Important: [Security] Glibc vulnerability

Adam

A privilege escalation vulnerability has been discovered in glibc. This affects Ubuntu and many other distros.

https://lwn.net/ml/oss-security/20231003175031.GA16924@localhost.localdomain/
https://ubuntu.com/security/CVE-2023-4911

Ubuntu and Debian have already released a patch. To apply it on your Enhance server(s):

apt update
apt install libc6
chroot /var/enhance_container_images/jammy
apt update
apt install libc6
exit

If you are running Apache

docker exec -it apache apt update
docker exec -it apache apt install libc6

If you are running Nginx:

docker exec -it nginx apt update
docker exec -it nginx apt install libc6

If you are running OpenLiteSpeed

docker exec -it openlitespeed apt update
docker exec -it openlitespeed apt install libc6

If you are running LiteSpeed

docker exec -it litespeed apt update
docker exec -it litespeed apt install libc6

Finally reboot your system.

MediaServe

Adam Should one also "apt upgrade" and is that needed for the Jammy container, the web server container and others that might need upgraded too?

kyzoeadmin

Thanks for the update.

AdamM

Thx Adam, I really appreciate you letting us know about this.
When I was performing this operation, I noticed that many packages also required updating. I did it.
Why is it like that? Enhance not updating it?

geert

Would be great if it would be done through an Enhance uppdate...

Zoinkies

geert this +1

ss88us

@Adam For NGINX and this command docker exec -it nginx apt install libc6, I keep getting the error:

LD_LIBRARY_PATH contains the traditional /lib directory,
but not the multiarch directory /lib/x86_64-linux-gnu.
It is not safe to upgrade the C library in this situation;
please remove the /lib/directory from LD_LIBRARY_PATH and
try again.

So i bash into docker nginx and run echo $LD_LIBRARY_PATH and that's /lib:/usr/lib:/usr/local/lib

So I run unset LD_LIBRARY_PATH and apt install libc6 again, and it works as expected.

jaysays

I keep getting errors for these three commands.
chroot /var/enhance_container_images/jammy

docker exec -it nginx apt update
docker exec -it nginx apt install libc6

prasad0889

jaysays
I see it as
groups: cannot find name for group ID 999
for the command
chroot /var/enhance_container_images/jammy

@Adam Could you please help us out?

ss88us

prasad0889

This is normal. When you run chroot /var/enhance_container_images/jammy you're already chrooted into it. Continue running the other commands as normal.

prasad0889

ss88us Thanks @ss88us!

Adam

MediaServe

You can but it's not required to mitigate this vulnerability.

Rich

MediaServe I think I did by accident and when it told me there was no boot loader and the only option was to continue I freaked out a little till I realised I'd chroot into an environment with no /boot. 😄

Rich

Also for anyone with /dev/md1 or whatever RAID1, I'd do a # sudo grub-update after anyways, as some upgrade commands insinuated that it wouldn't of updated /boot properly. Running that ensured the latest Kernel bootloader was found after an apt upgrade for all remaining packages which at least made me feel better on hitting # reboot now especially on dedicated servers with no snapshots.

illuzant

Has this been patched in an enhance update or do we still need to run this manually?

Aliysa_Enhance

illuzant We recommend running this manually, the next Enhance release which will include the patch is due for release at the end of October.

sozotech

Dumb question for a newbie just playing around with enhance; these docker image updates need to be done on ever node in the cluster correct? I wasn't sure if the docker container updates are done on the registry node and pushed out to the other nodes or not?

On that note, assuming we grow to a large number of nodes, would it make sense to set apt to do automatic security updates on the host at least?

Adam

sozotech

You are correct this would have needed to be done on all nodes in the cluster.

The web server containers are built from vendor images, we don't distribute them. This was a very new vulnerability and new images had not been released by the vendors - this was an interim workaround.

As for the PHP containers, Enhance will always pull the latest version of system packages for the underlying o/s every time the appcd package is updated. This happens via Ubuntu's package manager.

If you have a lot of servers, if you don't use automation (puppet/ansible/etc) then you could set up Ubuntu "unattended upgrades" to update the kernel + Enhance packages.