We will be carrying out Emergency Maintenance work early tomorrow morning (Wednesday 1st March) within the 1am – 4am maintenance window. This work will affect a large number of customers and is outlined below.
A vulnerability (CVE-2017-6074) has been discovered in the Linux kernel which allows unprivileged local users to execute arbitrary code in kernel mode. Combined with a remote code execution vulnerability, such as a vulnerability in a web application, this could potentially allow a remote attacker to take over the system. More technical details can be found on the Openwall website.
The vulnerability affects all recent versions of CentOS, Debian and Ubuntu.
Fixes are already available for all currently supported releases of these distributions, with the exception of CentOS 5. To update servers for our managed customers, all that is required is a reboot, which we will perform within the 1am – 4am maintenance window. Because this is a kernel update, you are still vulnerable until you have rebooted. We will update CentOS 5 servers as and when a fix is released.
Please note that users of distributions that have reached the end of their support life (CentOS 4 and earlier, Debian 6 and earlier and any Ubuntu releases other than 12.04, 14.04, 16.04 and 16.10) are highly likely to be affected, but will not receive any security updates. We strongly recommend that users of such distributions upgrade as a matter of urgency.
If you are a self-managed or standard support customer and are unsure whether this vulnerability affects you, please raise a support ticket or call the team and a member of the support team will advise immediately. If a patch is required and you are not comfortable patching the server yourself, we can do this for you as a chargeable one-off special request.
The CWCS Support Team
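
For self-managed servers, the point that a kernel update only takes effect after a reboot can be checked as follows. This is an added example, not part of the CWCS notice: it assumes GNU `sort -V`, and that each installed kernel has a directory under `/lib/modules` named after its release; the function names and sample release strings are constructed for illustration.

```shell
#!/bin/sh
# Report whether the host is still running an older kernel than the newest
# one installed, i.e. whether a reboot is still needed for an update to apply.
# This does not prove the installed kernel contains the fix: install the
# distribution's kernel update with the package manager first.

# Read kernel release strings on stdin, print the highest one.
# Version sort is required: a plain sort ranks "4.4.0-9" above "4.4.0-10".
newest_kernel() {
    sort -V | tail -n 1
}

# List installed kernel releases (assumption: one directory per release
# under /lib/modules, or under the directory given as $1).
installed_kernels() {
    ls -1 "${1:-/lib/modules}" 2>/dev/null
}

# reboot_pending RUNNING INSTALLED
#   RUNNING   - release string of the running kernel (uname -r)
#   INSTALLED - newline-separated list of installed releases
# Prints "yes" if a newer kernel than RUNNING is installed, otherwise "no".
reboot_pending() {
    running=$1
    newest=$(printf '%s\n%s\n' "$running" "$2" | newest_kernel)
    if [ "$running" = "$newest" ]; then
        echo no
    else
        echo yes
    fi
}

# Check the current host. In a container without /lib/modules the list is
# empty and the answer is "no", which says nothing about the host kernel.
echo "running kernel:  $(uname -r)"
echo "reboot pending:  $(reboot_pending "$(uname -r)" "$(installed_kernels || true)")"
```
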