Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Symlink Race Condition Protection

Discussion in 'Security' started by Skin, Jan 9, 2018.

  1. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    93
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Italy
    In easy Easy Apache 4 docs I can see that there is a free KernelCare patch to address Symlink Race Condition :
    Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

    In WHM's Security Advisor interface (WHM >> Home >> Security >> Security Advisor I don`t see any options, there is only a message like this one:
    Can you please help or point me to some docs?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    93
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Italy
    Thanks, I`ve just tried with no luck:
    Code:
    root@host [~]# curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash
    Il pacchetto curl-7.29.0-42.el7_4.1.x86_64 è già installato e aggiornato all'ultima versione
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 79812  100 79812    0     0   359k      0 --:--:-- --:--:-- --:--:--  360k
    Plugin abilitati:fastestmirror, priorities, tsflags, universal-hooks
    Analisi di kernelcare-latest-7.rpm: kernelcare-2.14-2.x86_64
    kernelcare-latest-7.rpm: non aggiorna il pacchetto installato.
    Niente da fare
    root@host [~]# kcarectl --set-patch-type free --update
    Unknown Kernel (CentOS Linux 3.10.0-693.11.6.el7.x86_64)
    root@host [~]#
    
    
     
    #3 Skin, Jan 9, 2018
    Last edited by a moderator: Jan 9, 2018
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Skin,

    Please post the output from the following commands:

    Code:
    cat /etc/redhat-release
    uname -a
    rpm -qa|grep kernel
    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,659
    Likes Received:
    76
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    I don't think Kernelcare has been rebased to the updated CentOS/RHEL kernels (that address the Meltdown issue) and so any server that's running an updated kernel to guard against Meltdown, is not being guarded with the Kernelcare Symlink patch.

    Kernelcare probably just needs to abandon their efforts to live patch this Meltdown issue and move their development on to other issues. That's my opinion.
     
    quizknows likes this.
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    You can find the latest updates from CloudLinux on this topic at their blog:

    Intel CPU Bug - Meltdown and Spectre - KernelCare and CloudLinux

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    93
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Italy
    Hello,
    here is the output:

    Thanks
     
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    I hate to say it but I'm with you on that one.
     
  9. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    93
    Likes Received:
    4
    Trophy Points:
    158
    Location:
    Italy
    Hello, I`m still unable to get the Symlink Protection Patch, should I enable the BlueHost Patch?
     
  10. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    The Bluehost patch is OK last-minute mitigation. There are ways around it (which have been reported, but nobody is going to fix that patch), but the good news is most hackers don't know the way around it.

    So it's not fool proof but much better than nothing.
     
  11. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    29
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    @Skin, I was unable to replicate this on a CentOS7 server with the same kernel version. You may want to reach out to CL directly about this. The BlueHost patch should suffice for the time being.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice