jenlepp

Well-Known Member
If you're having a problem with this, I'm sure cPanel wants to know about it. I suggest a ticket be put in and link them to this thread in the ticket.
I removed the patch - the CloudLinux server was formally patched with KSplice, and the older servers were about to be replaced anyway and there's some debate as to whether it affects my kernel on those servers because they've been around a while.

For anyone who needs it, it's:

If you need to remove the mitigation, run the following command as the root
user to restore the default behavior (and remove the above changes to
/etc/rc.local if made):

# echo -1 > /proc/sys/fs/binfmt_misc/32bits
from https://access.redhat.com/kb/docs/DOC-40265

Someone else can have their clients scream at them while they jockey with the temporary patch and cPanel support. I'm going to concentrate on moving those servers to new CL boxes asap.
 


cPanelNick

Administrator
Staff member
Will installing and running ksplice interfere or cause issues with cPanel?

I assume not as you are sort of promoting it; just making sure. :)

Kind Regards,
Tony
ksplice is probably the best option right now for those who need to keep 32bit binaries working.

Side Note: The "promotion" of ksplice is not solicited. They just might be the best option for many at the moment.
 

rligg

Well-Known Member
ksplice is probably the best option right now for those who need to keep 32bit binaries working.

Side Note: The "promotion" of ksplice is not solicited. They just might be the best option for many at the moment.
???

ksplice does not keep 32-bit binaries working. FrontPage and Miva Merchant fail with KSplice.
 

cPanelNick

Administrator
Staff member
???

ksplice does not keep 32-bit binaries working. FrontPage and Miva Merchant fail with KSplice.
If they are not offering an updated package for your platform with 32bit compat working (I cannot confirm this either way, as I have not used it myself. ksplice will need to be contacted for more information) you may just want to wait until your linux vendor puts out an update.
 

Davetha

Member
PartnerNOC
If they are not offering an updated package for your platform with 32bit compat working (I cannot confirm this either way, as I have not used it myself. ksplice will need to be contacted for more information) you may just want to wait until your linux vendor puts out an update.
KSplice has a rebootless compat patch for RHEL5/CentOS5 as of the 18th in the afternoon. They later released an OpenVZ based kernel patch that night.
 

price

Registered
Verified Vendor
Re: Ksplice Question

Well, I attempted to install the Ksplice system but get an error with CENTOS 5.5 x86_64:

error: Failed dependencies:
rpmlib(FileDigests) <= 4.6.0-1 is needed by ksplice-uptrack-release-1-3.noarch
rpmlib(PayloadIsXz) <= 5.2-1 is needed by ksplice-uptrack-release-1-3.noarch
We looked into this (thanks for the email! I think we've already replied to you) and this is the error you get if you try to use the Fedora RPM on CentOS. For a CentOS system, you want this version: http://www.ksplice.com/yum/uptrack/centos/ksplice-uptrack-release.noarch.rpm

As always, we're happy to help at [email protected] with any questions.

Greg Price
Ksplice
 

price

Registered
Verified Vendor
???

ksplice does not keep 32-bit binaries working. FrontPage and Miva Merchant fail with KSplice.
Ksplice should not cause issues with any 32-bit binaries. In particular, this Ksplice update has been installed on many thousands of machines with no observed or reported impact to 32-bit binaries. 32-bit binaries would stop working, however, if you followed the Red Hat mitigation instructions, so I'm guessing that's what's causing the issues that you've observed; perhaps you applied the mitigation and then later installed Ksplice.

You can disable the mitigation by running the following command as root:
Code:
# echo -1 >  /proc/sys/fs/binfmt_misc/32bits
If that doesn't work and you think that this issue is related to Ksplice, please contact us at [email protected] and we will help investigate and correct the issue.

Greg Price
Ksplice
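
A check for whether the binfmt_misc mitigation discussed in this thread is still registered, and whether a boot script will bring it back after removal. This is an added example, not code from any poster, cPanel, Ksplice or Red Hat; the function names and the optional directory and file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether the "32bits" binfmt_misc entry from this thread
# is active. Function names and the optional directory/file arguments are
# illustrative; they let the checks run against a test copy instead of /proc.

BINFMT_DIR=/proc/sys/fs/binfmt_misc

# Prints one of: unmounted | absent | enabled | disabled
mitigation_state() {
    dir="${1:-$BINFMT_DIR}"
    [ -e "$dir/register" ] || { echo unmounted; return 0; }
    [ -f "$dir/32bits" ] || { echo absent; return 0; }
    head -n 1 "$dir/32bits"   # first line of an entry is its status
}

# Succeeds if the entry matches 32-bit ELF headers (\x7fELF\x01), i.e. it is
# the mitigation and not an unrelated handler that happens to share the name.
is_elf32_block() {
    grep -q '^magic 7f454c4601$' "${1:-$BINFMT_DIR}/32bits" 2>/dev/null
}

# Succeeds if an uncommented line in the boot script re-registers the entry.
persists_at_boot() {
    grep -v '^[[:space:]]*#' "${1:-/etc/rc.local}" 2>/dev/null |
        grep -q ':32bits:M:'
}

report() {
    state=$(mitigation_state "$1")
    echo "binfmt_misc 32bits entry: $state"
    if [ "$state" = enabled ] && is_elf32_block "$1"; then
        echo "32-bit ELF binaries are being handed to the stub interpreter."
        echo "To remove (as root): echo -1 > ${1:-$BINFMT_DIR}/32bits"
    fi
    if persists_at_boot "$2"; then
        echo "${2:-/etc/rc.local} re-registers the entry at boot; remove that line too."
    fi
}

report "$@"
```

Run with no arguments it inspects the live system; it only reads state and prints the removal command rather than running it.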
 

GaryT

Well-Known Member
Sounds stupid, but the easiest option is to wait for the vendor update rather than the patch. People with WHM who used the patch have MASSIVE issues; I tested on one box and I could not get MySQL and such to stay online.

I disabled A LOT of PHP functions to tighten some things up till the new kernel comes out. CentOS has released a newer version but I have not tested this yet:

http://dev.centos.org/centos/5/testing/x86_64/RPMS/kernel-2.6.18-194.11.3.el5.CVE_2010_3081.x86_64.rpm

Taken from their testing repository (beta, but no exploits found so far)

Now, to wait it out there is a risk, but you also take a risk by applying patches.
 


Rodney-E2

Member
PartnerNOC
I applied this patch, and ever since then, I have had massive problems with MySQL on the servers with crashing, problems restarting, MySQL errors. You name it, I've seen it.

Does anyone know how to undo this patch? I've been looking, I have my DC's admins looking, and we're all baffled at what we're seeing.
We are having a lot of MySQL issues as well after this is applied.
I have a ticket open to cPanel now and waiting to hear from them.
 

Jonjimar

Member
*** This only affects x86_64 machines. Please ignore this message if you are running a i386/32-bit only machine ***

*** The below is a temporary workaround for the recent local root security hole in the Linux kernel. This workaround will adversely affect some systems. A partial list of these adverse reactions is listed below. Please think carefully, and seek the advice of an expert if you are unsure if you should apply this workaround. As soon as it becomes available and deemed stable for use, you should get an updated kernel from your Linux kernel vendor. ***

This "patch"
Code:
echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register
will break anything that requires 32-bit compatibility mode. cPanel does distribute true 64 bit binaries. *In theory* most things should be fine.


So far we have found that most things work just fine (be sure to apply the attached patch before doing this to avoid problems on the next update):

- it *may* break php when mySQL versions are updated (easyapache should fix this)
- courier and mysql get installed from source instead of binary (patch attached -- apply in /scripts with
Code:
patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt
-- this will be published in the next EDGE)
- frontpage (if you still have it) breaks.
- third party 32bit only apache modules may break.

There are probably some more things that have not been found yet.
I try to do the line
Code:
patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt

and have the next result:

[email protected] [~]# patch -p0 < courierup-mysqlup-32bitdisabled.patch.txt
can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|Index: courierup
|===================================================================
|--- courierup (revision 48943)
|+++ courierup (revision 48944)
--------------------------
File to patch:
[email protected] [~]#

Can someone help me with this?


Jonathan J.
 

sehh

Well-Known Member
It is interesting, how this exploit has been around for 2 years now...

I wonder how much damage it has caused and how many "secure" systems have been compromised.... how many admins out there couldn't figure out how their fully updated systems had been exploited.

At least, the attacker requires some kind of access to execute the exploit, which means closed systems with SSH only access were never affected.

Just some random thoughts...
 

GaryT

Well-Known Member
If I use CentOS 4, what do I have to do?
Upgrade to the latest stable CentOS - I will check shortly; I do know a new version is out with a patched kernel.

It is interesting, how this exploit has been around for 2 years now...

I wonder how much damage it has caused and how many "secure" systems have been compromised.... how many admins out there couldn't figure out how their fully updated systems had been exploited.

At least, the attacker requires some kind of access to execute the exploit, which means closed systems with SSH only access were never affected.

Just some random thoughts...
OVH knew about this a long time back. If you get a dedicated from OVH you will see that 99.9% you will have a custom kernel, and the exploit patch is already in place.

I contacted my DC about this and they said: This is old but now new news! Don't worry, you're already prevented.

So in this case, why has it only just been brought up when most BIG box providers knew this...