How to Upgrade An Unsupported OS: An In-depth Checklist

The KernelCare Team is proud to announce the latest update to ePortal, its centralized management interface for KernelCare clients. It’s now at version 1.22-1, and it has some new features, namely the easier deployment of the KernelCare client, and some bug fixes.

CloudLinux Enterprise services have been growing steadily for years now. KernelCare, for example, was launched around 6 years ago as a live patching tool for the Linux Kernel. Since then we have added several useful integrations for vulnerability scanners, automation tools and others, and we also released KernelCare+ which adds live patching for OpenSSL and glibc shared libraries.

Last year we also added Extended Lifecycle Support services that let you continue to receive security updates for your systems that are past their original vendor’s End-of-Life date. So if you need more time to migrate to current versions of your distro we can continue to provide patches and updates up to four years past the EOL date.

The KernelCare team is proud to announce the release of KernelCare 2.43-2, bringing new features and bug fixes to the enterprise’s live patching tool of choice. This follows the recent update to ePortal, and signals KernelCare’s continued commitment to support and maintain this important and widely used enterprise tool, giving users the confidence to continue to depend on it for their live patching needs.

ePortal is KernelCare Enterprise’s solution for deployments where the machines that need to receive the updates have restricted internet access, serving as a central staging point of delivery for patches, thus reducing exposure of internal resources to outside access.

The KernelCare team is proud to announce the release of ePortal 1.21-1, with many UI improvements and often requested functionality added. One such feature is the ability to control and receive only patches for a specific subset of KernelCare’s supported list of distributions, for example for environments where only one or two different distributions are used. 

Another vulnerability targeting the BPF subsystem has been disclosed publicly in the past few days (CVE-2021-29154). It allows users on a system running non-default configuration of the BPF subsystem to run specially crafted code as a BPF filter and run arbitrary executable code in the kernel context. 

According to vendors, it affects all distributions running kernels up to version 5.11.12. Distribution vendors are starting to deliver patches through their update mechanisms, and KernelCare is also finalizing patches for it’s rebootless patching process to address this issue.

When you see so many vulnerabilities being reported and so many security-related issues being exploited, you may think to yourself “I’m lucky not to be using that package or software, I’m not vulnerable to this”. 

We’ve covered brand new Linux kernel vulnerabilities in a few of our past articles, but in this article we’ll take a look at a vulnerability that’s been re-listed accidentally. Both reports – the erroneous relisting, and the original listing – point to a vulnerability in Linux kernel memory mapping where a race condition can develop when a memory expansion function is used.

We’ll cover the vulnerability as it stands. But we’ll also look at a key issue revealed by the double listing: if security experts can so easily lose sight of an existing vulnerability to the extent that a vulnerability is relisted as “new” and “just discovered” – what does it say about the state of vulnerability management?

And what does it mean for Linux users around the globe, vulnerable to countless offensive strategies – but dependent on the security experts for assistance?

KernelCare added support for AlmaLinux OS. This new linux distribution is a community driven project that intends to fill the gap left by the change in direction of CentOS, in terms of stability and support. It is a stable enterprise-grade server OS, with long support windows. Forever free and open-source, AlmaLinux OS is backed by CloudLinux and has a growing community gathering around it, helping guide it's direction and strategy. Alma means soul in some latin-based languages and the name aims to celebrate the soul of linux - it’s users and community.

Linux vulnerabilities pile up. Year in, year out. You could say it’s inevitable really, given today’s complex computing environment. It is nonetheless frustrating when the same critical elements of the Linux OS kernel continue to surface as a vulnerable area.

Up to and including 2020, there are fourteen listed CVEs that cover the Linux futex implementation. Granted, futexes are formidably complex. Though futexes provide essential functionality, futexes are often not clearly understood, and some might argue that vulnerabilities are inevitable given the complexity of futex implementation.

Unfortunately, at the end of January 2021, another Linux kernel vulnerability that involves futex mishandling emerged. Worse, it involves a dangerous use-after-free vulnerability.

There’s little question that the technology world is changing quickly. 2020 was a great accelerator in many ways, with the pandemic leading to rapid changes in working habits and the structure of consumer demand.