This notice is to advise the user groups identified below of CVE-2016-5195, the high-severity "Dirty Cow" vulnerability first announced here (and on other sites) in November 2016.
This race condition is in mm/gup.c in the Linux kernel 2.x through 4.x (before 4.8.3), and it allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping.
The only affected Joyent images are KVM images, so those have been updated accordingly. As before, please be assured that Joyent's HTTPS endpoints for Manta, CloudAPI and the customer portal are not vulnerable.
The following user groups are affected (and can mitigate this vulnerability by following instructions further below):
- Joyent customers using on-premises Triton software
- All users of KVM (CentOS, Debian and Ubuntu) images, including Triton public cloud customers
- Users of Open Source Triton
Actions Taken by Joyent
Joyent created a new Platform Image (PI) containing fixes that addressed these vulnerabilities. This PI has been applied across the Triton Cloud (public cloud), and is available to Triton Enterprise software users.
Joyent also made upgraded images (containing the fix) available, as described below.
Actions You Need to Take
Triton Software Users:
You are advised to apply this fix (and other timely fixes) by updating your current Platform Image (PI) to the next available release (20170105-20170105T023718Z or later) using the following command on the support channel:
sdcadm platform install --latest
Triton Public Cloud Users:
As noted above, the fix has already been applied across the entire public cloud.
Further Ubuntu instructions are available here, and you can learn more about Ubuntu Certified Images available for upgrade here. Debian and Ubuntu users can upgrade images with the following commands:
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
Open Source Triton Users:
- Upgrade to this Triton Platform Image (PI) release: 20170105-20170105T023718Z or later
- Direct any further questions to: The SmartOS Community Mailing Lists and IRC
If you are a Joyent customer and have any further questions or concerns after reading the information and instructions above, please contact Joyent Support.
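To confirm the result after updating, the two thresholds stated in this notice can be checked from a shell. The script below is an added example, not Joyent tooling: the function names are hypothetical, and it assumes that `uname -v` on a compute node reports the platform stamp as `joyent_<stamp>`.

```shell
#!/bin/sh
# Added example: version checks built from the two thresholds in this notice.
FIXED_PI="20170105T023718Z"   # first fixed Platform Image, per the notice

# pi_is_fixed STAMP: 0 = at or after FIXED_PI, 1 = older, 2 = unrecognised.
# Accepts "joyent_20170105T023718Z" (assumed uname -v form) or the notice's
# "20170105-20170105T023718Z" form.
pi_is_fixed() {
    stamp=${1##*[_-]}   # keep the trailing YYYYMMDDTHHMMSSZ part
    case $stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) return 2 ;;
    esac
    # Fixed-width UTC stamps order correctly as plain strings.
    oldest=$(printf '%s\n%s\n' "$FIXED_PI" "$stamp" | LC_ALL=C sort | head -n 1)
    [ "$oldest" = "$FIXED_PI" ]
}

# kernel_in_affected_range RELEASE: 0 = upstream version is 2.x through 4.x
# and before 4.8.3, 1 = outside that range, 2 = unparsable.
# Distribution kernels backport fixes without changing this number, so a 0
# here means "check the vendor advisory", not "confirmed vulnerable".
kernel_in_affected_range() {
    ver=${1%%[!0-9.]*}   # "4.4.0-31-generic" -> "4.4.0"
    case $ver in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 2 ] && return 1
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 3 ]
}

# Run with --check on the host itself; reads uname output only.
if [ "${1:-}" = "--check" ]; then
    case $(uname -s) in
        SunOS) pi_is_fixed "$(uname -v)" && echo "PI at or after $FIXED_PI" \
                   || echo "PI older than $FIXED_PI or not recognised" ;;
        Linux) kernel_in_affected_range "$(uname -r)" \
                   && echo "kernel in affected upstream range" \
                   || echo "kernel outside affected upstream range" ;;
    esac
fi
```

On the KVM guests, run the check only after the reboot, since `uname -r` reports the running kernel and not the newly installed one.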