[Beowulf] Heads up - Stack-Clash local root vulnerability
Christopher Samuel
samuel at unimelb.edu.au
Wed Jun 21 16:57:21 PDT 2017
On 22/06/17 01:55, Kilian Cavalotti wrote:
> Thanks for starting the discussion here.
Pleasure!
> We're pretty much in the same boat (no changes made yet), as:
> 1. we're still running some RHEL 6.x based clusters, with x < 9,
> meaning no patches for either the kernel or glibc,
Ah yes, that's an interesting situation. We're on RHEL 6.9 for our
systems currently and I plan to upgrade a test cluster and see if
anything I know how to run breaks.
> 2. those kernel+glibc patches seem to just be "mitigations" and don't
> solve the underlying problem anyway
> (cf. https://access.redhat.com/security/vulnerabilities/stackguard#magicdomid15)
Unfortunately I think you have to rely on those mitigations as an
attacker with local access could just bring on a statically linked
executable and you're hosed.
> Oh, and containers...
Yes, a double-edged sword, lots more vulnerable software that will never
get an update.. :-/
cheers,
Chris
--
Christopher Samuel Senior Systems Administrator
Melbourne Bioinformatics - The University of Melbourne
Email: samuel at unimelb.edu.au Phone: +61 (0)3 903 55545