Welcome to Joyent Cloud Customer Support

Stay updated with announcements, get answers from the community and share your feature suggestions with us.
You can also submit a request or send us an email at support@joyent.com.

 

Joyent Support

Andrew Hill May 1 Announcements / Incidents & Notifications

Date: 29-April-2016

Incident Start Time (UTC): ~23:00

Description: We are experiencing issues with Manta that may be affecting some users' ability to run jobs and access objects stored in Manta. We will continue to keep you posted.

Incident End Time (UTC): May 1 07:45 UTC 2016

Elizabeth Apr 29 Announcements / Incidents & Notifications

RESOLVED

Date: 29-April-2016

Incident Start Time (UTC): ~18:00

Description: We are experiencing issues with Manta that may be affecting some users' ability to run jobs and access objects stored in Manta. We will continue to keep you posted.

Current Status: 

As of 22:42:52 UTC 29-Apr-2016: This issue is now resolved.

As of 22:20:15 UTC 29-Apr-2016: Engineering and Operations are working on recovering Manta at this time. Thanks, again, for your patience.

As of 20:34 UTC 29-Apr-2016: Engineering and Operations continue to investigate this issue. Your continued patience is appreciated.

As of 18:00 UTC 29-Apr-2016: Engineering and Operations teams are currently investigating.

Incident End Time (UTC): Apr 29 22:42:52 UTC 2016

Sean G. Apr 25 Announcements / Security Advisories

Overview

Introduction:

This notice is to ensure that all Joyent Public Cloud (JPC) customers, all On-Premises operators of Triton (formerly SDC 7) and all Open Source SDC users are aware of vulnerabilities reported to us by research contributors at TippingPoint Zero Day Initiative, and some discovered by our own Engineering team:

    • All necessary fixes have been applied to the Joyent Public Cloud. No JPC user action is required.
    • For users of the other services listed above: Please follow the instructions for addressing these vulnerabilities, at your earliest opportunity. Instructions can be found in the Solutions section below.
    • Most of these vulnerabilities are listed on Zero Day Initiative’s Upcoming Advisories, and you can read more about each of them in the Vulnerabilities section below. The “MAC protection logic vulnerabilities” described below were discovered by Joyent and do not appear on the ZDI site.

Support:

If further questions arise regarding mitigation of these vulnerabilities (after you have followed the instructions below), please contact Joyent Support by submitting a request via the Customer Support portal or by emailing support@joyent.com.

The Joyent Support channel is only available to customers of the Joyent Public Cloud and customers with support contracts for on-premises usage of Triton/SmartDataCenter and Manta. Open Source SDC users are encouraged to direct further questions to: The SmartOS Community Mailing Lists and IRC

 

Solutions

Joyent Public Cloud (JPC) users:

All necessary fixes have been applied to the Joyent Public Cloud. No user action is required.

Triton On-Premises users:

To apply this fix to your on-premises software installation, update your current Platform Image (PI) to the next available release, 20160414-20160420T005724Z, via the sdcadm command on the support channel.

Docker users should also update to this agent image: 1.0.0-master-20160418T231745Z-g3fd5a

If more detailed update instructions are needed, please submit a request via the Customer Support portal or email support@joyent.com.

Open Source SDC users:

Upgrade to this SDC Platform Image release: 20160414-20160420T005724Z.

Docker users should also update to this agent image: 1.0.0-master-20160418T231745Z-g3fd5adf.

Direct any further questions to: The SmartOS Community Mailing Lists and IRC

 

Vulnerabilities

ZDI-CAN-3701 Docker vulnerabilities:

Details

Affected: The issue exists in the core SmartOS platform and CN agents. The following users are affected:

    • Joyent customers with on-premises Triton Elastic Infrastructure using Docker containers
    • Users of Docker containers on Joyent Public Cloud (the fixes have already been applied cloud-wide)
    • Users of Docker containers with Open Source SDC

Severity: High

Impact/Resolution

The vulnerabilities potentially allow malicious attempts to obtain access beyond the user zones.

Fixes have been made at the platform level to incorporate more appropriate dataset settings for Docker zones.

ZDI-CAN-3531/3532/3533 DTrace vulnerabilities:

Details

Affected: The issue exists in the core SmartOS platform, for users who are running on a Platform Image version prior to 20160204. For such users, the following are affected:

    • Joyent customers with on-premises Triton Elastic Infrastructure
    • All users of SmartOS, including Joyent Public Cloud customers (the fix has already been applied Cloud-wide)
    • Users of Open Source SDC

Severity: High

Impact/Resolution

Attackers can potentially exploit DTrace for information leaks into a non-global zone, or for escalation from the non-global zone into the global zone.

DTrace has been hardened to prevent such malicious attempts.

MAC protection logic vulnerabilities:

Details

Affected: The issue exists in the core SmartOS platform release-20160331-20160330T234300Z and release-20160414-20160414T011323Z. The following users are affected:

    • Joyent customers with on-premises Triton Elastic Infrastructure who have applied either of the Platform Images mentioned above
    • All users of SmartOS, including Joyent Public Cloud customers (the fix has already been applied Cloud-wide)
    • Users of Open Source SDC who have applied either of the platform images mentioned above

Severity: High

Impact/Resolution

A recent regression has affected the MAC protection logic. Because of this, network packet information from other zones can leak, and attackers can potentially exploit that leak.

A fix has been made to reinstate the network interface protection.

Elizabeth Mar 4 Announcements / Security Advisories

How To Update Your Services

SmartOS Users:

The new releases referenced in the "Original Notice" section (below) have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:

  • openssl-1.0.1s.tgz (now available in the 2014Q4 pkgsrc repository)
  • openssl-1.0.2g.tgz (now available in the 2015Q4 repository)

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/<nodejs_package>

 

Linux Users:

Please check the notices applicable to the Linux distro that you are using:

Debian: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0702

Centos/Red Hat/Fedora: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0702

Ubuntu: CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0702

Original Notice

This notice is to advise all Joyent Public Cloud (JPC) and Triton (formerly known as SDC) customers of the recently-identified OpenSSL security vulnerabilities CVE-2016-0800, CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, and CVE-2016-0702.

More information and new updates about these vulnerabilities can be reviewed and monitored here.

Both our Triton software and Manta services have been assessed, and it has been determined that they are not impacted by these vulnerabilities. However, we will update this notice to confirm when newer releases of both Node and OpenSSL packages are available in our pkgsrc repositories, to allow users to access the updated release of the affected versions.

At any time, please do not hesitate to contact our Support team (by raising a ticket at https://help.joyent.com or by email to support@joyent.com) if you have any questions or concerns.

Elizabeth Feb 18 Announcements / Security Advisories

How To Update Your Services

SmartOS Users

New releases of the node.js packages have been added to the 2014Q4 and 2015Q4 pkgsrc repositories. The following latest package releases address the vulnerabilities outlined in this notice:

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/<nodejs_package>

 

You can visit the Node.js website for more information about these vulnerabilities, and the specific releases that have been identified as vulnerable.

 

Linux Users

Please check the notices applicable to the Linux distro you are using for the necessary remedial actions:

Debian: CVE-2016-2086 and CVE-2016-2216

Centos/Red Hat/Fedora: CVE-2016-2086 and CVE-2016-2216

Ubuntu: CVE-2016-2086 and CVE-2016-2216

Original Notice

This notice is to advise all Joyent Public Cloud (JPC) and Triton (formerly known as SmartDataCenter, or SDC) customers of the recently-identified Node.js security vulnerabilities CVE-2016-2086 and CVE-2016-2216. In the coming days, Joyent will proactively update this notice confirming actions that we have taken, as well as provide specific details on any required actions to be taken by both JPC and SDC customers.

For now, you can visit this Node.js website to obtain additional details. Again, we will update this notice with more information within the next several days, specific to actions that may be required by all JPC and SDC customers. Your attention to this matter is appreciated.

At any time, please do not hesitate to contact our Support team by raising a ticket at https://help.joyent.com or by email to support@joyent.com, if you have any questions or concerns.