# OpenVZ vuln



## willie (Jun 24, 2014)

Presumably this: https://openvz.org/Download/kernel/rhel6/042stab090.5

I don't know specifics but I saw LowEndSpirit just rebooted all its nodes in order to patch a new vulnerability.  So I thought other OpenVZ users should be aware.


----------



## drmike (Jun 24, 2014)

Thanks for this... OpenVZ users better get to patching, this is an ugly one.

What a day today...


----------



## Francisco (Jun 24, 2014)

Yup.

Already working on that.

I'm going to likely migrate us to ploop soon.

I have other reasons for wanting to go to ploop but this just adds to them.

Francisco


----------



## BlackoutIsHere (Jun 24, 2014)

Our nodes are rebooting to apply the patch.  I really hate it when these happen as it is just a pain for everyone.


----------



## Francisco (Jun 24, 2014)

Aldryic's just pushing the files now and reboots will start rolling in a bit. A mass email is coming up after that.

I'm going back to my LXC research, that's for sure.

Francisco


----------



## Oliver (Jun 24, 2014)

One other host and I have found an issue where iptables rules are probably changed after rebooting into the new kernel. As a result, if you have SSHD running and iptables with default policy DROP, even if you have a rule allowing SSH in on whatever port, you won't have this rule after reboot.

The containers will still start up again but you won't have any SSH access to the node.

Keep this in mind and make sure you have KVM access or whatever else handy!


----------



## Oliver (Jun 24, 2014)

Can some other host who has applied the new kernel and rebooted successfully advise if their iptables rules are all gone or changed in any way?


----------



## blergh (Jun 24, 2014)

Oliver said:


> Can some other host who has applied the new kernel and rebooted successfully advise if their iptables rules are all gone or changed in any way?


No change on our end.


----------



## BlackoutIsHere (Jun 24, 2014)

blergh said:


> No change on our end.


Ditto, haven't heard of any iptables related issues on our servers.


----------



## willie (Jun 24, 2014)

Francisco said:


> Aldryic's just pushing the files now and reboots will start rolling in a bit. A mass email is coming up after that.
> 
> 
> I'm going back to my LXC research, that's for sure.
> ...


Last I knew, LXC doesn't try to isolate containers against deliberate breakout attempts the way OpenVZ does.  It's more intended to run a lot of basically cooperating application instances with separate IP addresses, configurations, etc.  Docker is about the same way and apparently this OpenVZ vulnerability is related to a Docker breakout discovered a few days ago.  One of the Docker guys responded that Docker didn't claim to protect against that sort of exploit.  See:

https://news.ycombinator.com/item?id=7910117


----------



## Nick_A (Jun 24, 2014)

No iptables issues reported yet.


----------



## Oliver (Jun 24, 2014)

OK, not sure if it's iptables-related then. I must have some other issue... Will update again if it's relevant to others.


----------



## KuJoe (Jun 24, 2014)

We're having some issues with one of our nodes but it's not related to the kernel. All of the other nodes are working properly after the kernel update and confirmed iptables is looking good (although we can't unload one iptables module on some nodes but better than having a module you can't enable).


----------



## mtwiscool (Jun 24, 2014)

We had 2 issues:


Iptables nat got disabled so I had to re-enable that.


Grub got reset so it was booting into non-OpenVZ, so I had to change that back.


All on my phone as I was not on the computer when it was released.
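
The two failure modes reported in this thread (Oliver's DROP-policy INPUT chain with no SSH accept rule after the reboot, and mtwiscool's grub default falling back to a non-OpenVZ kernel) can be checked from saved configuration before a node is rebooted. This is an added example and not code from the thread or from OpenVZ; it parses text in `iptables-save` and legacy `grub.conf` format, uses constructed sample input, and assumes the OpenVZ kernel's grub title contains "stab".

```shell
#!/bin/sh
# Pre-reboot sanity checks for an OpenVZ node. Both functions take the
# configuration as text, so they run offline against the constructed samples
# below or against live output, e.g.:
#   ssh_rule_present "$(iptables-save)" 22 || echo "SSH would be locked out"
#   grub_default_is_openvz "$(cat /boot/grub/grub.conf)" || echo "grub default is not OpenVZ"

# Returns 0 if the filter table admits SSH on port $2 (default 22), 1 if the
# INPUT policy is DROP and no ACCEPT rule for that port exists.
ssh_rule_present() {
  rules="$1"; port="${2:-22}"
  policy=$(printf '%s\n' "$rules" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
  [ "$policy" != "DROP" ] && return 0            # ACCEPT policy: nothing to lose
  printf '%s\n' "$rules" | grep -Eq "^-A INPUT .*--dport ${port}( |$).*-j ACCEPT" && return 0
  return 1
}

# Returns 0 if the grub "default=" index selects a title containing "stab"
# (assumed to be the OpenVZ kernel naming), 1 otherwise.
grub_default_is_openvz() {
  conf="$1"
  idx=$(printf '%s\n' "$conf" | sed -n 's/^default=\([0-9]*\).*/\1/p' | head -n1)
  [ -z "$idx" ] && idx=0                           # grub defaults to entry 0
  title=$(printf '%s\n' "$conf" | grep '^title' | sed -n "$((idx + 1))p")
  case "$title" in *stab*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples (not captured from a real node).
SAMPLE_RULES_OK=':INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_RULES_LOCKOUT=':INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_GRUB_OK='default=0
title OpenVZ (2.6.32-042stab090.5)
title CentOS (2.6.32-431.el6.x86_64)'
SAMPLE_GRUB_RESET='default=1
title OpenVZ (2.6.32-042stab090.5)
title CentOS (2.6.32-431.el6.x86_64)'
```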


----------



## TheTalentedMrColo (Jul 1, 2014)

Oliver said:


> One other host and I have found an issue where iptables rules are probably changed after rebooting into the new kernel. As a result if you have SSHD running and iptables with default policy DROP even if you have a rule allowing SSH in on whatever port you won't have this rule after reboot.
> 
> The containers will still start up again but you won't have any SSH access to the node.
> 
> Keep this in mind and make sure you have KVM access or whatever else handy!


Is this in addition to problems people were having with the 4.7 release from April?


----------



## Oliver (Jul 1, 2014)

I think I had some isolated issue unrelated to the actual upgrade. Sorry for the confusion. It occurred on 3 nodes of mine that had been running for a long time where I suspect some other issue just came up after the reboot and I mistakenly linked it to the kernel upgrade...


----------



## BlaZe (Jul 1, 2014)

Done with the patching


----------



## KuJoe (Jul 1, 2014)

BlaZe said:


> Done with the patching


5 days after a critical exploit is released? Shame on you.


----------

