Kernel does not support the prevention of symlink ownership attacks.

[PCZero]

Michael if you read this, the issue in SOLVED - Kernel does not support the prevention of symlink ownership attacks came back after I ran yum update tonight when being advised of a kernel update...

Will I see this after EVERY yum update? How do I resolve it. Yes I ran Yum Update and have the latest kernel, and Yes I rebooted the server.

 

[PCZero]

BTW here are the results of the commands requested in the earlier thread...



root@myhost [~]# uname -r
2.6.32-696.el6.x86_64

root@myhost [~]# rpm -qa|grep kernel
abrt-addon-kerneloops-2.0.8-43.el6.centos.x86_64
kernel-headers-2.6.32-696.el6.x86_64
libreport-plugin-kerneloops-2.0.9-33.el6.centos.x86_64
dracut-kernel-004-409.el6_8.2.noarch
kernel-2.6.32-696.el6.x86_64
kernel-2.6.32-642.15.1.199.cpanel6.x86_64
kernel-firmware-2.6.32-696.el6.noarch

root@myhost [~]#

 

[cPanelMichael]

Hello,

To clarify, were you using the cPanel hardened kernel? If so, it's by design that it's replaced with newer stock kernels as this ensures critical CVEs are addressed. It will update back to the cPanel hardened kernel once we've published the updated version. We're looking into replacing the cPanel hardened kernel with a different kernel solution that will avoid this issue, but there's no additional information to report on that at this time.

Thank you.

 

[PCZero]

Yes under the previous issue/fix the cpanel hardened kernel resolved the issue. So now I am at risk until a new resolution is reacehed is what you are telling me?

 

[cPanelMichael]

Hello,

Your kernel is patched with the updates from the stock kernel, however you do lose the symlink kernel patch in the meantime. You could implement an alternative solution from the list offered at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

Thank you.