The Apache CloudStack Blog
CloudStack and the "Ghost" glibc vulnerability
UPDATE: mitigation instructions have been improved (don't update openswan) and we forgot to mention rebooting.
UPDATE: Links to updated System VM templates are now below
Yesterday, a buffer overflow vulnerability was announced in glibc that affects most current Linux distributions. In CloudStack, the system VMs contain a vulnerable version of glibc.
CloudStack community members have built an updated system VM template, which ShapeBlue is hosting at http://packages.shapeblue.com/systemvmtemplate/ (More information on the packages at http://shapeblue.com/packages).
For instructions on how to update the SystemVM template in CloudStack, see here.
For those who wish to patch their running system VMs, ssh into each one and run:
apt-mark hold openswan apt-get clean apt-get update && apt-get upgradeAfter updating glibc, the system will need to be rebooted.
Information about how to connect to your System VMs is available here.
Other CloudStack-related systems may be affected!
Please review security updates from Linux distributions you use on your management server, storage systems, hypervisors, as well as other Linux VMs and bare-metal systems running in your environments. This post provides instructions for determining if a system is vulnerable, as well as patching directions for common Linux distributions.