Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

KernelCare's Free Patch Set

Discussion in 'EasyApache' started by Nirjonadda, Jun 6, 2018.

  1. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    604
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    KernelCare's Free Patch Set no more working.

     

    Attached Files:

    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Nirjonadda

    Can you please run the following via SSH on your server?


    Code:
    kcarectl --patch-info
    
    Code:
    uname -r
    And let me know the output
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Nirjonadda likes this.
  3. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    604
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    This is output.

    Code:
    [root@nr ~]# kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-862.3.2.el7
    time: 2018-05-28 18:44:24
    
    
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url:
    
    uname: 3.10.0-862.3.2.el7
    
    [root@nr ~]# uname -r
    3.10.0-862.3.2.el7.x86_64
    [root@nr ~]#
    
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Nirjonadda

    It doesn't look like you have the patch installed. The patch should provide output like the following:

    Code:
    [root@server mailboxes]# kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-862.2.3.el7
    time: 2018-05-28 18:44:24
    
    
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.patch
    kpatch-description: symlink protection
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
    kpatch-description: symlink protection (kpatch adaptation)
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
    
    The output you have is indicating a different patch
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Nirjonadda likes this.
  5. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    604
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Yes I have installed from Security Advisor but Its no more working after new kernel version update.

    Also why Security Advisor not showing patch install?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Nirjonadda

    I'm unsure as to why the patch is no longer installed. But it's not just showing that in security advisor, it's also not present on the server according to KernelCare as well.

    Can you run the following to enable to symlink protection manually:
    Code:
    kcarectl --set-patch-type free --update
    Then to ensure that it's set to have the patch:

    Code:
    kcarectl -i
    It should output something like:
    Code:
    # kcarectl -i
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-862.2.3.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Wed May 9 18:05:47 UTC 2018
    kpatch-build-time: Mon May 21 09:16:44 2018
    kpatch-description: 2-free;
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Nirjonadda likes this.
  7. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    604
    Likes Received:
    15
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    KernelCare's Free Patch already installed?

    Code:
    [root@nr ~]# kcarectl --set-patch-type free --update
    'free' patch type selected
    Downloading updates
    Patch Level 2 applied, effective kernel version
    Updates already downloaded
    Kernel is safe
    [root@nr ~]#
    This output.

    Code:
    [root@nr ~]# kcarectl -i
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-862.3.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Mon May 21 23:36:36 UTC 2018
    kpatch-build-time: Wed May 23 18:36:35 2018
    kpatch-description: 2-free;
    
    [root@nr ~]#
    Code:
    [root@nr ~]# kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-862.3.2.el7
    time: 2018-05-28 18:44:24
    
    
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.patch
    kpatch-description: symlink protection
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
    
    kpatch-name: 3.10.0/symlink-protection-ge-862.kpatch-1.patch
    kpatch-description: symlink protection (kpatch adaptation)
    kpatch-kernel: kernel-3.10.0-514.el7
    kpatch-cve: N/A
    kpatch-cvss: N/A
    kpatch-cve-url: N/A
    kpatch-patch-url: https://gerrit.cloudlinux.com/#/admin/projects/lve-kernel-el7
    
    [root@nr ~]#
    So why KernelCare's Free Patch Set no more working after new kernel version update?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Nirjonadda

    It looks like somehow the patch was removed in your case, I can't tell you specifically how it was removed, but it was definitely not present on the server. We can see now though that it's been readded.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Nirjonadda likes this.
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice