This short post lists the 10 main benefits of KernelCare.
A Linux kernel update is not to be taken lightly—change means risk. Whatever reasons you think you might have, there is really only one that matters. Igor Seletskiy, CEO of CloudLinux, tells you what it is in this blog post.
Linux kernel updates are a fact of life—as dull as taxes and only slightly less inconvenient than death. Newly discovered security vulnerabilities in the Linux kernel seem to appear with monotonous regularity. In most but not all cases, the patches needed to fix them follow swiftly after. There is work involved in installing the latest Linux kernel security patches, and danger if you delay—leave it too long and threat actors might take advantage of the period of vulnerability.
It is Fall in the Northern Hemisphere, and everyone’s out gazing into the clear dark skies when they should be indoors looking after their servers. Why?
Because yet another 10-year-old flaw has been found in the Linux kernel, this time in the create_elf_tables() function: an integer overflow there can allow code to run with root-level privileges.
We’ve just published a Technical White Paper called KernelCare: Live Kernel Patching for Linux. It covers what KernelCare is, how it works and why you need it. We give an overview of setting up custom patch servers, both within and without firewalls, and we show what the patch management GUI looks like. We explain what delayed and sticky patches are, take a quick look at automating patch monitoring (through Nagios, Zabbix or the REST API) and show how to integrate with Rapid7 Nexpose.
It’s a great overview of KernelCare and a good, compact source of reference information. You can get a copy here.
UPDATE as of August 28th: UEK version 4 is now also supported!
If you are running the Unbreakable Enterprise Kernel (UEK), which is included as part of Oracle Linux, you already know that it is optimized for stability and security for enterprise cloud workloads. The UEK includes enhancements that benefit Oracle Database, middleware, applications and hardware. It is thoroughly tested and is recommended for all enterprise deployments. It powers the Oracle Cloud and the Oracle Engineered Systems.
Rebooting your servers hurts your customers and hurts you. It is often done deep in the night to minimize the impact on peak-time services. It forces downtime on you and your business. A server reboot can take 15 minutes or more to complete. It can take even longer for performance to stabilize and for you to confirm all services are running. Rebooting is not something you want to do often. But a reboot is the only way to apply patches for kernel security vulnerabilities.
Now there is KernelCare. It is a nifty solution for automatically updating Linux kernels without rebooting servers.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in the EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
At Interop ITX 2018 in Las Vegas earlier this month, visitors had the chance to stop by the KernelCare booth, meet our team and talk about our rebootless and automated kernel security updates service. They also had a chance to participate in a raffle – every visitor had an option to receive an instant-win scratch card for a chance to win one of 7 totally awesome portable speakers. And in the end, they all earned additional ways to enter into a big giveaway to win Bose QuietComfort 35 (Series I) wireless headphones for trying out KernelCare, or simply engaging with us through our social media channels. And as always, purchasing KernelCare was not required.
The ptrace code that virtualizes access to the debug registers has incorrect error handling, which was discovered by Andy Lutomirski and disclosed today (CVE-2018-1000199). This vulnerability can lead to corruption and DoS. In practice, if an illegal value is written to a debug register such as DR0, the internal state of the kernel’s breakpoint tracking can become corrupt even though the ptrace() call will return -EINVAL.