Legacy VMs: new kernels for CVE-2014-3153


#1

We’ve prepared new kernels for the legacy VM platform to prevent the futex privilege escalation bug CVE-2014-3153.

If your current kernel is set to one of Stable-i386.kvm, AppArmor-i386.kvm, Experimental-i386.kvm, Linux3.2-i386.kvm or Linux3.4-i386.kvm then restarting your VM is sufficient to get protection. Otherwise you should change your kernel to one of the above. They currently map to these kernel versions:
Stable-i386.kvm -> linux-2.6.32.62-kvm-i386-20140610
AppArmor-i386.kvm -> linux-2.6.36.4-kvm-i386-20140610
Experimental-i386.kvm -> linux-3.2.60-kvm-i386-20140609
Linux3.2-i386.kvm -> linux-3.2.60-kvm-i386-20140609
Linux3.4-i386.kvm -> linux-3.4.92-kvm-i386-20140609

We are also starting a programme of VM migrations which will also involve a restart (you will have been contacted by email if this affects you soon), so you may wish to wait for that to avoid having two VM restarts.


#2

I’m slightly confused here. One of our legacy VMs which I’ve just checked reports (via uname) that it is running 2.6.32.33-kvm-i386-20111128-dirty, whereas the grub.conf has 2.6.32-71.el6.i686 as its only option.

Does something in the VM system override the kernel choice in grub.conf? If so, where do we configure that to use one of your listed, recommended kernels?


#3

Hi, Pete.

Yes - legacy VMs do use an external kernel and any grub configuration will be ignored. This is largely for historical reasons and it is a restriction that is removed in BigV. You can select a kernel by following these instructions. Unless you have specific requirements, you should probably choose Stable-i386.kvm (which is currently 2.6.32.62, i.e. the latest version of the kernel you are currently running).
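A small audit helper, added here and not part of the thread, that checks the kernel a guest actually reports via uname -r against the fixed builds listed in #1; because grub.conf is ignored on legacy VMs (as #3 explains), the running kernel rather than the grub entry is what needs checking. It assumes uname -r shows the build name without the leading "linux-", as in the string quoted in #2, and that any kvm-i386 build dated before the fixed ones predates the fix.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a legacy-VM kernel
# string, as `uname -r` reports it, against the fixed builds from post #1.
# Assumption: uname -r omits the "linux-" prefix used in the announcement's
# list, matching the 2.6.32.33-kvm-i386-20111128-dirty string quoted in #2.

# Kernel selection name -> build, copied from the announcement.
build_for_selection() {
    case "$1" in
        Stable-i386.kvm)       echo linux-2.6.32.62-kvm-i386-20140610 ;;
        AppArmor-i386.kvm)     echo linux-2.6.36.4-kvm-i386-20140610 ;;
        Experimental-i386.kvm) echo linux-3.2.60-kvm-i386-20140609 ;;
        Linux3.2-i386.kvm)     echo linux-3.2.60-kvm-i386-20140609 ;;
        Linux3.4-i386.kvm)     echo linux-3.4.92-kvm-i386-20140609 ;;
        *)                     echo unknown-selection ;;
    esac
}

# Earliest build date among the fixed kernels above.
FIXED_SINCE=20140609

# classify_kernel RELEASE prints one of:
#   patched   exact match for a fixed build
#   pre-fix   a kvm-i386 build dated before the fixed ones: restart or change kernel
#   unknown   not a recognised legacy-VM kvm-i386 build; check by hand
classify_kernel() {
    for sel in Stable-i386.kvm AppArmor-i386.kvm Experimental-i386.kvm \
               Linux3.2-i386.kvm Linux3.4-i386.kvm; do
        [ "linux-$1" = "$(build_for_selection "$sel")" ] && { echo patched; return 0; }
    done
    rel=${1%-dirty}                     # ignore the "-dirty" marker when reading the date
    case "$rel" in
        *-kvm-i386-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            date=${rel##*-}
            if [ "$date" -lt "$FIXED_SINCE" ]; then echo pre-fix; else echo unknown; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample strings for demonstration, followed by this host's own kernel.
for k in 2.6.32.33-kvm-i386-20111128-dirty 2.6.32.62-kvm-i386-20140610 "$(uname -r)"; do
    printf '%-40s %s\n' "$k" "$(classify_kernel "$k")"
done
```

Run it inside each legacy VM (or feed it a list of uname -r strings collected from a fleet) and act on every "pre-fix" result by restarting or changing the kernel as described in #1.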


#4

Thanks, James. I’ve changed the kernel as per those instructions without a problem and have now added a comment in the grub.conf to remind myself that it is ignored.