Overview
A vulnerability recently disclosed by Qualys could allow a remote attacker to execute arbitrary code on vulnerable systems. The vulnerability affects Linux-based operating systems.
This is better known as the GHOST ‘glibc’ vulnerability (CVE-2015-0235): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
What is ShapeBlue Doing
ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The template download functionality that the Secondary Storage VM (SSVM) provides to end users puts it at risk. Since this is a Linux issue, all Apache CloudStack versions are affected. An immediate fix is to log into each SSVM and upgrade the glibc package to one that contains the fix. This is only a temporary solution, because on reboot the system VM falls back to the configured template version. We have released an updated set of System VM Templates with the fix applied as a permanent solution. It is recommended that all CloudStack operators update their System VM Templates to a patched version following the instructions below. This vulnerability is also thought to affect commercial distributions of Apache CloudStack.
Virtual Appliance patching procedure
ShapeBlue has built new systemvm templates with the glibc fix for the major CloudStack versions 4.3, 4.4 and 4.5, for the XenServer, VMware and KVM hypervisors. We advise CloudStack users to upgrade to the latest systemvm templates using the following steps:
1. Register the new templates for every hypervisor that you use in your CloudStack deployment. If you are a CloudStack 4.3 user, use the settings below; CloudStack 4.4 users should use the second set of settings further down the page.
Name: systemvm-xenserver-4.3-ghost
Description: systemvm-xenserver-4.3-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.3/systemvm64template-4.3-xen.vhd.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: XenServer
Format: VHD
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no
Name: systemvm-kvm-4.3-ghost
Description: systemvm-kvm-4.3-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.3/systemvm64template-4.3-kvm.qcow2.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: KVM
Format: QCOW2
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no
Name: systemvm-vmware-4.3-ghost
Description: systemvm-vmware-4.3-ghost
URL: Coming Soon !!
Zone: Choose the zone where this hypervisor is used
Hypervisor: VMware
Format: OVA
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no
Or, if you are a CloudStack 4.4 user, use the following settings:
Name: systemvm-xenserver-4.4-ghost
Description: systemvm-xenserver-4.4-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.4/systemvm64template-4.4-xen.vhd.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: XenServer
Format: VHD
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no
Name: systemvm-kvm-4.4-ghost
Description: systemvm-kvm-4.4-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.4/systemvm64template-4.4-kvm.qcow2.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: KVM
Format: QCOW2
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no
Name: systemvm-vmware-4.4-ghost
Description: systemvm-vmware-4.4-ghost
URL: Coming Soon !!
Zone: Choose the zone where this hypervisor is used
Hypervisor: VMware
Format: OVA
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no
2. After registering the template, wait until it has been downloaded and installed. When the template is in the READY state, move to the next step.
3. Stop the cloudstack-management service on all management server(s) and take a backup of the database:
service cloudstack-management stop
4. Download ShapeBlue’s CloudStack SystemVM template upgrading tool for the GHOST vulnerability:
wget http://packages.shapeblue.com/tools/ghost-systemvm-upgrader.py
5. This tool requires the Python MySQLdb library. To install it, run one of the following for your distribution:
Debian based: apt-get install python-mysqldb
RHEL based: yum install MySQL-python
Or, install the build dependencies and use pip:
Debian based: apt-get install build-essential python-dev libmysqlclient-dev
RHEL based: yum install mysql-devel python-devel
sudo pip install MySQL-python
6. Run this tool against your database; it will automatically find and upgrade the registered template:
python ghost-systemvm-upgrader.py -c <major CloudStack version, 4.3 or 4.4> -i <IP of the database host> -d cloud -u <database user name, normally cloud> -p <database user password>
e.g. python ghost-systemvm-upgrader.py -c 4.4 -i 192.168.0.21 -d cloud -u cloud -p password
7. Finally, restart the CloudStack Management service on all management servers and then destroy all of the SystemVMs so that they are re-created from the new template:
service cloudstack-management start
Further information
For ShapeBlue support customers, please contact the support team for further information.
For other CloudStack users, please use the community mailing lists.
Rohit Yadav oversees the Software Engineering function at ShapeBlue, providing leadership and mentorship to our ever-growing Engineering Team. He has been a PMC member of the project since 2015. Rohit is the author & maintainer of the CloudStack CloudMonkey project and has been instrumental in the development of many of CloudStack’s flagship features. Rohit regularly speaks at events, focussing on developer access to the project, and has also mentored Google Summer of Code students.