 [test@server2 ~]$ cat /etc/redhat-release CentOS Linux release 7.5.1804 (Core)
    0
  • cPanelLauren
    Hi @WorkinOnIt Thank you for providing all of that information. The big difference I see here is the patch info. On the server without the option you have an entirely different patch coming up: [test@server2 ~]$ sudo kcarectl --patch-info OS: centos7 kernel: kernel-3.10.0-862.3.2.el7 time: 2018-05-24 04:36:53 kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch kpatch-description: Restrict access to pagemap/kpageflags/kpagecount kpatch-kernel: kpatch-cve: kpatch-cvss: kpatch-cve-url: Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges kpatch-patch-url:
    Is this something that you remember installing? Thanks!
    0
  • WorkinOnIt
    Yes, I saw that discrepancy too - but I don't remember installing any patches. I'm not even sure what the proc-restrict-pagemap-access.patch actually does! What's the best way forward here?
    0
  • cPanelLauren
    @WorkinOnIt I'm going to research this patch and see if I can replicate the issue you're experiencing as well as look for a potential workaround. I'll update you again once I've got some more information.
    0
  • cPanelLauren
    Hi @WorkinOnIt Can you please run the following on the server that isn't showing the symlink protection patch? usr/bin/kcarectl --info /usr/bin/kcarectl --license-info
    That patch also came with the following: KernelCare Directory I'm wondering if you have the full kernelcare version on this server and because of that patch you're not getting the notification somehow
    0
  • WorkinOnIt
    Hi @cPanelLauren I ran the above command and it says : "You have a trial license for the IP 12.34.56.78 that will expire on 2018-05-30" kpatch-state: patch is applied kpatch-for: Linux version 3.10.0-862.3.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Mon May 21 23:36:36 UTC 2018 kpatch-build-time: Wed May 23 21:57:28 2018 kpatch-description: 1-;3.10.0-862.3.2.el7 However, I have not installed Kernel Care on the system - unless that is what got installed along with some update? I'm the only admin on the server, so no-one else could have installed it. Very odd !! Has this been reported by anyone else? What's the best way to remove it and go with the free patch.
    0
  • cPanelLauren
    HI @WorkinOnIt When just the patch is applied the kpatch-description line looks like this: kpatch-description: 2-free;
    So it does indeed look like you have the full KernelCare service installed. To uninstall it you can follow the instructions provided by CloudLinux here: KernelCare Documentation Then you can install just the free patch from the SecurityAdvisor - There are two KernelCare related notifications that come up when running the security advisor, one is yellow for the full KernelCare product and the other is red for symlink protection only.
    0

Please sign in to leave a comment.