Legacy Virtual Machines & CVE-2016-10229



Unlike our cloud servers, our legacy virtual machines boot from kernels which are hosted outside the disk image.

This means that when there is a security issue affecting kernels we have to check and build updates: your machines might have kernels installed upon them, but they are not used for booting.

Recently CVE-2016-10229 hit the news as a security issue which would potentially allow remote attackers to execute arbitrary code upon a host via the transmission of malformed UDP packets. To date no exploit(s) have been posted, so it is hard to know whether this is a theoretical issue or a real one. (It does seem to require that applications be actively listening for messages with the MSG_PEEK flag set.)

We provide four main kernels to suit the needs of different users:

  • Stable (2.6.39.4)
    • This was vulnerable and has been patched and updated.
  • AppArmor (2.6.36.4)
    • This was vulnerable and has been patched and updated.
  • 3.2.83
    • This was not affected, having already been fixed.
  • 3.4.112
    • This was not affected, having already been fixed.

(NOTE: Most users should use Stable-i386.kvm unless they have a particular need for something specifically more recent, in which case the 3.2.x or 3.4.x version should be selected.)

You can check which one you’re using, and change the kernel if you wish, following this documentation on changing your legacy virtual machine kernel.

If you are running either of the two older kernels, the patch should be available to you now and will be applied automatically when you restart your virtual machine.