Overview

Qualys has recently disclosed a vulnerability in the GNU C Library (glibc) that could allow a remote attacker to execute malicious code on vulnerable systems. The vulnerability affects Linux-based operating systems.

This is better known as the GHOST ‘glibc’ vulnerability (CVE-2015-0235): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

What is ShapeBlue Doing

ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The template download functionality that the Secondary Storage VM (SSVM) provides to end users puts it at risk. Since this is a Linux issue, all Apache CloudStack versions are affected. An immediate fix would be to log in to each SSVM and upgrade the glibc package to the version that contains the fix. This is only a temporary solution, because on a reboot the SSVM falls back to the configured template version. As a permanent solution we have released an updated set of System VM Templates with the fix applied. We recommend that all CloudStack operators update their System VM Templates to a patched version following the instructions below. This vulnerability is also thought to affect commercial distributions of Apache CloudStack.

Virtual Appliance patching procedure

ShapeBlue has built new system VM templates with the glibc fix for the major CloudStack versions 4.3, 4.4 and 4.5 on the XenServer, VMware and KVM hypervisors. We advise CloudStack users to upgrade to the latest system VM templates using the following steps:

1. Register the new templates for all the hypervisors you use in your CloudStack deployment. CloudStack 4.3 users should use the settings in the table below; 4.4 users should scroll down to the second table.

Template settings for 4.3 users

XenServer
Name: systemvm-xenserver-4.3-ghost
Description: systemvm-xenserver-4.3-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.3/systemvm64template-4.3-xen.vhd.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: XenServer
Format: VHD
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no

KVM
Name: systemvm-kvm-4.3-ghost
Description: systemvm-kvm-4.3-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.3/systemvm64template-4.3-kvm.qcow2.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: KVM
Format: QCOW2
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no

VMware
Name: systemvm-vmware-4.3-ghost
Description: systemvm-vmware-4.3-ghost
URL: Coming Soon !!
Zone: Choose the zone where this hypervisor is used
Hypervisor: VMware
Format: OVA
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no

Or, if you’re a CloudStack 4.4 user, please use the following table:

Template settings for 4.4 users

XenServer
Name: systemvm-xenserver-4.4-ghost
Description: systemvm-xenserver-4.4-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.4/systemvm64template-4.4-xen.vhd.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: XenServer
Format: VHD
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no

KVM
Name: systemvm-kvm-4.4-ghost
Description: systemvm-kvm-4.4-ghost
URL: http://packages.shapeblue.com/systemvmtemplate/4.4/systemvm64template-4.4-kvm.qcow2.bz2
Zone: Choose the zone where this hypervisor is used
Hypervisor: KVM
Format: QCOW2
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no

VMware
Name: systemvm-vmware-4.4-ghost
Description: systemvm-vmware-4.4-ghost
URL: Coming Soon !!
Zone: Choose the zone where this hypervisor is used
Hypervisor: VMware
Format: OVA
OS Type: Debian GNU/Linux 7.0 (64-bit) (or the highest Debian release number available in the dropdown)
Extractable: no
Password Enabled: no
Public: no
Featured: no
Routing: no

2. After registering the template, wait until it has been downloaded and installed. When the template is in the READY state, move to the next step.

3. Stop the cloudstack-management service on all management servers and take a backup of the database.

service cloudstack-management stop

4. Download ShapeBlue’s CloudStack system VM template upgrade tool for the GHOST vulnerability:

wget http://packages.shapeblue.com/tools/ghost-systemvm-upgrader.py

5. This tool requires the Python MySQLdb library. To install it from your distribution's packages, run one of the following:

Debian based: apt-get install python-mysqldb

RHEL based: yum install MySQL-python

Or, use pip (the build dependencies must be installed first):

Debian based: apt-get install build-essential python-dev libmysqlclient-dev

RHEL based: yum install mysql-devel python-devel

sudo pip install MySQL-python

6. Run the tool against your database; it will automatically find and upgrade the registered template:

python ghost-systemvm-upgrader.py -c <Major CloudStack version, 4.3 or 4.4> -i <IP of the database host> -d cloud -u <Database user name, cloud> -p <Database user password>

e.g.   python ghost-systemvm-upgrader.py -c 4.4 -i 192.168.0.21 -d cloud -u cloud -p password

7. Finally, restart the CloudStack management service on all management servers and then destroy all of the system VMs so that they are recreated from the patched template.

service cloudstack-management start
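Step 1 above registers the templates through the UI; for operators with several zones it is easier to script it against the CloudStack API. The following is an added example and not ShapeBlue's upgrade tool: it builds a signed registerTemplate request with the exact flags from the tables, deriving name and URL from the page's pattern for any version and the XenServer/KVM hypervisors (VMware is left out because its URL is still "Coming Soon"). The API key, secret key, zone id and OS type id are placeholders to be looked up in your own deployment.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus

# Artifact suffix and format per hypervisor, following the URL pattern of the
# tables on this page (VMware is omitted because its URL is still "Coming Soon").
GHOST_ARTIFACTS = {
    "XenServer": ("xen.vhd.bz2", "VHD"),
    "KVM": ("kvm.qcow2.bz2", "QCOW2"),
}

def register_template_params(version, hypervisor, zone_id, os_type_id):
    """registerTemplate parameters with the flags the tables prescribe (all 'no')."""
    suffix, fmt = GHOST_ARTIFACTS[hypervisor]
    name = f"systemvm-{hypervisor.lower()}-{version}-ghost"
    url = (f"http://packages.shapeblue.com/systemvmtemplate/{version}/"
           f"systemvm64template-{version}-{suffix}")
    return {
        "command": "registerTemplate",
        "name": name,
        "displaytext": name,            # "Description" field in the UI
        "url": url,
        "zoneid": zone_id,              # placeholder: look up with listZones
        "hypervisor": hypervisor,
        "format": fmt,
        "ostypeid": os_type_id,         # placeholder: Debian 7 (64-bit) id from listOsTypes
        "isextractable": "false",
        "passwordenabled": "false",
        "ispublic": "false",
        "isfeatured": "false",
        "isrouting": "false",
        "response": "json",
    }

def _encode(value):
    # CloudStack signs RFC 3986 style values: space as %20, '+' as %2B, '/' encoded.
    return quote_plus(str(value), safe="*").replace("+", "%20")

def sign_request(params, api_key, secret_key):
    """Signed query string: sort by key (case-insensitive), lowercase the encoded
    key=value string, HMAC-SHA1 it with the secret key, append base64 digest."""
    items = sorted(dict(params, apiKey=api_key).items(), key=lambda kv: kv[0].lower())
    canonical = "&".join(f"{k.lower()}={_encode(v).lower()}" for k, v in items)
    digest = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    query = "&".join(f"{k}={_encode(v)}" for k, v in items)
    return f"{query}&signature={_encode(signature)}"
```

Append the returned string to your management server's API endpoint (http://<management-server>:8080/client/api?) and check the returned template id, then poll listTemplates until the template reports READY before continuing with step 2.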

Further information

For ShapeBlue support customers, please contact the support team for further information.

For other CloudStack users, please use the community mailing lists.