Monday Apr 04, 2016

Announcing New Features for Ksplice

Offline Support for userspace patching is now available in Ksplice.

Customers who host their own yum repositories, or who have restricted access to outside update channels, can now integrate Ksplice userspace patches into their existing offline Ksplice patching procedures. This extends the initial support, which offered online patching capabilities, and provides maximum flexibility and choice for customers managing critical updates.

If you have wanted to use Ksplice for userspace but were restricted by the online service, you are now able to take full advantage of all the services and features available.

Let us know what you think.

Friday Feb 19, 2016

FRIDAY SPOTLIGHT: CVE-2015-7547 - Ksplice solves glibc flaw with zero-downtime and no disruptions

This week we have seen a new vulnerability making the rounds involving glibc. The issue involves a couple of libraries (libresolv and libnss_dns) that are commonly used for tasks like DNS lookups. A call to the function getaddrinfo() could cause a stack buffer overflow when handling larger replies, which in turn could be exploited through attacker-controlled domain names, attacker-controlled DNS servers or man-in-the-middle attacks.

The glibc upstream project released a patch for this issue and most distributions (including Oracle Linux) have released updated glibc packages containing this fix.  Since glibc is a core system library that is used by almost every application on a system, updates to the package typically require restarting applications and best practices would suggest a system reboot.  
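An added example (not from the original post or from Oracle): after a conventional glibc package update, processes started earlier keep mapping the replaced library files, which /proc/<pid>/maps marks "(deleted)". The script below lists those mappings for libc, libresolv and libnss_dns; the function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Find processes that still map a replaced (pre-update) copy of the glibc
# libraries named in the post. Example code, not an Oracle or Ksplice tool.

# stale_glibc_libs [MAPS_FILE]
# Reads /proc/<pid>/maps text (file argument or stdin) and prints each distinct
# libc / libresolv / libnss_dns path whose backing file was replaced on disk.
stale_glibc_libs() {
    awk '
        # maps columns: range perms offset dev inode pathname ["(deleted)"]
        NF >= 7 && $NF == "(deleted)" {
            path = $6
            n = split(path, parts, "/")
            base = parts[n]
            # Require "-" or "." after the name so libcrypto/libcap do not match.
            if (base ~ /^(libc|libresolv|libnss_dns)[-.]/ && !seen[path]++)
                print path
        }
    ' "$@"
}

# scan_all: check every readable process; prints "pid command library".
scan_all() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_glibc_libs "$maps" 2>/dev/null | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$lib"
        done
    done
}

# Constructed sample of one process's maps file after a glibc update.
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c1b7000 r-xp 00000000 fd:00 131094 /usr/lib64/libc-2.17.so (deleted)
7f3a1c1b7000-7f3a1c3b6000 ---p 001b7000 fd:00 131094 /usr/lib64/libc-2.17.so (deleted)
7f3a1c5c0000-7f3a1c5d6000 r-xp 00000000 fd:00 131120 /usr/lib64/libresolv-2.17.so (deleted)
7f3a1c800000-7f3a1c9c0000 r-xp 00000000 fd:00 131200 /usr/lib64/libcrypto.so.1.0.1e
7f3a1ca00000-7f3a1ca05000 r-xp 00000000 fd:00 131300 /usr/lib64/libcap.so.2.22 (deleted)
7ffd2b1e0000-7ffd2b201000 rw-p 00000000 00:00 0 [stack]
EOF
}
```

Run `scan_all` as root to cover every process; any process it lists is still executing the pre-update library code until it is restarted.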

Oracle Linux customers with premier support have the advantage of our Ksplice services, which makes it possible to install both kernel and user space updates without the need to restart applications or reboot the system.  If you would like more information about Ksplice and Oracle Linux, please visit our website.

Monday Nov 02, 2015

New Userspace Patching with Oracle Ksplice!

Last week, Larry Ellison introduced userspace patching with Oracle Ksplice. This is a groundbreaking addition to the already extensive capabilities of Ksplice, giving administrators the tools they need to cope with security threats and other issues without impacting running systems.

If you're unfamiliar with Ksplice, it provides zero-downtime patching (also known as “live patching”) for Linux. With Ksplice, updates and errata (CVEs, etc.) can be applied to running systems without restarting applications or rebooting. This is a boon for organizations, since scheduling downtime across a server farm is a significant event, and many companies using a variety of operating systems only perform patches periodically in a regular cycle. But being able to apply critical updates immediately (or remove them, if necessary) without impacting servers even under heavy load allows administrators to reduce the window of vulnerability for security issues to the bare minimum, making systems more secure. A fantastic primer on Ksplice can be found in Wim Coekaerts' blog post The Magic of Ksplice.

While Ksplice has been a great tool for applying patches without downtime, it has been focused exclusively on kernel patches. That is, until last week with the announcement of userspace patching for Ksplice.

Why is userspace patching important? Well, patching the kernel as Ksplice has done for years solves a number of issues. It lets you patch security vulnerabilities at the kernel level, it allows you to apply patches to do diagnostics, and so on. But applications rely on services available above the kernel (in “userspace”) to do many of their tasks. For example, glibc, the GNU C Library, is the standard C and C++ library used by applications on Linux. And OpenSSL provides secure networking services for applications so applications don’t have to implement these features from scratch. But patching the kernel doesn’t help with changes that need to be made in these system-wide libraries.

These standard libraries are very useful because they allow the community to optimize and standardize on how common tasks are accomplished. But since they are used by so many applications, a flaw in one of these libraries creates widespread exposure. Just such an exposure happened with the Heartbleed Bug, where an issue with OpenSSL left thousands of servers at risk.

With userspace patching in Ksplice, Oracle can now provide you with the tools to patch these userspace libraries without downtime. At Oracle OpenWorld last week, we were showing attendees in the Oracle Linux, Oracle VM, and OpenStack Showcase how we can apply userspace patches for the Ghost and Heartbleed vulnerabilities, check that the systems were indeed secured, and then roll those patches back to their unsecured state, all in a couple of minutes and without stopping running applications. This is the power of the new userspace feature of Ksplice. In this first release of userspace patching, the focus is on glibc and OpenSSL since this will cover many of the security related issues customers will run into. 

With the addition of userspace patching, a great tool just got even better. Ksplice can now patch the running Linux kernel and also patch userspace glibc and OpenSSL without downtime. Userspace patching is a huge development in zero-downtime patching, and another tool in the toolbox for administrators needing to cope with critical updates. This brings the magic of Ksplice from the kernel up to userspace, making your systems safer.

Userspace patching for Ksplice is available now in the enhanced Ksplice client for customers with Oracle Linux Premier Support. You can read about it in the latest Ksplice documentation and when you’re ready to try it out, you can enable it on the Unbreakable Linux Network and install it on your systems.

Wednesday Jun 13, 2012

Important glibc Bug Fix Update for Oracle Linux 6 on Intel Systems with AVX Instruction Support

If you run Oracle products on Oracle Linux 6 (or RHEL 6) on Intel-based hardware that supports the Intel Advanced Vector Extensions (AVX), you may encounter illegal instruction errors (SIGILL) that prevent the correct operation of Oracle Database, Fusion Middleware and other applications (both Oracle and third party applications).  It is recommended you install this glibc bug fix update: ELBA-2012-2019.  

To verify whether your system supports AVX, look for avx in the output of:

# cat /proc/cpuinfo

The updated glibc RPM is available from ULN and from public-yum.oracle.com.  For more information, see this Oracle Linux Errata notification: ELBA-2012-2019 Oracle Linux 6 glibc bug fix update.  To subscribe to Oracle Linux errata notifications via email, go here.  You can also stay on top of Oracle Linux errata via Twitter: @orcl_uln