Welcome to Joyent Cloud Customer Support

To stay updated with announcements regarding incidents and maintenance, please visit our status page at status.joyent.com.
You can subscribe for automatic notifications when new incidents occur and maintenance is scheduled. In general, maintenance events are ONLY published on the status page.

To submit a support request please login or send us an email at support@joyent.com.

 

Joyent Support

Sean G. Jun 28 Announcements / Security Advisories

How To Update Your Services

SmartOS Users

New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

$ pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/<nodejs_package>

 

You can visit this Node.js page for more information about these vulnerabilities.

 

Triton Cloud Users 

The public cloud has been fixed; customers are advised to update their individual instances with the relevant Node.js packages.

 

Triton Enterprise Users

We will update this notice as soon as the 20160625 and 20160707 releases become available via the support channel, so that software customers can update their installations.

 

Linux Users

Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:

Original Notice

This notice is to advise all Triton Cloud (public cloud) and Triton Enterprise software (formerly SDC) customers of the following recently-identified Node.js security vulnerabilities:

  • CVE-2016-1669: Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution; mitigation will be required.
  • CVE-2014-9748 is Windows-related and does not pertain to any Joyent software or services.

For now, you can visit this Node.js page to obtain additional details. Within the next several days, Joyent will proactively update this notice to confirm actions that we have taken, as well as provide specific details on any required actions to be taken by both Triton Cloud and Triton Enterprise customers to mitigate CVE-2016-1669. Your attention is appreciated.

If you are a Joyent customer and have any questions or concerns, please do not hesitate to contact our Support team by raising a ticket at https://help.joyent.com/home or by emailing support@joyent.com.

Sean G. May 27 Announcements / Current System Status

Overview

This notice is to alert our Joyent Public Cloud and Manta Storage Service customers to our newly enhanced maintenance/incidents notification system:

In making this change, our goal is to provide you (and all of our customers) with even faster, more user-tailored and efficient cloud-wide notifications about planned maintenance and unplanned incidents. This new notification system will allow us to reach that commitment.

Subscribing for Notifications

An important feature of our new notification system is that customers can subscribe to receive email notices of incidents and maintenance activities. In order to subscribe to these timely email alerts, follow these simple steps:

  1. Go to https://status.joyent.com and bookmark the page.
  2. While you are there, take a moment to click the "Subscribe" button in the top right corner, as illustrated below.
  3. You will be emailed a link that will let you easily manage the types of email alerts you wish to receive.

That’s all you need to do! Of course, you will also be able to view maintenance and incident notifications directly at https://status.joyent.com.

[Image: subscribe.png]

Support

Thank you for your time in attending to this notice. If you are a Joyent customer and have any further questions regarding this change, please do not hesitate to submit a request via http://help.joyent.com or by email to support@joyent.com.

Ryan May 26 JoyentCloud Knowledge Articles / Virtual Machines

If you run into the following error when attempting to start services via systemctl in centos-7 or other systemd-based infrastructure containers:

# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

 

Create a directory 

/etc/systemd/system/SERVICENAME.service.d/ 

in this case, for httpd, that would be 

/etc/systemd/system/httpd.service.d

Create a file named override.conf in that directory, i.e.:

/etc/systemd/system/httpd.service.d/override.conf

Edit that file to contain

[Service]
PrivateTmp=no

and run 

systemctl daemon-reload

The service should now start properly.
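
The drop-in procedure above as a script. This is an added example, not part of the original article; the function name and the ROOT prefix argument are assumptions, introduced so it can be exercised against a scratch directory first. PrivateTmp=no makes the unit share the container's /tmp and /var/tmp, so the override is written for one named service at a time.

```shell
#!/bin/sh
# Added example: write the PrivateTmp=no drop-in for one systemd service.
# ROOT is a hypothetical prefix (assumption): "/" on a live container,
# or a scratch directory when testing.

write_privatetmp_override() {
    root=$1
    service=$2

    # Accept plain unit names only, so the value cannot escape the
    # systemd directory (for example "../../etc/cron.d/x").
    case $service in
        ''|*[!A-Za-z0-9_.@-]*|.*)
            echo "invalid service name: $service" >&2
            return 2 ;;
    esac
    service=${service%.service}

    dir="${root%/}/etc/systemd/system/${service}.service.d"
    conf="$dir/override.conf"

    if [ -e "$conf" ]; then
        # Already applied: nothing to do. Otherwise keep the admin's file.
        if grep -qx 'PrivateTmp=no' "$conf"; then
            printf '%s\n' "$conf"
            return 0
        fi
        echo "refusing to overwrite existing $conf" >&2
        return 1
    fi

    mkdir -p "$dir" || return 1
    # Write to a temp file in the same directory, then rename into place.
    tmp="$conf.tmp.$$"
    printf '[Service]\nPrivateTmp=no\n' > "$tmp" &&
        chmod 0644 "$tmp" && mv "$tmp" "$conf" || return 1

    # Reload unit files only when operating on the live root.
    if [ "${root%/}" = "" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl daemon-reload
    fi
    printf '%s\n' "$conf"
}
```

On a live container this would be called as `write_privatetmp_override / httpd`, followed by `systemctl start httpd`.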

Sean G. May 3 Announcements / Security Advisories

Update to Original Notice

(Updates as of 24-May-2016 UTC appear with asterisk*)

(First update appeared 9-May-2016 UTC; Original Notice appears at the bottom of this post)

How To Update Your Services

Joyent Public Cloud (JPC) users and Triton Elastic Infrastructure (formerly SDC 7) software users:

Update to the fixed release of the affected versions, as shown in the table below:

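| CVE | Version(s) Affected | Fixed Release(s) | Where Available |
|---|---|---|---|
| CVE-2016-2108 | OpenSSL 1.0.2 | OpenSSL 1.0.2c | 2015Q1 |
| CVE-2016-2108 | OpenSSL 1.0.1 | OpenSSL 1.0.1o | 2014Q2, 2014Q4 |
| CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 | OpenSSL 1.0.2 | OpenSSL 1.0.2h | 2015Q4, 2016Q1 |
| CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, and CVE-2016-2176 | OpenSSL 1.0.1 | OpenSSL 1.0.1t | 2014Q4 |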

 

 

You can determine whether OpenSSL is installed (as well as the version you have installed) by running: 

$ pkgin ls | grep -i openssl

Customers can re-install OpenSSL with the following commands:

$ pkgin -y up && pkgin -y in openssl

Or, install the version needed (if only available in a different repository), by running:

$ pkg_add pkgsrc_path_to_package


For example, if you need to install OpenSSL version 1.0.2h from the 2016Q1 repository, but you are running on an image that is using a different repository, you can install the 1.0.2h version by running the following (with the caveat that we strongly suggest you first try this on a non-production machine, to ensure you do not run into any dependency issues):

$ pkg_add https://pkgsrc.joyent.com/packages/SmartOS/2016Q1/x86_64/All/openssl-1.0.2h.tgz
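
To turn the version check above into a yes/no answer, the following added example (not Joyent tooling) classifies an installed OpenSSL package against the later fixed releases in the table, 1.0.2h and 1.0.1t, which cover all of the listed CVEs. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an openssl-* package name with the fixed releases
# from the table above (1.0.2h for the 1.0.2 branch, 1.0.1t for 1.0.1).

# classify_openssl PKGNAME  ->  prints "fixed", "update" or "unknown"
classify_openssl() {
    ver=${1#openssl-}
    [ "$ver" != "$1" ] || { echo unknown; return; }   # not an openssl-* name
    ver=${ver%%nb[0-9]*}              # drop a pkgsrc revision suffix (nbN)
    case $ver in
        1.0.2*) branch=1.0.2 fixed=h ;;
        1.0.1*) branch=1.0.1 fixed=t ;;
        *)      echo unknown; return ;;   # branch not covered by the table
    esac
    letter=${ver#"$branch"}           # "" for a bare 1.0.2, "g" for 1.0.2g
    case $letter in
        *[!a-z]*) echo unknown; return ;;
    esac
    # OpenSSL patch letters order as plain strings in the C locale.
    lowest=$(printf '%s\n%s\n' "$letter" "$fixed" | LC_ALL=C sort | head -n 1)
    if [ "$letter" != "$fixed" ] && [ "$lowest" = "$letter" ]; then
        echo update
    else
        echo fixed
    fi
}

# report: read `pkgin ls` style lines on stdin, print one verdict per package
report() {
    while read -r pkg _desc; do
        case $pkg in
            openssl-[0-9]*)
                printf '%s %s\n' "$pkg" "$(classify_openssl "$pkg")" ;;
        esac
    done
}

# Constructed sample lines in `pkgin ls` layout (not captured from a host).
sample='openssl-1.0.2g Secure Socket Layer and cryptographic library
openssl-1.0.1tnb1 Secure Socket Layer and cryptographic library'
printf '%s\n' "$sample" | report
```

On a SmartOS instance the same check runs as `pkgin ls | report`.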

 

Triton Elastic Infrastructure (formerly SDC 7) software users*

The following Triton components have been fixed and are now available from the support channel:

  • sdcadm (upgrade to most recently published 1.11.1 version)
  • adminui (upgrade to release-20160512-20160512T165733Z-g63d9d37)
  • docker (upgrade to release-20160512-20160512T164735Z-gabdb1f1)
  • imgapi (upgrade to release-20160512-20160512T164432Z-g318b58e)
  • gz-tools (upgrade to most recently published 3.0.0 version)
  • Users should also update their boot platform to release-20160428-20160504T174400Z, or newer

For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing support@joyent.com.

 

Joyent Manta, CloudAPI and Portal:

Please be assured that any Joyent components identified as being affected will be updated. 

 

Linux Users:

Please check the notices applicable to the Linux distro that you are using:

 

Node.js users:

As described in the 6-May-2016 Node.js update found here, the following releases have been made available to include the OpenSSL security updates:

Please upgrade your Node.js installation as soon as possible.

 

Open Source SDC users:

Update boot platform image to: release-20160428-20160504T174400Z

Update adminui, docker, and imgapi to the 20150512* releases.*

Direct any further questions to: The SmartOS Community Mailing Lists and IRC 

Original Notice

(Posted 3-May-2016 UTC)

This notice is to provide preliminary advice to all Joyent Public Cloud (JPC) customers and all Triton Elastic Infrastructure (formerly SDC 7) software customers of the recently-identified, high-severity OpenSSL security vulnerabilities CVE-2016-2108 and CVE-2016-2107, as well as four low-severity CVEs. Further information regarding these vulnerabilities is available here.

As soon as we can, we will update this notice to confirm the actions taken by Joyent, and to provide specific details of any required actions -- such as pkgsrc and software updates -- that will need to be taken by both JPC and Triton/SDC customers.

Node users are advised to watch for updates here; any new Node.js releases impacting software will be included in the above-mentioned Joyent pkgsrc and software updates.

At any time, please do not hesitate to contact our Support team (by raising a ticket at the Customer Support portal or by email to support@joyent.com) if any questions or concerns come up.

Sean G. Apr 25 Announcements / Security Advisories

Overview

Introduction:

This notice is to ensure that all Joyent Public Cloud (JPC) customers, all On-Premises operators of Triton (formerly SDC 7) and all Open Source SDC users are aware of vulnerabilities reported to us by research contributors at Trend Micro's Zero Day Initiative, and some discovered by our own Engineering team:

    • All necessary fixes have been applied to the Joyent Public Cloud. No JPC user action is required.
    • For users of the other services listed above: Please follow the instructions for addressing these vulnerabilities, at your earliest opportunity. Instructions can be found in the Solutions section below.
    • Most of these vulnerabilities are listed on Zero Day Initiative’s Upcoming Advisories, and you can read more about each of them in the Vulnerabilities section below. The “MAC protection logic vulnerabilities” described below were discovered by Joyent and do not appear on the ZDI site.

Support:

If further questions arise regarding mitigation of these vulnerabilities (after you have followed the instructions below), please contact Joyent Support by submitting a request via the Customer Support portal or by emailing support@joyent.com.

The Joyent Support channel is only available to customers of the Joyent Public Cloud and customers with support contracts for on-premises usage of Triton/SmartDataCenter and Manta. Open Source SDC users are encouraged to direct further questions to: The SmartOS Community Mailing Lists and IRC

 

Solutions

Joyent Public Cloud (JPC) users:

All necessary fixes have been applied to the Joyent Public Cloud. No user action is required.

Triton On-Premises users:

The method for applying this fix to your on-premises software installation will be to update your current Platform Image (PI) to the next available release, 20160428-20160504T174400Z* or later, via the sdcadm command on the support channel.

Docker users should also update to this agent image: 1.0.0-master-20160418T231745Z-g3fd5a

If more detailed update instructions are needed, please submit a request via the Customer Support portal or email support@joyent.com.

Open Source SDC users:

Upgrade to this SDC Platform Image release: 20160428-20160504T174400Z*.

Docker users should also update to this agent image: 1.0.0-master-20160418T231745Z-g3fd5adf.

Direct any further questions to: The SmartOS Community Mailing Lists and IRC

*Note: A previous version of this release announcement specified PI 20160414-20160420T005724Z; this new release 20160428-20160504T174400Z contains an important bug fix that was not contained in 20160414-20160420T005724Z.

 

Vulnerabilities

ZDI-CAN-3701 Docker vulnerabilities:

Details

Affected: The issue exists in the core SmartOS platform and CN agents. The following users are affected:

    • Joyent customers with on-premises Triton Elastic Infrastructure using docker containers
    • Users of Docker containers on Joyent Public Cloud (the fixes have already been applied cloud-wide)
    • Users of Docker containers with Open Source SDC

Severity: High

Impact/Resolution

The vulnerabilities potentially allow malicious attempts to obtain access beyond the user zones.

Fixes have been made at the platform level to incorporate more appropriate dataset settings for Docker zones.

ZDI-CAN-3531/3532/3533 DTrace vulnerabilities:

Details

Affected: The issue exists in the core SmartOS platform, for users who are running on a Platform Image version prior to 20160204. For such users, the following are affected:

    • Joyent customers with on-premises Triton Elastic Infrastructure
    • All users of SmartOS, including Joyent Public Cloud customers (the fix has already been applied Cloud-wide)
    • Users of Open Source SDC

Severity: High

Impact/Resolution

Attackers can potentially exploit DTrace for information leaks into a non-global zone, or escalation from the non-global zone into the global.

DTrace has been hardened to prevent such malicious attempts.

 

ZDI-CAN-3688/3689/3690 DTrace vulnerabilities:

Details

Affected: The issue exists in the core SmartOS platform, for users who are running on a Platform Image version prior to 20160526.

Severity: High

Impact/Resolution

Attackers can potentially combine multiple DTrace exploits to list processes outside of a zone, and dump the memory from these processes or break out of zones and escalate privileges in the global zone. DTrace has been hardened to prevent the above vulnerabilities. The fixes are available in PI version 20160526 and above.

MAC protection logic vulnerabilities:

Details

Affected: The issue exists in the core SmartOS platform release-20160331-20160330T234300Z and release-20160414-20160414T011323Z. The following users are affected:

    • Joyent customers with on-premises Triton Elastic Infrastructure who have applied either of the Platform Images mentioned above
    • All users of SmartOS, including Joyent Public Cloud customers (the fix has already been applied Cloud-wide)
    • Users of Open Source SDC who have applied either of the platform images mentioned above

Severity: High

Impact/Resolution

A recent regression has affected the MAC protection logic. Because of this, attackers can potentially exploit the leak of network packet information from other zones.

A fix has been made to reinstate the network interface protection.

 
