Monday 3rd April 2017

EMERGENCY MAINTENANCE - Tuesday 4th April 2017, 1am - 4am

We will be carrying out Emergency Maintenance work early tomorrow morning (Tuesday 4th April) within the 1am – 4am maintenance window. This work will affect a large number of customers and is outlined below.

A vulnerability (CVE-2017-7184) has been discovered in the Linux kernel, which allows local users to escalate their privileges if the kernel has unprivileged user namespaces enabled. Combined with a remote code execution vulnerability, such as a vulnerability in a web application, this could potentially allow a remote attacker to take over the system. More technical details can be found on the Openwall website.

The vulnerability affects all recent versions of CentOS, Debian and Ubuntu, but only Ubuntu ships with a default configuration that allows the vulnerability to be exploited.

Fixes are already available for all currently supported releases of Ubuntu. For our managed customers using Ubuntu, we have installed the update for you and you have been sent a reboot request (as this is a kernel update, you are still vulnerable until you have rebooted). For our customers on shared platforms using Ubuntu, we have completed the updates and will perform the server reboots within the 1am – 4am maintenance window. We will update CentOS and Debian servers as and when a fix is released; on these distributions, unprivileged user namespaces are disabled by default.

Please note that users of distributions that have reached the end of their support life (any Ubuntu releases other than 12.04, 14.04, 16.04 and 16.10) are highly likely to be affected, but will not receive any security updates. We strongly recommend that users of such distributions upgrade as a matter of urgency.

If you are a self-managed or standard support customer and are unsure whether this vulnerability affects you, please raise a support ticket or call the team and a member of the support team will advise immediately. If a patch is required and you are not comfortable patching the server yourself, we can do this for you as a chargeable one-off special request.
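
The script below is an added example, not part of the original notice and not CWCS tooling. It reports the two conditions described above: whether unprivileged user namespaces are enabled and whether a reboot has been requested. It assumes the standard sysctl files `kernel/unprivileged_userns_clone` (Debian and Ubuntu kernels) and `user/max_user_namespaces` (kernels 4.9 and later) and the Debian/Ubuntu `/var/run/reboot-required` flag file; the function names are illustrative.

```shell
#!/bin/sh
# Added example: defensive check for the conditions named in the notice.
# Paths are parameters so the functions can be pointed at test fixtures.

# userns_state [PROC_SYS_DIR] -> prints enabled | disabled | unknown
userns_state() {
    sysdir="${1:-/proc/sys}"
    clone="$sysdir/kernel/unprivileged_userns_clone"  # Debian/Ubuntu knob
    max="$sysdir/user/max_user_namespaces"            # kernels 4.9 and later
    # A limit of 0 means no user namespaces can be created at all.
    if [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo disabled; return
    fi
    # Where the Debian/Ubuntu knob exists, 1 permits unprivileged creation.
    if [ -r "$clone" ]; then
        if [ "$(cat "$clone")" = "1" ]; then echo enabled; else echo disabled; fi
        return
    fi
    # Only the limit exists and it is non-zero: treated as enabled.
    if [ -r "$max" ]; then echo enabled; return; fi
    # Neither file is present: this check cannot decide, ask support.
    echo unknown
}

# reboot_pending [FLAG_FILE] -> exit status 0 if a reboot has been requested.
# The flag is set by package updates in general, not only kernel updates.
reboot_pending() {
    [ -e "${1:-/var/run/reboot-required}" ]
}

# assess [PROC_SYS_DIR] [FLAG_FILE] -> one summary line
assess() {
    state=$(userns_state "$1")
    if reboot_pending "$2"; then
        boot=reboot-pending
    else
        boot=no-reboot-flag
    fi
    echo "userns=$state boot=$boot"
}

# Report for the machine this script is run on.
assess
```

A result of `boot=no-reboot-flag` only means no package has requested a reboot; it does not confirm that the running kernel contains the fix.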


The CWCS Support Team