This notice is to advise Joyent's Triton Cloud (public cloud) customers, Triton on-premises software customers and Open Source Triton users of two security vulnerabilities.
The following security vulnerabilities have been identified by Ben with Zero Day Initiative (ZDI): ZDI-CAN-4983 and ZDI-CAN-4984. Through ZDI, we have previously been made aware of these vulnerabilities. Here is a brief description of the issue and its resolution:
- Issue: A local process can generate a panic by issuing commands to the smb subsystem.
- Resolution: This issue was addressed with better handling on the smb driver.
Please proceed based on the following advice:
- These vulnerabilities have already been fixed throughout the Triton Cloud (public cloud). No further action is required of public cloud users.
- On-premises Triton (SDC7) software customers can mitigate all of these issues by following the instructions referenced in the Actions You Need to Take section below.
- Open Source Triton users can also mitigate all of these issues by following the instructions referenced in the Actions You Need to Take section below.
- An upcoming announcement regarding this vulnerability will be published at Zero Day's "Upcoming Advisories".
Actions Taken by Joyent
As noted above, the fix for these vulnerabilities has already been applied across the entire Triton Cloud (public cloud). No further action is required of public cloud users.
Actions You Need to Take
Triton On-Premises Software Users:
You are advised to apply this fix by updating your current Platform Image (PI) to the next available release (release-20170831-20170831T155809Z or later), using the following command on the support channel:
sdcadm platform install --latest
Open Source Triton Users:
- Upgrade servers to Platform Image (PI) release-20170831-20170831T155809Z or later
- Direct any further questions to: The SmartOS Community Mailing Lists and IRC
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
If you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC (as noted above).