
legacy ksplice protection

 

Many years ago, Linux became the most used operating system for high-powered web servers, and for good reasons: it’s secure, it’s robust, and it’s powerful. As Linux has progressed over the years, webmasters and server administrators have become complacent while hackers have become increasingly busy. The Linux kernel has received contributions from thousands of programmers over the years, and from time to time a hacker finds a vulnerability that can be exploited to trick the kernel into granting an unauthorized privilege escalation, ultimately compromising the machine. Recently, the exploit most widely used by hackers was CVE-2010-3301, which is estimated to have been used against more than 3,000,000 servers worldwide.
Several days after the discovery of this vulnerability and the proof-of-concept release of a working exploit, Linux distribution vendors like Red Hat/RHEL, Debian, Ubuntu and others were scrambling to fix the vulnerability and release a patched kernel. The period between discovery and the actual release of a patch was excruciating for server administrators, hosting providers, and the Linux community in general. Hackers were having the time of their lives underground. They were glued to their terminals, sacrificing sleep and not seeing daylight for days. Why? Because the only Linux servers on the planet that weren’t at their mercy were those protected by a technology called “Ksplice”.
Ksplice is an extension of the Linux kernel which allows system administrators to apply security patches to a running kernel without having to reboot the operating system. Ksplice takes as input a unified diff and the original kernel source code, and it updates the running kernel in memory. Within hours of the discovery and release of the exploit, Ksplice had released a hot fix that rendered the exploit useless. This quickly proved to be invaluable, and those of us who had this technology were the only Linux administrators in the world to get any sleep over the following week. This incredible technology also caught the attention of a company called Oracle, and on July 21, 2011, Oracle announced that it had acquired Ksplice.
Oracle also has interests in its own brand of Linux, an up-and-coming distribution that it decided will be the only one to have Ksplice technology. That’s great for Oracle, but not for the rest of the Linux community, who already have a preferred Linux version and have built dependencies around it.
And that’s where we come in. Unhackable Security’s parent company KIRE, LLC is authorized to purchase an unlimited number of Ksplice licenses under a legacy agreement established prior to the acquisition. This gives us the unique ability to offer our clients Ksplice protection for ALL of your servers that run any of the following Linux versions:

Red Hat and CentOS

  • All CentOS and RHEL 6 kernels starting with the official release
  • All CentOS and RHEL 5 non-Xen kernels starting with 2.6.18-92.1.22.el5
  • All CentOS and RHEL 5 Xen kernels starting with 2.6.18-128.1.14.el5xen
  • All CentOSPlus 5 non-Xen kernels starting with 2.6.18-92.1.22.el5.centos.plus
  • All CentOSPlus 5 Xen kernels starting with 2.6.18-128.1.14.el5.centos.plusxen
  • All CentOS and RHEL 4 non-Xen kernels starting with 2.6.9-67.EL
  • All CentOSPlus 4 “plus.c4” and “plus.c4smp” kernels starting with 2.6.9-78.0.8.EL

Virtuozzo and OpenVZ

  • All OpenVZ EL6 kernels starting with the official release
  • All OpenVZ EL5 non-Xen kernels starting with stab059.6 (released Nov. 14, 2008)
  • All OpenVZ EL5 Xen kernels starting with stab064.4 (released Aug. 9, 2009)
  • All Virtuozzo 4.7 “i686”, “x86_64”, and “ent” kernels starting with the official release
  • All Virtuozzo 4.0 and 4.6 “i686”, “x86_64”, and “ent” kernels starting with stab057.4
  • All Virtuozzo 3 “enterprise”, “entnosplit”, and “x86_64” SMP kernels starting with stab044.11

Debian

  • All Squeeze “686”, “amd64”, Xen, and OpenVZ kernels starting with the official release of Squeeze
  • All Lenny backports “686”, “686-bigmem”, and “amd64” kernels starting with the official release of Squeeze
  • All Lenny “686”, “amd64”, and “bigmem” kernels starting with the official release of Lenny
  • All Lenny Xen kernels starting with 2.6.26-17 (released June 21, 2009)
  • All Lenny OpenVZ kernels starting with 2.6.26-19 (released August 19, 2009)

Ubuntu

  • All 11.10 Oneiric kernels starting with the official release
  • All 11.04 Natty kernels starting with the official release
  • All 10.10 Maverick kernels starting with the official release
  • All 10.04 LTS Lucid kernels starting with the official release, except for unusual flavors (EC2, Preempt, RT)
  • All 8.04 LTS Hardy kernels starting with 2.6.24-24 (released Feb. 19, 2009), except for unusual flavors (Xen, OpenVZ, LPIA)

Fedora

  • All Fedora 16 kernels starting with the official release
  • All Fedora 15 kernels starting with the official release

CloudLinux

  • All CloudLinux 6 kernels starting with the official release
  • All CloudLinux 5 kernels starting with 2.6.18-264.15.1.el5.lve0.6.20 (released April 4, 2010)

Scientific Linux

  • All Scientific Linux 6 kernels starting with the official release
  • All Scientific Linux 5 kernels starting with 2.6.18-194.11.4.el5 (released Sept. 17, 2010)

 

Amazon EC2

Ksplice supports the Ubuntu 11.10 Oneiric, 11.04 Natty, and 10.10 Maverick EC2 kernels provided by Canonical.

Amazon EC2 also now supports distribution stock Xen kernels. See http://aws.amazon.com/articles/Amazon-EC2/3967 for details on using stock kernels in EC2.

 

Rackspace Cloud

Rackspace Cloud has experimental support for stock kernels, with detailed instructions at http://cloudservers.rackspacecloud.com/index.php/Using_a_Custom_Kernel_with_pv-grub.
