Learn how Oracle Ksplice helps secure critical Linux user space libraries

December 12, 2022 | 4 minute read
Gursewak Sokhi
Technical Product Manager - Oracle Linux & Virtualization
Text Size 100%:

With Linux systems being the backbone of enterprise IT infrastructure, it's essential to remain on guard and help shield them from the surging number of cyberattacks by patching both the kernel and user space. Not only is the Linux kernel targeted by security vulnerabilities, but key user spaces are in just as much danger. Oracle Ksplice remains at the forefront of helping defend your Linux systems, running on-premises or in the cloud, by updating them with the latest kernel, hypervisor, and critical user space libraries (glibc and openssl), all without a reboot. 

The ability to patch the kernel and user space libraries with Ksplice technology is not only available for Oracle Linux systems running on 64-bit Intel and AMD (x86-64) architecture but also on 64-bit Arm (aarch64). Oracle Linux 9, 8, and 7 are available on the 64-bit Arm platform. For on-premises, an ISO image which has been tested on Arm 64-bit hardware and is engineered for use with Ampere Altra and AltraMax based platforms can be used for standard installation on qualified hardware. In Oracle Cloud Infrastructure (OCI)Oracle Linux for Arm images are easily accessible and can be deployed within a few minutes on Ampere Altra Arm-based compute services from the OCI console.

Ksplice updates the supported Linux kernels in Oracle Linux, Red Hat Enterprise Linux (RHEL), CentOS Linux, and Ubuntu, with security patches. Ksplice is included with Oracle Linux Premier Support and available at no additional cost with OCI subscriptions.

Patching user space libraries 

The GNU C Library (glibc) is a crucial necessity for most Linux applications, delivering the fundamental routines for memory allocation, string handling, threading, and networking. Moreover, OpenSSL is widely used for secure communication across the internet, as it allows for SSL/TLS-related tasks and core cryptographic functions, such as private key generation and digital certificate creation. User space libraries allow common tasks to be optimized and play a significant role in the functionality of Linux systems; hence, Ksplice helps keep them secure with zero-downtime patching, avoiding the need for teams to schedule periodic shutdowns of applications and services. 

Recently, Oracle released openssl security updates for high severity vulnerabilities. With the release came fixed CVEs, such as CVE-2022-3602 and CVE-2022-3786, and respective updated openssl packages, preventing an attacker from creating a malicious email address by causing a buffer overflow. In addition to manually installing security updates on your system when they are available, with Ksplice for Oracle Linux, you have the ability to enable automatic installation. 

The Ksplice Enhanced Client, which features the ksplice command, allows you to quickly patch in-memory pages of the imperative shared libraries, glibc and openssl, for user space processes, in addition to patching the kernel, helping keep your Oracle Linux systems secure and compliant. 

Applying updates and patches with the Ksplice Enhanced Client

  1. If your Oracle Linux system does not have the Ksplice Enhanced Client installed, perform a streamlined installation by running the yum install ksplice command. Note: Users deploying Oracle Linux platform images in OCI, proceed directly to step 3, since both Ksplice and the enhanced client are already preinstalled for Oracle Linux deployments in OCI. 

    [root@oracle-linux-instance ~]# yum install ksplice
  2. Execute the yum update command to update the system to install the Ksplice-aware versions of the user space libraries. This command also updates all packages on the system, including packages on which they depend. If you would like to install only the user space libraries or update their respective packages, run yum update glibc* openssl*

    [root@oracle-linux-instance ~]# yum update
  3. Oracle recommends configuring automatic Ksplice updates. To enable the automatic installation of updates, enter autoinstall = yes, which will change the autoinstall field from no to yes in the /etc/uptrack/uptrack.conf file. 

    [root@oracle-linux-instance ~]# autoinstall = yes
  4. Perform a single reboot using the systemctl reboot command for the system to activate and use the newly installed Ksplice aware libraries.

    [root@oracle-linux-instance ~]# systemctl reboot
  5. This step is for users that chose not to enable auto installation of Ksplice updates in step 3. Moving forward, use the ksplice upgrade command to install patches or upgrades that are made available. With this command, you can upgrade your whole system or limit it only to specific subsystems (the kernel, user space, or Xen hypervisor) using the appropriate syntax: ksplice -y all | kernel | user | xen upgrade. For example, the following command patches the user space libraries:

    [root@oracle-linux-instance ~]# ksplice -y user upgrade

Automated hands-off patching with Oracle Autonomous Linux 

For OCI customers that prefer to keep their systems up to date at all times and not have to worry about being out of compliance, Oracle Autonomous Linux in OCI, delivers a hands-off approach. Based on Oracle Linux, Autonomous Linux leverages Ksplice technology and performs automatic patch updates daily (when updates are available) without the need of any human interaction, helping eliminate management complexity and human error. Ksplice is already installed and configured by default to run automatic updates in Autonomous Linux instances deployed in OCI, hence there is no further action required. Moreover, Autonomous Linux instances are integrated with Oracle OS Management Service, which provides automatic discovery of Autonomous Linux instances in OCI and a framework for managing and configuring them. For instance, OS Management Service offers you the ability to configure the daily update time for automatic updates and enables OCI notifications to retrieve results of updates performed.

Start leveraging Oracle Ksplice today

It's not just zero-downtime updates for the kernel and critical user space libraries that Ksplice offers. It also helps enhance security compliance with its Known Exploit Detection functionality. This feature is able to alert administrators of suspicious activities detected in your systems, for instance, when an attacker tries to exploit a security vulnerability that already has been patched. 
If you’re running Oracle Linux or RHEL deployments on-premises, you can try Oracle Ksplice with a 30-day free trial. If you're interested in trying Ksplice on OCI, you can sign up for Oracle Cloud Free Tier and also access a 30-day free trial. 

Additional Resources

Gursewak Sokhi

Technical Product Manager - Oracle Linux & Virtualization

Gursewak Sokhi is a Technical Product Manager for Oracle Linux and Virtualization. He holds a Computer Engineering B.S. with a concentration in Systems Programming, and a Mathematics and Economics B.A. from the University of California, Santa Cruz.

Connect with him on LinkedIn: www.linkedin.com/in/gursewaksokhi

Previous Post

Linux SLUB Allocator Internals and Debugging, Part 1 of 4

Imran Khan | 19 min read

Next Post

Still on CentOS Linux 7? Easily switch to Oracle Linux, a stable RHEL-compatible alternative

David Gilpin | 3 min read