Monday Nov 02, 2015

New Userspace Patching with Oracle Ksplice!

Last week, Larry Ellison introduced userspace patching with Oracle Ksplice. This is a groundbreaking addition to the already extensive capabilities of Ksplice, giving administrators the tools they need to cope with security threats and other issues without impacting running systems.

If you're unfamiliar with Ksplice, it provides zero-downtime patching (also known as “live patching”) for Linux. With Ksplice, updates and errata (CVEs, etc.) can be applied to running systems without restarting applications or rebooting. This is a boon for organizations since scheduling downtime across a server farm is a significant event, and many companies using a variety of operating systems only apply patches periodically in a regular cycle. But being able to apply critical updates immediately (or remove them, if necessary) without impacting servers even under heavy load allows administrators to reduce the window of vulnerability for security issues to the bare minimum, making systems more secure. A fantastic primer on Ksplice can be found in Wim Coekaerts' blog post "The Magic of Ksplice".

While Ksplice has been a great tool for applying patches without downtime, it has been focused exclusively on kernel patches. That is, until last week with the announcement of userspace patching for Ksplice.

Why is userspace patching important? Well, patching the kernel as Ksplice has done for years solves a number of issues. It lets you patch security vulnerabilities at the kernel level, it allows you to apply patches to do diagnostics, and so on. But applications rely on services available above the kernel (in “userspace”) to do many of their tasks. For example, glibc, the GNU C Library, is the standard C and C++ library used by applications on Linux. And OpenSSL provides secure networking services for applications so applications don’t have to implement these features from scratch. But patching the kernel doesn’t help with changes that need to be made in these system-wide libraries.

These standard libraries are very useful because they allow the community to optimize and standardize on how common tasks are accomplished. But since they are used by so many applications, a flaw in one of these libraries creates widespread exposure. Just such an exposure happened with the Heartbleed Bug, where an issue with OpenSSL left thousands of servers at risk.

With userspace patching in Ksplice, Oracle can now provide you with the tools to patch these userspace libraries without downtime. At Oracle OpenWorld last week, we were showing attendees in the Oracle Linux, Oracle VM, and OpenStack Showcase how we can apply userspace patches for the Ghost and Heartbleed vulnerabilities, check that the systems were indeed secured, and then roll those patches back to their unsecured state, all in a couple of minutes and without stopping running applications. This is the power of the new userspace feature of Ksplice. In this first release of userspace patching, the focus is on glibc and OpenSSL since this will cover many of the security-related issues customers will run into.

With the addition of userspace patching, a great tool just got even better. Ksplice can now patch the running Linux kernel and also patch userspace glibc and OpenSSL without downtime. Userspace patching is a huge development in zero-downtime patching, and another tool in the toolbox for administrators needing to cope with critical updates. This brings the magic of Ksplice from the kernel up to userspace, making your systems safer.

Userspace patching for Ksplice is available now in the enhanced Ksplice client for customers with Oracle Linux Premier Support. You can read about it in the latest Ksplice documentation and when you’re ready to try it out, you can enable it on the Unbreakable Linux Network and install it on your systems.

Wednesday Jun 13, 2012

Important glibc Bug Fix Update for Oracle Linux 6 on Intel Systems with AVX Instruction Support

If you run Oracle products on Oracle Linux 6 (or RHEL 6) on Intel-based hardware that supports the Intel Advanced Vector Extensions (AVX), you may encounter illegal instruction errors (SIGILL) that prevent the correct operation of Oracle Database, Fusion Middleware and other applications (both Oracle and third-party applications). It is recommended that you install this glibc bug fix update: ELBA-2012-2019.

To verify whether your system supports AVX, look for avx in the output of:

# cat /proc/cpuinfo

The updated glibc RPM is available from ULN and from  For more information, see this Oracle Linux Errata notification: ELBA-2012-2019 Oracle Linux 6 glibc bug fix update. To subscribe to Oracle Linux errata notifications via email, go here. You can also stay on top of Oracle Linux errata via Twitter: @orcl_uln
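
The AVX check above can be scripted so it can be run across many hosts. The following is an added example, not part of the original post: the function names and the sample cpuinfo text are assumptions made for illustration, and the samples are constructed rather than captured from real systems.

```shell
#!/bin/sh
# Added example (not from the original post): scriptable AVX check.

# has_cpu_flag FLAG [FILE]: succeed only if FLAG is a whole token on a
# "flags" line of FILE (default /proc/cpuinfo). A plain substring search
# for "avx" would also match longer tokens such as "avx2".
has_cpu_flag() {
    awk -v want="$1" '
        /^flags[ \t]*:/ {
            sub(/^[^:]*:/, "")            # drop the "flags :" label
            n = split($0, tok, " ")       # split the rest on whitespace
            for (i = 1; i <= n; i++) if (tok[i] == want) found = 1
        }
        END { exit !found }               # 0 = flag present, 1 = absent
    ' "${2:-/proc/cpuinfo}"
}

# avx_report [FILE]: print one line saying whether the erratum is relevant.
avx_report() {
    if has_cpu_flag avx "$@"; then
        echo "AVX present: install the glibc update (ELBA-2012-2019)"
    else
        echo "AVX not reported in CPU flags"
    fi
}

# Constructed sample inputs (not captured from real hosts).
sample_with_avx()    { printf 'processor\t: 0\nflags\t\t: fpu sse4_2 xsave avx\n'; }
sample_without_avx() { printf 'processor\t: 0\nflags\t\t: fpu sse4_2 popcnt\n'; }

# Report on the local machine when cpuinfo is readable.
if [ -r /proc/cpuinfo ]; then
    avx_report
fi
```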
