[Beowulf] Heads up - Stack-Clash local root vulnerability
kilian.cavalotti.work at gmail.com
Wed Jun 21 08:55:36 PDT 2017
Thanks for starting the discussion here.
We're pretty much in the same boat (no changes made yet), as:
1. we're still running some RHEL 6.x based clusters, with x < 9,
meaning no patches for either the kernel or glibc,
2. those kernel+glibc patches seem to just be "mitigations" and don't
solve the underlying problem anyway.
As far as I understand this, the real fix will be to recompile all of
your binaries using a properly working implementation of -fstack-check
in gcc (which doesn't exist yet). So in terms of timeline, that means
GCC needs to be fixed, system applications need to be recompiled,
distributions need to repackage and distribute them, and then all the
userland applications need to be recompiled. It's a multi-year
So we're not really sure how to approach this, as recompiling
everything seems really like the utopian dream of somebody who never
managed any shared system. Plus, as you mentioned, even the
mitigations are not innocuous, and may change applications' behavior.
That sounds like a big bowl of mess right now.
Oh, and containers...