Background
For those of you who've been reading the tech news there was a linux kernel vulnerability identified last week which goes by the name of Dirty Cow. Essentially the vulnerability revolves around the fact that during a parallel Copy-on-Write operation between to processes, it is possible to exploit a race condition meaning that non-privileged users can gain privileged access to files. Although this vulnerability is currently only exploitable via direct access to the filesystem, it is recommended that all affected systems be galvanised against this exploit by updating to a patched kernel.
The good news is that Cloud 66 will now automatically scan your server and detect if your server is vulnerable to this exploit ...and give you a simple way to update your system!
Detection
If you server is found to be vulnerable - based on a scan of your kernel version - you will receive a notification about the vulnerability. Furthermore, your StackScore will be updated with information about the exploit and how to resolve it.
Resolution
Once your server has been found to be affected by this kernel bug, then to resolve the exploit you can simply perform a deploy-with-options with the apply-security-updates option selected.
WARNING! During the resolution of this kernel bug, your affected servers will need to be rebooted! Please make sure to run this on your Staging stacks first, and to ensure that the timing of your deployment is suitable for your application.
A few minutes after the deployment completes, your servers will be tested again for this vulnerability. If the vulnerability has not been removed, then you might need to manually update your servers kernel (there are some scenarios in which updating your kernel automatically is not possible, specifically with certain clouds). Please see the further reading section below should you require manual update.
As always, if you have any questions, feedback or just want to say hi, don't hesitate to reach out to us support@cloud66.com
Further Reading
- Source: Wikipedia
- Source: Ubuntu
- Source: DigitalOcean
- Source: Linode