Live Patching – Recent Security Updates
This is the first post in a blog series on “rebootless” Linux kernel live patching, as delivered by SUSE Linux Enterprise Live Patching. And before I get a chance to hook you, you are probably about to hit your browser's back button, because (history has taught you) a boring product pitch is about to commence.
Well, not with this series – at least that's our intention. And if at any point you feel this series is turning into a boring product pitch, let us know through the comment function.
First of all, here’s some stuff you might find interesting about security and vulnerabilities in the Open Source context:
An interesting compilation of security studies: “Linux & Open Source Vulnerabilities in 2017”
Another interesting piece is this compilation of security statistics, which admittedly is still from 2015, but interesting nevertheless:
The above blog states that in 2015 a total of 77 security sensitive bugs were found in the Linux Kernel.
While not all of those 77 are critical by default, we can safely assume that almost one third (let's say ~24) of them push the security team to issue a request to IT to get them fixed. Such requests usually result in a server reboot in order to get the fix applied. Even assuming that you always apply three fixes at the same time, that is still 8 reboots. And the main issue here is not those 8 reboots, but the intense testing of each new kernel in your staging area beforehand (perhaps just because you have some exotic controller installed in your hardware). With 8 new Linux kernels per year you can easily keep one dedicated IT person busy with testing alone.
To make it worse, sometimes those vulnerabilities get public exposure, like Dirty Cow did. Once that happens it's only a matter of time until the CEO calls IT and asks: “are we affected?” And usually the answer is “yes, and it takes a while to reboot all those servers”.
This is where Live Patching comes to the rescue – it allows you to fix Linux kernel bugs without the need to reboot.
Here are the key security issues that were fixed with the latest update, released today:
The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.
SUSE Bug 1028883
(https://bugzilla.suse.com/show_bug.cgi?id=1028883 [potentially restricted access])
One of those nasty bugs that affect stability and for which we also issue a live patch, because it involves a crash and probable memory corruption when mdadm tests are invoked.