Kernel security update: Virtuozzo ReadyKernel patch 71.0 for Virtuozzo 7.0.6 to 7.0.8 HF1 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-02-07

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-006

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6) to 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1) and 3.10.0-862.20.2.vz7.73.24 (Virtuozzo Infrastructure Platform 2.5).

2. Security Fixes

  • [Moderate] A flaw was found in the implementation of userfaultfd. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbs to modify a file and possibly disrupt normal system behaviour. At this time there is an understanding there is no crash or priviledge escalation but the impact of modifications on these filesystems of files in production systems may have adverse affects. (CVE-2018-18397)

3. Bug Fixes

  • /proc/sys/net/core/somaxconn was not available in the containers. (PSBM-91032)

  • ‘perf record -a’ causes segfaults in applications executing vsyscalls. (PSBM-91181)

  • Kernel crash (BUG_ON) ploop_relocblks_ioc(). (PSBM-91361)

  • Debug message ‘IPVS: Creating netns size=… id=…’ could be output many times to the system log when the network namespaces are initialized, making the log less readable. (PSBM-91527)

4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.