Important kernel security update: Virtuozzo ReadyKernel patch 72.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5¶
Issue date: 2019-02-12
Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5
Virtuozzo Advisory ID: VZA-2019-008
1. Overview¶
The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5.
2. Security Fixes¶
[Important] It was discovered that a malicious user logged in to a Virtuozzo container could potentially overwrite the ‘vzctl’ binary on the host. The attacker could replace executables in that container with symlinks to ‘/proc/self/exe’. After that, ‘vzctl exec’ called from the host to run one of such executables would try to run the host’s ‘vzctl’ there instead. If the attacker managed to intercept that, they would be able to change the contents of the host’s ‘vzctl’ binary. The issue is similar to CVE-2019-5736, but affects ‘vzctl’ rather than ‘runc’. (PSBM-91042)
3. Installing the Update¶
Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.
4. References¶
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-72.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-72.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-72.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-72.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-72.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-72.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-72.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-72.0-1.vl7/
The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-008.json.