
Security Issues with installed components

Pages: 1 2

I have recently installed a 3-node PetaSAN cluster. We use Nexpose by Rapid7 to monitor our systems for security issues, and it reports there are many security vulnerabilities with the current version of PetaSAN as installed from the iso available here.

What are the options for updating the OS to keep it in compliance with security issues?

Thanks,

Neil

We do not set up an internal firewall; you can set it up yourself if needed. You can update the OS, as in apt upgrade, to install the latest fixes.

So I can just run:

apt update

and

apt upgrade

with no adverse effect on the system?

Neil

Yes, please see our online upgrade guide.

Sorry, I don't think I was being clear in my question. I will try to rephrase.

I have a new installation of Petasan (less than a month old) that was built with the current iso from this site.
When I run:

dpkg -s petasan | grep Version
The resultant version is 2.6.2, so I am up to date on Petasan.

However, when we use our scanning tool to check for security vulnerabilities, it shows a lot of vulnerable versions of software, for example:

Ubuntu: USN-4400-1 (CVE-2019-3689): nfs-utils vulnerability
Ubuntu: USN-4458-1 (CVE-2020-11984): Apache HTTP Server vulnerabilities
Ubuntu: USN-4168-1 (CVE-2019-18224): Libidn2 vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2019-12900): ClamAV vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2019-8457): SQLite vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2019-9893): libseccomp vulnerability
Ubuntu: USN-4416-1 (CVE-2019-9169): GNU C Library vulnerabilities
Ubuntu: USN-4416-1 (CVE-2018-11236): GNU C Library vulnerabilities
Ubuntu: USN-4416-1 (CVE-2017-18269): GNU C Library vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2018-6485): GNU C Library vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2018-1126): procps-ng vulnerabilities
Ubuntu: USN-4108-1 (CVE-2019-11922): Zstandard vulnerability
Ubuntu: USN-4531-1 (CVE-2018-1000500): BusyBox vulnerability
Ubuntu: USN-4512-1 (CVE-2018-7738): util-linux vulnerability
Ubuntu: USN-4416-1 (CVE-2020-1751): GNU C Library vulnerabilities
Ubuntu: USN-4386-1 (CVE-2020-13790): libjpeg-turbo vulnerability
Ubuntu: USN-4458-1 (CVE-2020-1927): Apache HTTP Server vulnerabilities
Untrusted TLS/SSL server X.509 certificate
Ubuntu: (Multiple Advisories) (CVE-2020-10713): GRUB2 regression
Ubuntu: (Multiple Advisories) (CVE-2020-14309): GRUB2 regression
Ubuntu: (Multiple Advisories) (CVE-2020-12049): DBus vulnerability
Ubuntu: USN-4458-1 (CVE-2020-9490): Apache HTTP Server vulnerabilities
Ubuntu: USN-4428-1 (CVE-2019-20907): Python vulnerabilities
Ubuntu: USN-4394-1 (CVE-2020-11655): SQLite vulnerabilities
Ubuntu: USN-4428-1 (CVE-2019-9674): Python vulnerabilities
Ubuntu: USN-4394-1 (CVE-2019-19603): SQLite vulnerabilities
Ubuntu: USN-3999-1 (CVE-2019-3836): GnuTLS vulnerabilities
Ubuntu: USN-3999-1 (CVE-2019-3829): GnuTLS vulnerabilities
Ubuntu: USN-4563-1 (CVE-2019-8936): NTP vulnerability
Ubuntu: USN-4416-1 (CVE-2018-19591): GNU C Library vulnerabilities

I am not asking about updating Petasan; I am asking whether it is ok to run standard updates, or will that break Petasan?

The online upgrade guide appears to just be talking about updating your version of Petasan, but I am asking about all the other packages that are installed, or are those tied to this particular version of Petasan?

Follow-up: When I run the command apt-get upgrade, it tells me it will upgrade the following packages.

root@petasan1:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
 base-files bash bsdutils debconf dpkg e2fsprogs gcc-8-base gpgv grep libblkid1 libbz2-1.0
  libcom-err2 libdb5.3 libext2fs2 libfdisk1 libgcc1 libgcrypt20 libgnutls30 libidn2-0 libmount1
  libncurses5 libncursesw5 libpam-modules libpam-modules-bin libpam-runtime libpam0g libprocps6
  libseccomp2 libsmartcols1 libss2 libstdc++6 libtinfo5 libunistring2 libuuid1 libzstd1 login
  mount ncurses-base ncurses-bin passwd procps tar ubuntu-keyring util-linux
44 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 9,806 kB of archives.
After this operation, 69.6 kB of additional disk space will be used.

Is it ok to run these updates?
Should I put the system in maintenance to do so (i.e., turn off recover/rebalance/backfill/markout)? Or do I only need to do that when rebooting nodes?

Do I need to run the rest of these commands if I am already on the current version of petasan per the online upgrade guide?

apt update
export DEBIAN_FRONTEND=noninteractive
apt -o Dpkg::Options::="--force-confdef" upgrade
apt install petasan

Most of our packages are downloaded from Ubuntu, look at

/etc/apt/sources.list

They include updates and security fixes directly from Ubuntu. Also, I can see some packages we do not ship, like nfs-utils and ClamAV, so probably you installed them yourself from the Ubuntu repos.

I am not sure what your tool does and whether it is tied to the Ubuntu repos or to some special external repo; in that case you may include it in /etc/apt/sources.list. However, in case you do add external repositories, it may cause conflicts, since we only test using the standard repositories.

The online update guide is valid for all packages: packages we build as well as the bulk OS packages. Again, they are fetched from the standard repository source list.

Thanks so much… I ran updates and it seemed to work. Our vulnerabilities dropped from around 39k to 7k according to the tool we use to scan (Nexpose from Rapid7).

I appreciate the confirmation!

Neil

Adding to this old post: I upgraded Petasan to the newest version over last weekend. All nodes are now on 2.8.0.

However, when we run our vulnerability scanning tool (Nexpose by Rapid7), I am told there is a Metasploit exploit that is trivial to execute for the sudo version installed.

sudo -V reports that the installed version is 1.8.21p2.

According to the CVE report (https://ubuntu.com/security/notices/USN-4705-1), we should upgrade to version 1.8.21p2-3ubuntu1.4.

However, running apt update and apt upgrade states there is no newer version available and leaves me at just 1.8.21p2.

Is there a way to update Petasan to use the version Ubuntu reports as being patched for this exploit?

There are also quite a few exploits listed for the version of Apache that is being installed/used with Petasan (2.4.29), and it recommends that it be updated to 2.4.46. Is there a way to do this as well?

What is the output of

dpkg -s sudo | grep Version
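The check the last reply is driving at, as an added example and not code from the thread or from PetaSAN: Ubuntu backports security fixes without changing the upstream number, so `sudo -V` (1.8.21p2) cannot tell you whether USN-4705-1 is applied; only the full Debian package version from `dpkg -s`, including the `-3ubuntu1.4` revision, can. The block implements the deb-version(7) ordering rules in Python and compares a constructed `dpkg -s sudo` output against the fixed version the USN names.

```python
# Added example, not from the thread or from PetaSAN: Debian version ordering
# (deb-version(7)) so the Version: field of `dpkg -s` can be compared with the
# fixed version a USN names. Sample dpkg output below is constructed.
import re
from itertools import zip_longest

def _order(c):
    # digits 0, letters by code, "~" before everything (even end), symbols last
    if c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    if c == "~": return -1
    return ord(c) + 256 if c else 0

def _cmp_nondigit(x, y):
    for cx, cy in zip_longest(x, y, fillvalue=""):
        if _order(cx) != _order(cy):
            return _order(cx) - _order(cy)
    return 0

def _verrevcmp(a, b):
    # split both into alternating (non-digit run, digit run) pairs, compare pairwise
    tok = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in zip_longest(tok(a), tok(b), fillvalue=("", "")):
        d = _cmp_nondigit(sa, sb) or int(na or 0) - int(nb or 0)
        if d:
            return d
    return 0

def parse_version(v):
    # [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else revision), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    d = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (d > 0) - (d < 0)

def installed_version(dpkg_status):
    m = re.search(r"^Version:\s*(\S+)", dpkg_status, re.M)  # None if not installed
    return m.group(1) if m else None

def is_patched(dpkg_status, fixed_version):
    v = installed_version(dpkg_status)
    return v is not None and compare_versions(v, fixed_version) >= 0

# Constructed `dpkg -s sudo` output, not captured from the poster's nodes.
SAMPLE_SUDO_STATUS = "Package: sudo\nStatus: install ok installed\nVersion: 1.8.21p2-3ubuntu1.2\n"
USN_4705_1_FIXED = "1.8.21p2-3ubuntu1.4"   # fixed version named in USN-4705-1
```

Comparing the bare `sudo -V` string against the fixed version always reads as older, which is exactly why the reply asks for `dpkg -s sudo` rather than `sudo -V`.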
