The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPKernel Updates

Discussion in 'Security' started by yatesf, Nov 20, 2016.

Tags:
  1. yatesf

    yatesf Member

    Joined:
    Sep 28, 2013
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    As of today, with the newest kernel from Redhat/CentOS, the "cPanel maintained" kernel is currently out of date. FYI.
     
    #1 yatesf, Nov 20, 2016
    Last edited by a moderator: Nov 20, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @yatesf,

    Could you let us know which specific CentOS version you are using and the specific kernel update you are referring to in this particular case?

    Keep in mind the cPanel-provided kernel is only available for CentOS 6 64-bit systems at this time.

    Thank you.
     
  3. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    66
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    I downloaded the cpanel kernel 10 days ago but yesterday my system got reverted back to the stock kernel after an update. what caused this? I also read yesterday a post by someone at the current thread (which got removed I suppose because I can no longer see it) that the cpanel kernel is out of date? Please advise what to do.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @EneTar,

    Please post the output from the following commands so we can get a better idea about your system's environment:

    Code:
    cat /etc/redhat-release
    uname -r
    rpm -qa|grep kernel
    cat /var/cpanel/envtype
    Thank you.
     
  5. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    66
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Hi Michael here is my info

    Code:
    [~]# cat /etc/redhat-release
    CentOS release 6.8 (Final)
    [~]# uname -r
    2.6.32-642.11.1.el6.x86_64
    [~]# rpm -qa|grep kernel
    kernel-devel-2.6.32-642.4.2.el6.x86_64
    kernel-devel-2.6.32-642.6.2.el6.x86_64
    dracut-kernel-004-409.el6_8.2.noarch
    kernel-headers-2.6.32-642.11.1.el6.x86_64
    kernel-devel-2.6.32-642.6.1.el6.x86_64
    kernel-firmware-2.6.32-642.11.1.el6.noarch
    kernel-2.6.32-642.6.199.2.cpanel6.x86_64
    kernel-2.6.32-642.6.2.el6.x86_64
    kernel-2.6.32-642.6.1.el6.x86_64
    kernel-2.6.32-642.11.1.el6.x86_64
    kernel-devel-2.6.32-642.6.199.2.cpanel6.x86_64
    kernel-devel-2.6.32-642.11.1.el6.x86_64
    kernel-2.6.32-642.4.2.el6.x86_64
    [~]# cat /var/cpanel/envtype
    
    kvm
    
    
    [~]# yum repolist
    Loaded plugins: fastestmirror, tsflags, universal-hooks
    Loading mirror speeds from cached hostfile
    * EA4: 204.10.37.146
    * base: mirror.spro.net
    * extras: mirrors.sonic.net
    * updates: centos.mirrors.tds.net
    repo id            repo name                                          status
    EA4                EA4 ( EasyApache 4 )                                   20,487
    MariaDB101         MariaDB101                                                 17
    base               CentOS-6 - Base                                      6,634+62
    cPkernel           cPanel Kernel                                              65
    epel               Extra Packages for Enterprise Linux 6 - x86_64     11,380+746
    extras             CentOS-6 - Extras                                          62
    hgdedi             HG Monitoring Repo                                        155
    ksplice-uptrack    Ksplice Uptrack for CentOS                                 14
    nginx              nginx repo                                                129
    ul                 UL                                                         60
    ul_hostgator       UL_HostGator                                                8
    updates            CentOS-6 - Updates                                     622+48
    repolist: 39,633
    
    Please let me know if you anything that shouldn't be in there
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,432
    Likes Received:
    30
    Trophy Points:
    178
    cPanel Access Level:
    Root Administrator
    I think what the OP is saying is that CentOS released a 2.6.32-642.11.1.el6 kernel on November 19th and cPanel hasn't yet updated their cPKernel.

    5 days later, cPanel still hasn't released an updated cPKernel to match this 2.6.32-642.11.1.el6 kernel. Or at least that I am aware of. The latest cPKernel kernel is 2.6.32-642.6.199.2.cpanel6? Which I am assuming matches the CentOS 2.6.32-642.6.2.el6 kernel?

    I know it's going to take some time for kernel updates to filter down. I don't know if 5 days is that unreasonable (although if this were a Dirty COW situation it might be different) but it certainly is a topic of discussion.

    The way I understand it, cPanel can't update their kernel until CentOS releases their kernel. CentOS can't release their kernel until Redhat releases their kernel. The more levels you have to this, the more delays you have. This is why people that use RHEL will always get a stock kernel update before CentOS users will. CentOS users will always get a stock kernel update before cPanel kernel users.
     
  7. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    66
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    So if understand correctly this means that whenever CentOS releases a new kernel our system will automatically update to use the CentOS kernel because it is newer than the latest of cPanel until cPanel releases a few days later the new one which will replace again that of CentOS.
     
  8. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,432
    Likes Received:
    30
    Trophy Points:
    178
    cPanel Access Level:
    Root Administrator
    You probably want to wait and get someone from cPanel or someone with a bit better understand of yum repository construction involved in this discussion.

    I thought the cPkernel.repo used a cost parameter to weigh it's packages against CentOS packages, but I'm not seeing that. Perhaps that is something that cPanel needs to look into. Adding a parameter (I think this is the cost parameter, but I'm not sure) to the cPkernel.repo to weigh their kernel more than the distribution's kernel.

    I wouldn't recommend doing anything until someone with a bit better understanding of this chimes in. I'm just mentioning this as a potential topic of discussion.
     
  9. yatesf

    yatesf Member

    Joined:
    Sep 28, 2013
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Yes, that is exactly what I was saying. My original post was a reply in a different thread. My reply-post got edited of some relevant information and then made into it's own thread (ie. this one that we're reading now). The missing information from my original reply was a weblink URL that shows dated timestamp information that reflects the difference between the recently released "19 November" CentOS kernel and the outdated "26 October" cPanel maintained kernel below:
    Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64

    This outdated cPanel kernel is the reason I am getting a new Security Advisor Warning about "Kernel symlink ownership attacks", the title of the thread that I originally replied to.

    As an additional FYI to this current thread (since the scope seems to be growing), the procedure to remedy this Security Advisor Warning can be accomplished by the instructions/documentation at this weblink URL below (pending that the cPanel maintained kernel is more recent than the Redhat/CentOS kernel that you updated to):
    How to Harden Your cPanel System's Kernel - cPanel Knowledge Base - cPanel Documentation

    root@ds147 [~]# cat /etc/redhat-release
    CentOS release 6.8 (Final)
    root@ds147 [~]# uname -r
    2.6.32-642.11.1.el6.x86_64
    root@ds147 [~]# rpm -qa|grep kernel
    kernel-firmware-2.6.32-642.11.1.el6.noarch
    dracut-kernel-004-409.el6_8.2.noarch
    kernel-2.6.32-642.6.199.2.cpanel6.x86_64
    kernel-headers-2.6.32-642.11.1.el6.x86_64
    kernel-2.6.32-642.11.1.el6.x86_64
    root@ds147 [~]# cat /var/cpanel/envtype
    standardroot@ds147 [~]#
     
    #9 yatesf, Nov 28, 2016
    Last edited: Nov 28, 2016
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Internal case NO-885 is open to track the progress of the cPanel hardened kernel's update after the most recent update published by CentOS. We'll update this thread once the new kernel it's published and available for download.

    In addition, the issue where the cPanel hardened kernel is replaced when newer stock kernels when made available from CentOS has been reproduced and a resolution is planned in the near future. The internal case number is NO-871. I'll update this thread with more information on the status of this issue as it becomes available.

    Thank you.
     
  11. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    352
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    Thanks Michael. At the risk of making myself unpopular can we get an indication of what has caused the delay in this instance? While it's not a critical update I believe it was classed as important and per this thread is thus on many of our radars per update policy.

    Can I also ask if there is a mailing list for updates to cPkernel? Ideally (at least for me) an email would arrive when the update is ready as it does for stock CentOS via the centos announce list.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    To update, the issue where a newer stock kernel would overwrite the cPanel kernel was resolved and should no longer occur. Additional updates through YUM should update the kernel back to the cPanel-hardened kernel version on any systems that were affected.

    Additionally, the updated kernel was published on November 29th, 2016:

    Index of /cpanelsync/repos/CentOS/6/cPkernel/x86_64/Packages

    Code:
    uname -r
    2.6.32-642.11.199.cpanel6.x86_64
    The build and release process for the cPanel-hardened kernel is not yet fully defined. I don't have a specific time frame to offer on any improvements at this time, but I'll update this thread to note any changes when the information becomes available.

    Thank you.
     
  13. yatesf

    yatesf Member

    Joined:
    Sep 28, 2013
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Just an FYI for the thread. CentOS 6 released another updated kernel today and the last "29 November 2016" cPanel-hardened kernel just now became out of date. This results in the attached error from cPanel Security Advisor.

    error.png

    This error occurs despite the fact that I ran "yum update" to update the kernel. It only updated me to the latest stock CentOS kernel because the hardened cPanel kernel isn't available yet.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @yatesf,

    The updated cPanel hardened kernel was published shortly after your response on 2017-01-13.

    Thank you.
     
Loading...

Share This Page