How to Upgrade An Unsupported OS: An In-depth Checklist

Our April 2021 blog post is out. We’ve got lots to tell you about, so let’s get started. First up, we highlight UChecker, a tool that checks for vulnerable libraries in your Linux system. Next up is the monthly CVE report. This month, a 20-year-old vulnerability rears its ugly head, and a BPF code vulnerability reveals itself. Next, we’ve updated the KernelCare ePortal. This month we have a guest article about securing your non-commercial IoT devices. We also focus on two informative videos. Last but not least, CentOS AlmaLinux to receive CloudLinux support.

In this month’s update, we highlight CVEs that just won’t die. We’ve also published some critical information regarding live patching the Microsoft Azure IoT Hub with KernelCare IoT integrations. Additionally, we know many still love their old, unsupported distros. The KernelCare team presents an in-depth checklist on how to upgrade an unsupported OS. Keep reading for more details or watch a quick video recap.
.

We know that frequently updating Linux kernels is critical to the safety of cloud environments – kernels are, after all, a cybersecurity blind spot. But updating kernels is time-consuming and often requires a server restart which can disrupt services.

Cloud provisioning has steadily replaced locally hosted servers. It’s simply much faster, and often cheaper, to fire up cloud-hosted Linux VMs to handle workloads and to scale in response to demand.

There are currently a whole host of live patching tools on the market. Such options vary significantly in cost, with some significantly more affordable or expensive than others. Moreover, there are live patching tools that are more suitable for only one or two distributions, and then there are distribution-agnostic tools. So much variety can make it challenging to select the perfect option for your business.

Server live patching is an essential tool that reduces system downtime, lowers maintenance expenses, and enhances security. Initially introduced in 2008, live patching is an automatic system for applying kernel security patches that does not necessitate rebooting. This allows users to avoid any server compromisation or security vulnerabilities during a patch update. And with server configuration management tools, every server can be automatically updated at the same time, effectively eliminating a host of significant cybersecurity blindspots.

Before 2008, the only way to install new patches to Linux kernels was the yum update kernel command. It quickly became clear that those who use 24/7 servers would become annoyed by constant updates, as would the administrators who had to update hundreds of servers manually. The only solution for downtime was to delay the installation until the weekend, which gave hackers enough time to exploit vulnerabilities.

The commercial history of kernel live patching started with Ksplice. Nowadays, besides Linux kernels, Ksplice also releases patches for shared libraries and APIs. These patches can be applied live as long as they do not make changes to the data’s infrastructure. 

KernelCare is now available with a 15% discount as part of a package with CloudLinux’s extended lifecycle support (ELS)* for CentOS® 6. This KernelCare & CentOS® 6 ELS package provides security protection to organisations still running CentOS® 6 after November of 2020 when the OS reaches its end-of-life. 

Updating Linux kernels is a routine – as dull as taxes and only slightly less inconvenient than death. New security vulnerabilities in the Linux kernel seem to appear with tedious regularity and even get fancy names. In most but not all cases, the patches needed to fix them follow swiftly after. There is work involved in patching the kernel the latest Linux kernel security updates, and danger if you delay–leave it too long and bad actors might take advantage of the period of vulnerability.

A new CPU vulnerability known as SRBDS/CrossTalk was discovered in June 2020. The team at KernelCare is currently creating a patch to close it down. Let’s examine this new vulnerability, and explore what we’re doing to eliminate it.