
Sean G. Feb 11 Announcements / Security Advisories

Overview

Introduction

Through HP's Zero Day Initiative, we have previously been made aware of the three security issues described in this Overview:

  • These vulnerabilities have already been fixed throughout the Joyent Public Cloud.
  • On-premises Triton (SDC7) software customers can mitigate these issues by following the (previously-provided) instructions referenced in the Recommendations/Fixes section below.
  • These three vulnerabilities will be announced on Tuesday, 16-February-2016 at Zero Day's "Upcoming Advisories".

Two Illumos vulnerabilities

These are two security issues with illumos that, used together and in the hands of a determined attacker, constitute a serious vulnerability for SmartOS-based systems:

  • ZDI-CAN-3263
  • ZDI-CAN-3284

Both of these issues are related to DTrace: one leverages an information leak in the copyout() action, and the other leverages kernel data corruption that can be induced with malicious DIF.

Neither issue can be triggered by users who lack DTrace privileges, meaning that many other systems that have DTrace are not actually at risk because they do not expose DTrace to non-privileged users.

A Linux vulnerability

We were also made aware of the following previously-uncovered Linux vulnerability, which can be exploited in a Linux-branded zone with ptrace:

We have rectified this issue by tightening the handling of faults associated with the Stack Segment (SS) segment register, to prevent local users from gaining privileges by triggering an IRET instruction that leads to access to a GS Base address.

Recommendations / Fixes

On-premises Triton (formerly SDC7) customers

Individual notifications were sent to each customer's main contact email address beginning 5-October-2015, with the last of two subsequent updates to those tickets sent on 8-December-2015. The most recent subject line (on 8-Dec) in your main contact's email inbox reads as follows:

"[NEW UPDATE] Security Advisory: Illumos-related vulnerability for SmartOS systems"

If you have not already done so, please act on the instructions referenced above to mitigate all of these vulnerabilities at your earliest opportunity.

If you require further clarification regarding mitigation instructions (or would like to receive another copy), please contact Joyent Support by submitting a request at the support portal or by emailing support@joyent.com.

Joyent Public Cloud (JPC) customers

The fixes for all of these vulnerabilities have already been applied cloud-wide, during the last part of 2015. No further action is necessary.

Further advice

As before, please rest assured that Joyent's HTTPS endpoints for Manta, CloudAPI and our customer portal are not vulnerable.

Joyent customers who are using third-party operating systems are advised to contact their respective service providers for further information and instructions.

Elizabeth Feb 9 Announcements / Incidents & Notifications

UPDATE: This maintenance has been successfully completed.

We have scheduled API service updates in all of our data centers for this upcoming Thursday, 11-February-2016. The expected duration of impact is approximately 45 minutes per data center, and the scheduled start times for each data center are outlined as follows:

  • EU-AMS-1: 14:00 PST 11-Feb-2016 (22:00 UTC 11-Feb-2016)
  • US-EAST-3: 14:45 PST 11-Feb-2016 (22:45 UTC 11-Feb-2016)
  • US-EAST-2: 15:30 PST 11-Feb-2016 (23:30 UTC 11-Feb-2016)
  • US-EAST-1: 16:15 PST 11-Feb-2016 (00:15 UTC 12-Feb-2016)
  • US-SW-1: 17:00 PST 11-Feb-2016 (01:00 UTC 12-Feb-2016)
  • US-WEST-1: 17:45 PST 11-Feb-2016 (01:45 UTC 12-Feb-2016)

Your ability to manage your instances via the API or through my.joyent.com will be limited during this time. Running instances will experience no impact other than orchestration (stopping/starting/destroying of VMs). We appreciate your patience and understanding, and will update this notice as soon as the maintenance is completed.

If you have any questions or concerns, please contact our Support team by raising a ticket at https://help.joyent.com or by email to support@joyent.com.

Sean G. Jan 15 Announcements / Security Advisories

Overview

Two new vulnerabilities in the OpenSSH SSH client (CVE-2016-0777 and CVE-2016-0778) allow a malicious or compromised SSH server to induce the client to leak arbitrary memory (including the client's private keys), and, in some versions of the client, execute arbitrary code on the client system. The client checks the server's host keys before reaching the point of vulnerability, so a man-in-the-middle attack is not a realistic vector (unless the server's host keys have already been disclosed).

These vulnerabilities come about through a little-used feature of the client for "roaming" of connections, which has never been supported in the OpenSSH server, but for which client support was added in version 5.4.

Recent releases of SmartOS and SDC have included OpenSSH clients in the platform image (in /usr/bin) that are vulnerable to the first vulnerability (the information leak), but not the second (buffer overflow leading to arbitrary code execution). Apart from the SSH client in the platform image, within each SmartOS zone or VM running on the system there may be an SSH client installed manually by the user (e.g. from pkgsrc) that is vulnerable, potentially to both CVEs.

Checking for vulnerable versions

On your client, run the command ssh -V. If you see

OpenSSH_7.1p1, OpenSSL 1.0.1p 9 Jul 2015

and the number in the place where 7.1p1 appears above is between 5.4 and 7.1p1 inclusive, your client is vulnerable.

Immediate mitigation

There is a simple mitigation for both of these vulnerabilities that all users are encouraged to deploy immediately. Add the line

UseRoaming no

at the top of ~/.ssh/config (create the file if it does not already exist). Users may also add the command-line option -o 'UseRoaming no' to any invocation of the ssh command (the SSH client). This option entirely disables the vulnerable roaming feature that is the source of the issue.

Note: This configuration option is rejected with a fatal error by SunSSH and by OpenSSH versions older than 5.4; those clients are not vulnerable.
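
The version check and the UseRoaming mitigation described above, as an added example that is not part of the advisory and not Joyent tooling: a POSIX sh script that classifies an `ssh -V` banner against the affected range (5.4 through 7.1p1 inclusive) and prepends `UseRoaming no` to a config file only when it is not already there. The function names, the sample config file and the extra sample banners are this example's own constructions; the banner string used in the demo is the one quoted in the advisory.

```shell
#!/bin/sh
# Added example; not from the Joyent advisory. Two helpers:
#   1. openssh_roaming_vulnerable BANNER  - classify an `ssh -V` banner as
#      affected by CVE-2016-0777/CVE-2016-0778 (OpenSSH 5.4 .. 7.1p1 inclusive)
#   2. ensure_use_roaming_no CONFIG_FILE - idempotently put "UseRoaming no" at
#      the top of an ssh_config file
# Function names and sample values are this example's own constructions.

# Returns 0 = vulnerable, 1 = not vulnerable, 2 = not OpenSSH / unparsable.
# Note: ssh -V prints its banner on stderr, so capture it with 2>&1.
openssh_roaming_vulnerable() {
    banner=$1
    case "$banner" in
        OpenSSH_*) ;;
        *) return 2 ;;                  # SunSSH or another client: no roaming code
    esac
    ver=${banner#OpenSSH_}              # "7.1p1, OpenSSL 1.0.1p 9 Jul 2015"
    ver=${ver%%[ ,]*}                   # "7.1p1"   (Ubuntu builds: "6.6.1p1")
    num=${ver%%p*}                      # "7.1"     (drop the portable suffix)
    patch=${ver#"$num"}; patch=${patch#p}
    patch=${patch%%[!0-9]*}             # "1", or "" for a bare "x.y"
    major=${num%%.*}                    # "7"
    [ "$major" != "$num" ] || return 2  # no dot at all: not a version we know
    rest=${num#*.}                      # "1"       (or "6.1" for 6.6.1)
    minor=${rest%%.*}                   # "1"
    case "$major$minor$patch" in
        *[!0-9]*) return 2 ;;           # unparsable: report, do not guess
    esac
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    # Encode x.ypz as an integer so the range test is one comparison:
    # 5.4 -> 50400 (first affected), 7.1p1 -> 70101 (last affected), 7.1p2 -> 70102.
    key=$((major * 10000 + minor * 100 + ${patch:-0}))
    [ "$key" -ge 50400 ] && [ "$key" -le 70101 ]
}

# ssh_config takes the first value obtained for each option, so a line at the
# top of the file wins over any later Host block; that is why the advisory says
# to add it at the top. The function creates the file if it does not exist.
ensure_use_roaming_no() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    if grep -Eiq '^[[:space:]]*UseRoaming[[:space:]]+no[[:space:]]*$' "$cfg"; then
        return 0                        # already present: nothing to do
    fi
    tmp=$cfg.tmp.$$
    { printf 'UseRoaming no\n'; cat "$cfg"; } > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on the banner quoted in the advisory (constructed input; no ssh needed).
SAMPLE_BANNER='OpenSSH_7.1p1, OpenSSL 1.0.1p 9 Jul 2015'
if openssh_roaming_vulnerable "$SAMPLE_BANNER"; then
    echo "vulnerable:     $SAMPLE_BANNER"
else
    echo "not vulnerable or not OpenSSH: $SAMPLE_BANNER"
fi
# Live check of the local client (uncomment to run):
#   mkdir -p ~/.ssh && chmod 700 ~/.ssh
#   openssh_roaming_vulnerable "$(ssh -V 2>&1)" && ensure_use_roaming_no ~/.ssh/config
```

Return code 2 is deliberately separate from "not vulnerable": a banner the script cannot parse (SunSSH, or a vendor-patched version string) should be looked at by a person rather than silently passed. The grep in `ensure_use_roaming_no` only recognises the spelled-out `UseRoaming no` form, so a file that already disables roaming some other way gets a second, harmless copy at the top.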

Recommendations

Users of Triton Elastic Container Infrastructure (formerly “SDC” or “SmartDataCenter”), or of SmartOS releases between 20150917 and 20160108 (inclusive), should update their platform image to 20160121 as soon as possible after it is released. That release will include the upstream patch for this issue (which simply disables the roaming feature). Users on a release older than 20150917 need not upgrade their platform image for this vulnerability, as those releases include SunSSH (which is based on an OpenSSH version prior to 5.4, when the feature was introduced).

Users of LX-branded zones or KVMs with a vulnerable OpenSSH client installed should refer to their operating system's or distribution's announcements or project website for further details about when new packages will be available, and update accordingly.

Users of SmartOS zones who have installed openssh from pkgsrc versions 2014Q4 (LTS) and 2015Q3 will have updated packages made available soon and should update as soon as possible once released. If an upgrade is not possible, users should make use of the workaround described above, or perhaps consider building the SSH client from source if the need is particularly acute.

We will update this advisory regarding updated Platform Images and packages as soon as they become available.

Support

As before, please be assured that Joyent's HTTPS endpoints for Manta, CloudAPI and our customer portal are not vulnerable.

Joyent customers who are using third-party operating systems are advised to contact their respective service providers for further information and instructions.

If you have followed the instructions above and further questions arise regarding mitigation of the OpenSSH vulnerabilities in Joyent products and services, please contact Joyent Support by submitting a request at the support portal or by emailing support@joyent.com.

Elizabeth December 3, 2015 Announcements / Security Advisories

**NEW UPDATE (as of 18:00 UTC 8-Dec-2015)**

SmartOS Users

As per the table below, users should update to the fixed release for the affected version they are running. Users running the older 1.0.0 or 0.9.8 versions of OpenSSL are advised to upgrade to a later version of OpenSSL.

| CVE | Version(s) Affected | Fixed Release(s) | Where Available (pkgsrc repo) |
| --- | --- | --- | --- |
| CVE-2015-3193 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3 |
| CVE-2015-3194 | OpenSSL 1.0.2, 1.0.1 | OpenSSL 1.0.2e, 1.0.1q | 2015Q3, 2014Q4 |
| CVE-2015-3195 | OpenSSL 1.0.2, 1.0.1, 1.0.0, 0.9.8 | OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh | 2015Q3, 2014Q4 (only 1.0.2, 1.0.1) |
| CVE-2015-3196 | OpenSSL 1.0.2, 1.0.1, 1.0.0 | OpenSSL 1.0.2d, 1.0.1p, 1.0.0t | 2015Q3, 2014Q4 (only 1.0.2, 1.0.1) |
| CVE-2015-1794 | OpenSSL 1.0.2 | OpenSSL 1.0.2e | 2015Q3 |

You can determine whether OpenSSL is installed (as well as the version you have installed) by running: 

$ pkgin ls | grep -i openssl

Customers can re-install OpenSSL with the following commands:

$ pkgin -y up && pkgin -y in openssl

Or, install the version needed (if only available in a different repository), by running:

$ pkg_add pkgsrc_path_to_package

For example, if you need to install OpenSSL version 1.0.2e from the 2015Q3 repository, but you are running on an image that is using a different repository, you can install the 1.0.2e version by running:

$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2015Q3/x86_64/All/openssl-1.0.2e.tgz
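
The check-then-update procedure above, as an added example that is not part of the advisory and not Joyent tooling: a POSIX sh function that takes one line of `pkgin ls` output for the openssl package and reports whether the installed release is at or past the highest fixed release in the table (1.0.2e, 1.0.1q, 1.0.0t, 0.9.8zh), which covers all five CVEs listed. The function name and the sample `pkgin ls` line are this example's own constructions.

```shell
#!/bin/sh
# Added example; not from the Joyent advisory. Decide whether an installed
# pkgsrc openssl package is at or past the fixed release in the table above.
# Function name and the sample pkgin line are this example's own constructions.

# openssl_pkg_status PKGIN_LINE
#   prints "<branch> <installed> <fixed> fixed|vulnerable" and returns
#   0 = fixed, 1 = vulnerable, 2 = branch not covered by the advisory's table.
openssl_pkg_status() {
    set -- $1                       # first word: "openssl-1.0.1p"
    pkg=$1
    v=${pkg#openssl-}               # "1.0.1p"   (pkgsrc may append "nbN")
    branch=${v%%[a-z]*}             # "1.0.1"
    letter=${v#"$branch"}           # "p" or "pnb1"
    letter=${letter%%nb*}           # drop the pkgsrc revision suffix -> "p"
    case "$branch" in
        1.0.2) fixed=e ;;           # 1.0.2e fixes 3193, 3194, 3195, 3196, 1794
        1.0.1) fixed=q ;;           # 1.0.1q fixes 3194, 3195, 3196
        1.0.0) fixed=t ;;           # 1.0.0t fixes 3195, 3196
        0.9.8) fixed=zh ;;          # 0.9.8zh fixes 3195
        *) printf '%s %s ? unknown\n' "$branch" "$v"; return 2 ;;
    esac
    # OpenSSL patch letters sort a..z, then za..zz: compare length first, then
    # the text. An empty letter (a plain "1.0.1") sorts before "a".
    if awk -v a="$letter" -v b="$fixed" \
        'BEGIN { exit !(length(a) > length(b) || (length(a) == length(b) && a >= b)) }'
    then
        printf '%s %s %s%s fixed\n' "$branch" "$v" "$branch" "$fixed"
        return 0
    fi
    printf '%s %s %s%s vulnerable\n' "$branch" "$v" "$branch" "$fixed"
    return 1
}

# Demo on a constructed pkgin line. On a real zone, feed it the output of
#   pkgin ls | grep -i '^openssl-'
# one line at a time, and on a "vulnerable" result run the pkgin/pkg_add
# commands from the advisory.
SAMPLE_PKGIN_LINE='openssl-1.0.1p       Secure Socket Layer and crypto library'
openssl_pkg_status "$SAMPLE_PKGIN_LINE" || true
```

The return code 2 path matters for the 1.0.0 and 0.9.8 cases the advisory treats separately: a branch outside the table is reported as unknown rather than assumed safe, so the operator decides whether the advice to move to a later branch applies.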

Linux Users

Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:

Debian: https://www.debian.org/security/2015/dsa-3413

Centos/Red Hat/Fedora: https://access.redhat.com/solutions/2076883

Ubuntu: http://www.ubuntu.com/usn/usn-2830-1/

Joyent Manta, CloudAPI and Portal

Please be assured that any Joyent components identified as being affected will be updated.

Node.js Users

Versions v0.10.x through 4.x were affected. It is advised that you update Node.js to the latest releases:
  • nodejs-0.10.41 (pending)
  • nodejs-0.12.9 (available in the 2014Q4 pkgsrc repo; pending availability in the 2015* repos)
  • nodejs-4.2.3 (available in the 2014Q4 pkgsrc repo; pending availability in the 2015* repos)

Please also take note of the most recently announced Node.js vulnerabilities outlined here.

We will continue to update this notice with any new information in due course, so please check back periodically for any new details.

ORIGINAL NOTICE:

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified OpenSSL security vulnerabilities CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196. More information about these vulnerabilities can be reviewed here.

We believe these security vulnerabilities do not pose a significant threat at this time. However, in due course we will update this notice to confirm the actions taken by Joyent, and provide specific details of any required actions that will need to be taken by both JPC and SDC customers.

At any time, please do not hesitate to contact our Support team (by raising a ticket at https://help.joyent.com or by email to support@joyent.com) if you have any questions or concerns.

Elizabeth December 1, 2015 Announcements / Security Advisories

**NEW UPDATE (as of 16:45 UTC 8-Dec-2015)**

SmartOS Users

New releases of the node.js packages have been added to the 2014Q4 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:

  • nodejs-0.12.9.tgz
  • nodejs-4.2.3.tgz

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command:

$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-0.12.9.tgz

$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/nodejs-4.2.3.tgz

You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.

We will continue to update this notice with any new information, and will let you know when the 2015Q3* repository has been updated, so please check back periodically for any new details.

Please also refer to our most recent OpenSSL Security Advisory for details on the Node.js versions affected by the most recent OpenSSL CVE's.

Linux Users

Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:

Debian: CVE-2015-8027 and CVE-2015-6764

Centos/Red Hat/Fedora: CVE-2015-8027 and CVE-2015-6764

Ubuntu: CVE-2015-8027 and CVE-2015-6764

ORIGINAL NOTICE:

This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently-identified Node.js security vulnerabilities CVE-2015-8027 and CVE-2015-6764. In the coming days, Joyent will proactively update this notice confirming actions taken by Joyent, as well as provide specific details on any required actions that will need to be taken by both JPC and SDC customers.

For now, you can visit this Node.js website to obtain additional details. Again, we will update this notice with more information within the next several days, specific to actions that may be required by all JPC and SDC customers. Your attention to this matter is appreciated.

At any time, please do not hesitate to contact our Support team by raising a ticket at https://help.joyent.com or by email to support@joyent.com if you have any questions or concerns.
