The Apache CloudStack Blog

Wednesday January 28, 2015

CloudStack and the "Ghost" glibc vulnerability

UPDATE: mitigation instructions have been improved (don't update openswan) and we forgot to mention rebooting.
UPDATE: Links to updated System VM templates are now below

Yesterday, a buffer overflow vulnerability was announced in glibc that affects most current Linux distributions. In CloudStack, the system VMs contain a vulnerable version of glibc.

CloudStack community members have built an updated system VM template, which ShapeBlue is hosting at http://packages.shapeblue.com/systemvmtemplate/ (More information on the packages at http://shapeblue.com/packages).

For instructions on how to update the SystemVM template in CloudStack, see here.

For those who wish to patch their running system VMs, ssh into each one and run:

apt-mark hold openswan
apt-get clean
apt-get update && apt-get upgrade

After updating glibc, the system will need to be rebooted.
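
Where a reboot has to be scheduled, the following added example (not part of the original post or of CloudStack) lists processes that still have the pre-upgrade glibc mapped, using the "(deleted)" marker in /proc/<pid>/maps. The function names, the PROC_ROOT parameter and the sample tree are assumptions of this example, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: report processes still executing the pre-upgrade glibc.
# The package upgrade replaces the library file on disk, so a process started
# before it keeps the old copy mapped and /proc/<pid>/maps marks it "(deleted)".

# stale_libc_pids [PROC_ROOT]: print "<pid> <command>" for each such process.
# PROC_ROOT defaults to /proc; the parameter exists so the check can be run
# against a constructed tree (an assumption of this example).
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            name="$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# make_sample_proc DIR: build a constructed two-process tree (not real data).
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo sshd > "$1/101/comm"
    echo dnsmasq > "$1/202/comm"
    # PID 101 started before the upgrade: its libc mapping is the unlinked file.
    cat > "$1/101/maps" <<'EOF'
7f3a1c000000-7f3a1c182000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f3a1c5a0000-7f3a1c5c0000 r-xp 00000000 08:01 1302 /lib/x86_64-linux-gnu/ld-2.13.so (deleted)
EOF
    # PID 202 was restarted after the upgrade: it maps the file now on disk.
    cat > "$1/202/maps" <<'EOF'
7f9b20000000-7f9b20182000 r-xp 00000000 08:01 2417 /lib/x86_64-linux-gnu/libc-2.13.so
7f9b203a0000-7f9b203b8000 r-xp 00000000 08:01 2409 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
}

# Demo on the constructed tree; on a system VM run: stale_libc_pids /proc
sample="$(mktemp -d)"
make_sample_proc "$sample"
stale_libc_pids "$sample"
rm -rf "$sample"
```

Run as root on the system VM so that every process's maps file is readable; an empty result after the reboot or service restarts means no running process is still using the old library.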

Information about how to connect to your System VMs is available here.

Other CloudStack-related systems may be affected!

Please review security updates from Linux distributions you use on your management server, storage systems, hypervisors, as well as other Linux VMs and bare-metal systems running in your environments. This post provides instructions for determining if a system is vulnerable, as well as patching directions for common Linux distributions.

Comments:

NOTE: There is a correction in the above:

1. Mark openswan to not upgrade, or else VPN related functionality may break: apt-mark hold openswan
2. Clean old cache (not cleaning can cause disk space issues): apt-get clean
3. Now upgrade: apt-get update && apt-get upgrade
4. Restart the VM (if that is not an option, restart remote services such as SSH, DNS, DHCP, VPN etc).

Updated systemvm templates are available for download from here: http://packages.shapeblue.com/systemvmtemplate/ More information on packages here: http://shapeblue.com/packages

Posted by Rohit Yadav on January 28, 2015 at 08:03 PM UTC #

Thank you for this important vulnerability notification.

Posted by Dotbuffer.com on February 03, 2015 at 12:22 AM UTC #
