Security

Ubuntu Security Updates

Question: 

How do I apply Ubuntu security updates to my Stackato cluster?

Answer: 

Ubuntu Security Updates

Both the Stackato VM and the Docker base image used for application containers run Ubuntu. To maintain an up-to-date system with all known security patches in place, the VM and Docker base images should be updated with the following process whenever an important security update becomes available in the Ubuntu repositories.

Upgrade the Stackato VM

Run the following commands on all cluster nodes, one node at a time:

sudo apt-get update
sudo unattended-upgrades -d

If you are using a proxy you may need to export http_proxy and https_proxy environment variables. For example:

sudo sh -c "http_proxy=http://myproxy.example.com:3128 https_proxy=http://myproxy.example.com:3128 unattended-upgrades -d"

This will run the unattended-upgrades script to install all upgrades from the "-security" stream.

Each node should be rebooted after unattended-upgrades completes to ensure new kernels, modules, and libraries are loaded.
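The node-by-node procedure above as a rolling-upgrade script, with the check a practitioner wants after the reboot: that the node really booted the newest installed kernel rather than the one it had before. This is an added example, not a script shipped with Stackato or from the original FAQ. It assumes ssh key access and passwordless sudo for SSH_USER on every node, that NODES lists the cluster hosts, and an optional PROXY in the same form as the example above; those variable names are this example's own.

```shell
#!/bin/sh
# Rolling Ubuntu -security upgrade for Stackato cluster nodes, one at a time.
# Added example (not ActiveState's code). Assumes: ssh key auth, passwordless
# sudo for SSH_USER, and that a node is back when it answers ssh after reboot.
set -eu

NODES="${NODES:-}"                 # space-separated hostnames, e.g. "dea1 dea2 router1"
SSH_USER="${SSH_USER:-stackato}"
PROXY="${PROXY:-}"                 # e.g. http://myproxy.example.com:3128 (optional)
SSH_WAIT_SECS="${SSH_WAIT_SECS:-300}"

# Remote command string. sudo resets the environment, so when a proxy is
# needed it is passed through 'sudo env' for both apt-get and unattended-upgrades.
upgrade_cmd() {
    proxy="$1"
    if [ -n "$proxy" ]; then
        printf '%s' "sudo env http_proxy=$proxy https_proxy=$proxy sh -c 'apt-get update && unattended-upgrades -d'"
    else
        printf '%s' "sudo sh -c 'apt-get update && unattended-upgrades -d'"
    fi
}

# stdin: lines of "<dpkg status abbrev> <package>" for linux-image-* packages
# (see REMOTE_KLIST below); $1: the running kernel from 'uname -r'.
# True when the running kernel is the newest *installed* (status "ii") one.
booted_newest_kernel() {
    running="$1"
    newest=$(awk '$1 == "ii" && $2 ~ /^linux-image-[0-9]/ { sub(/^linux-image-/, "", $2); print $2 }' \
             | sort -V | tail -n 1)
    [ -n "$newest" ] && [ "$running" = "$newest" ]
}
REMOTE_KLIST="dpkg-query -W -f='\${db:Status-Abbrev} \${Package}\n' 'linux-image-[0-9]*'"

# Block until the node answers ssh again, or give up after SSH_WAIT_SECS.
wait_for_ssh() {
    host="$1"; waited=0
    until ssh -o ConnectTimeout=5 -o BatchMode=yes "$SSH_USER@$host" true 2>/dev/null; do
        waited=$((waited + 5))
        if [ "$waited" -ge "$SSH_WAIT_SECS" ]; then return 1; fi
        sleep 5
    done
}

upgrade_node() {
    host="$1"
    echo "== $host: applying -security upgrades"
    ssh "$SSH_USER@$host" "$(upgrade_cmd "$PROXY")"
    # The FAQ asks for a reboot after every run so new kernels, modules and
    # libraries are actually loaded, so reboot unconditionally.
    echo "== $host: rebooting"
    ssh "$SSH_USER@$host" 'sudo reboot' || true      # ssh may drop mid-reboot
    sleep 15
    wait_for_ssh "$host" || { echo "$host did not come back" >&2; return 1; }
    running=$(ssh "$SSH_USER@$host" uname -r)
    if ssh "$SSH_USER@$host" "$REMOTE_KLIST" | booted_newest_kernel "$running"; then
        echo "== $host: running newest installed kernel $running"
    else
        echo "== $host: WARNING still on kernel $running, not the newest installed" >&2
        return 1
    fi
}

main() {
    [ -n "$NODES" ] || { echo 'set NODES="host1 host2 ..."' >&2; exit 2; }
    for n in $NODES; do
        upgrade_node "$n"     # stop on the first failure: never two nodes down at once
    done
}

# Usage: NODES="dea1 dea2" PROXY=http://myproxy.example.com:3128 sh rolling-upgrade.sh run
if [ $# -gt 0 ] && [ "$1" = "run" ]; then main; fi
```

The script stops at the first node that fails to come back or that is still running an old kernel, so a bad update never takes a second node out of the cluster.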

2.10 - Patch the LXC Container Template

Follow the process laid out in this previous FAQ:
http://community.activestate.com/node/10406

3.X - Upgrade the Docker image

The base Docker image used for application containers should also be upgraded once the VM is up-to-date. Perform the following steps on each DEA node in the cluster, one node at a time:

Create a new working directory:

mkdir ~/upgrade-alsek && cd $_

Create a Dockerfile. In this new directory, create a file called "Dockerfile" and add the following:

FROM stackato/stack-alsek
# One RUN layer: with separate RUN lines a cached "apt-get update" layer is
# reused on the next rebuild and no new packages are fetched. "-y" is needed
# because there is no terminal to answer the autoremove prompt during a build.
RUN apt-get update && unattended-upgrades -d \
 && apt-get -y autoremove && apt-get clean && rm -rf /var/lib/apt/lists/*

Build the docker image. Give the image a tag relevant to this particular upgrade (e.g. "upgrade-2014-09-19"):

sudo docker build --rm -t stackato/stack-alsek:upgrade-2014-09-19 .

The "." at the end is important. It specifies to use the Dockerfile in the current directory.

Tag the Docker image as the "latest" stack-alsek image:

sudo docker tag stackato/stack-alsek:upgrade-2014-09-19 stackato/stack-alsek:latest

All running applications will need to be restarted by their owners or Stackato admins (using the management console or the stackato client) in order for security upgrades to take effect within their application containers. You can check which image running apps are using by running docker ps on your DEAs (but do not use docker restart).

If you have DEA autoscaling enabled, be sure to also update the DEA template.
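The image rebuild above as a script, with two checks the FAQ implies but does not spell out: that the rebuilt image really has no -security upgrades left pending (a build "succeeds" even when the repositories were unreachable through a proxy), and which running containers are still on the old image and therefore still need their apps restarted. This is an added example, not part of Stackato or the original FAQ. It assumes docker is installed on the DEA node, the image name from the FAQ, and an Ubuntu archive layout where security package origins contain "-security"; the variable names are this example's own.

```shell
#!/bin/sh
# Rebuild stackato/stack-alsek with current -security packages, verify it,
# retag it as latest, and list containers still running the old image.
# Added example (not ActiveState's code); assumes docker on the DEA node.
set -eu

IMAGE="${IMAGE:-stackato/stack-alsek}"
TAG="${TAG:-upgrade-$(date +%Y-%m-%d)}"        # e.g. upgrade-2014-09-19
WORKDIR="${WORKDIR:-${HOME:-/tmp}/upgrade-alsek}"

# Single RUN layer: a separate, cached 'apt-get update' layer would be reused
# on the next rebuild and the new packages never fetched.
write_dockerfile() {
    cat > "$1/Dockerfile" <<EOF
FROM $IMAGE
RUN apt-get update && unattended-upgrades -d \\
 && apt-get -y autoremove && apt-get clean && rm -rf /var/lib/apt/lists/*
EOF
}

# stdin: output of 'apt-get -s upgrade' run inside the new image. Each
# "Inst pkg [old] (new Ubuntu:14.04/trusty-security [amd64])" line is a
# security update that is still pending; print how many there are.
pending_security_updates() {
    grep -c '^Inst .*-security' || true
}

# stdin: "containerId imageId" lines (docker inspect output); $1: the image
# id that was :latest before the rebuild. Prints containers still on it.
containers_on_image() {
    awk -v old="$1" '$2 == old { print $1 }'
}

main() {
    mkdir -p "$WORKDIR"
    write_dockerfile "$WORKDIR"
    old_id=$(sudo docker inspect --format '{{.Id}}' "$IMAGE:latest")

    sudo docker build --rm -t "$IMAGE:$TAG" "$WORKDIR"

    # Verify before retagging; refuse to publish an image that still has
    # security updates outstanding.
    pending=$(sudo docker run --rm "$IMAGE:$TAG" \
        sh -c 'apt-get update -qq >/dev/null && apt-get -s upgrade' | pending_security_updates)
    if [ "$pending" -ne 0 ]; then
        echo "$pending security updates still pending in $IMAGE:$TAG; check proxy/repo access" >&2
        exit 1
    fi

    sudo docker tag "$IMAGE:$TAG" "$IMAGE:latest"

    echo "containers still on old image $old_id (restart their apps via the console or stackato client, not docker restart):"
    sudo docker ps -q | xargs -r sudo docker inspect --format '{{.Id}} {{.Image}}' \
        | containers_on_image "$old_id"
}

# Usage on a DEA node: sh rebuild-alsek.sh run
if [ $# -gt 0 ] && [ "$1" = "run" ]; then main; fi
```

Because the old image id is recorded before the build, the final listing is exact even after :latest has been moved, which a plain "docker ps" (showing the tag rather than the id) does not give you.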

For more information, see the Stackato documentation:
docs.stackato.com/admin/best-practices/index.html#ubuntu-security-updates

Heartbleed vulnerability and Stackato

Question: 

Is Stackato vulnerable to the Heartbleed bug? How can I patch Stackato?

Answer: 

Stackato is vulnerable to the Heartbleed bug. You can patch your system by running "kato patch install heartbleed-fix". This patch will install updated OpenSSL libraries on both the host VM and inside the container templates. Most apps won't need to be redeployed, but some may depending on the app and how SSL is used. We advise you test your app (see tools below) after applying the patch to determine if redeploying the app is necessary.

A patch is also available for Stackato 2.10.4 here:
https://get.stackato.com/patch/2.10/stackato-2.10.4-heartbleed.sh

If you have any questions please contact ActiveState support.

More info:

http://heartbleed.com/
http://filippo.io/Heartbleed/
https://gist.github.com/sh1n0b1/10100394
https://github.com/titanous/heartbleeder
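The answer above says some apps may still need redeploying after the patch. The reason is that a process that was already running keeps the old, now-deleted libssl mapped in memory until it is restarted, even though the fixed library is on disk. The check below finds such processes on a node; it applies equally after any libssl upgrade from the Ubuntu procedure earlier on this page. This is an added example, not part of kato or the original FAQ; it assumes a Linux /proc, and PROC_ROOT exists only so the scan can be pointed at a copied or test directory.

```shell
#!/bin/sh
# List processes that still map a deleted libssl/libcrypto after an OpenSSL
# upgrade (e.g. 'kato patch install heartbleed-fix'): these are still running
# the old code and must be restarted or redeployed.
# Added example (not ActiveState's code); assumes a Linux /proc.
set -eu

PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "pid library" for every process whose memory maps reference a
# libssl/libcrypto file that the kernel marks "(deleted)".
# maps columns: address perms offset dev inode path [(deleted)]
stale_ssl_pids() {
    root="${1:-$PROC_ROOT}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=$(basename "$(dirname "$maps")")
        awk -v pid="$pid" \
            '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print pid, $6; exit }' "$maps"
    done
}

main() {
    echo "installed: $(dpkg-query -W -f='${Package} ${Version}' libssl1.0.0 2>/dev/null || echo 'libssl1.0.0 not found')"
    report=$(stale_ssl_pids "$PROC_ROOT")
    if [ -z "$report" ]; then
        echo "no running process maps a deleted libssl/libcrypto"
        return 0
    fi
    echo "$report" | while read -r pid lib; do
        # cmdline is NUL-separated; show it as one line so the process is recognisable
        cmd=$(tr '\0' ' ' < "$PROC_ROOT/$pid/cmdline" 2>/dev/null || true)
        echo "restart needed: pid $pid ($cmd) still maps deleted $lib"
    done
    return 1
}

# Usage on a node, as root so every /proc/PID/maps is readable: sh stale-ssl.sh run
if [ $# -gt 0 ] && [ "$1" = "run" ]; then main; fi
```

Run it as root, otherwise maps of other users' processes (including app containers) are unreadable and silently skipped. A non-zero exit means at least one process still has the vulnerable library loaded.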

Stackato 2.10.6 Ruby Security Patch

Question: 

I notice that Ruby released a critical security update recently. Is Stackato impacted by this?

Answer: 

Stackato is indeed affected by this. A patch has been generated and is available via 'kato patch'. As always, this can be installed via 'kato patch status' followed by 'kato patch install'.

Notes: This patch downloads a 50 MB tar file from our public download site, and will do so on every node in your cluster. This file will be removed once the patch is installed.

Additionally, this patch will restart EVERY role on EVERY node on your cluster as stackato makes significant use of ruby in a number of places. The outage shouldn't last more than a minute for each node though this might vary slightly depending on your IaaS solution.

Stackato 2.10.X NodeJS security fix v0.10.21

Question: 

I saw that NodeJS recently released a critical security patch. Is Stackato affected by this, as it uses NodeJS for the router component?

Answer: 

Yes, this vulnerability does impact Stackato. We have already generated a patch which will replace the existing Node version with their updated version.

### 2.10.4
You can download the patch at http://get.stackato.com/patch/2.10/stackato-2.10.4-nodejs-security-fix.sh. This patch will need to be applied to any nodes running the 'router' role as well as your core role (which acts as a router). The patch can be applied via 'sh stackato-2.10.4-nodejs-security-fix.sh'. After applying this patch you should restart your router role by executing 'kato restart router'.

### 2.10.6
This patch is available for 2.10.6 through the kato patch command. You will need to update your manifest via 'kato patch status', and you can install the patch after doing that by executing 'kato patch install'. This patch will require a sudo password, and you should note that it will restart your router.

Stackato 2.10.X Security Fix - container sudo fix

Question: 

Any recent security patches for Stackato?

Answer: 

We've generated a second patch that needs to be applied on top of the initial apt-get-wrapper patch to fix an issue that this was causing with unprivileged users in containers.

### 2.10.4

The first step is to install everything at http://community.activestate.com/node/10157. This will include http://get.stackato.com/patch/2.10/stackato-2.10.4-apt-get-wrapper.sh, which has the issue described above. This can be corrected with the patch downloaded at http://get.stackato.com/patch/2.10/stackato-2.10.4-apt-get-wrapper-fix.sh. Patch instructions are to upload the patch to all nodes running 'DEA' or 'Stager' in your cluster and execute it via 'sh stackato-2.10.4-apt-get-wrapper-fix.sh'. After doing this you should restart your stager and/or DEA roles. Any future applications deployed will have this fix enabled.

### 2.10.6

This patch is available via the kato patch command and can be installed by executing 'kato patch update' followed by 'kato patch install'.

Stackato 2.10.X-Security: Disable SSLv2 in Stackato

Question: 

I've noticed stackato allows communication via SSLv2 and I have some concerns about how secure that is. Is there any way to disable SSLv2?

Answer: 

We're aware of security concerns related to SSLv2, as discussed in http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security. To this end we've created a patch for stackato that replaces a package used by our routers and disables SSLv2.

## 2.10.4
2.10.4 users can download this patch from http://get.stackato.com/patch/2.10/stackato-2.10.4-sslv2-disable.sh. This patch should be applied to (at least) all of the routers in the cluster. After uploading the patch to the affected nodes, install it via 'sh stackato-2.10.4-sslv2-disable.sh'.

After installing this patch, the router role will need to be restarted via 'kato restart router'. This will result in a brief interruption to router services, which will interrupt communication to your cluster for several seconds if your cluster has one router only.

*IMPORTANT NOTE* Edited on October 18, 2013: Due to a security fix for NodeJS, we've created a newer binary for this component. More information is at http://community.activestate.com/node/10409, but you should note that this patch does not need to be installed anymore; the patch in the above link provides this functionality as well as the security fix. If you have already installed this patch, please install the patch linked above as well, as it will overwrite the binary created here.

## 2.10.6
This patch can be installed via kato patch. Execute 'kato patch update' to download the most recent list of patches. After this is finished, execute 'kato patch install' to install all patches. This will restart the router role on any node running that role, which will result in an interruption of service for several seconds if your cluster has one router only.

Stackato 2.10.X stackato-ssh security fix

Question: 

Are there any security patches for stackato-ssh?

Answer: 

We've identified a security vulnerability related to stackato-ssh that will require a patch to any nodes configured as either 'primary' or 'load balancer' for the cluster.

You can download the patch at http://get.stackato.com/patch/2.10/stackato-2.10.4-stackato-ssh-validati.... The patch will not interrupt any service and requires no restarts.

This patch is also available for 2.10.6 users via kato patch, and can be installed with 'kato patch install'.

Stackato 2.10.X Security Patches

Question: 

An assortment of security patches are available, we strongly recommend you apply them

Answer: 

## 2.10.4

Please apply the following patches **in this order** by executing the scripts on each of your nodes. After applying the patches, please restart all controller and stager roles by running "kato restart controller" and "kato restart stager" on the nodes assigned to those roles.

http://get.stackato.com/patch/2.10/stackato-2.10.4-download-and-director...
http://get.stackato.com/patch/2.10/stackato-2.10.4-apt-get-wrapper.sh
http://get.stackato.com/patch/2.10/stackato-2.10.4-staging-use-apt-get-w...
http://get.stackato.com/patch/2.10/stackato-2.10.4-router-head-hpe.sh

After you have installed these patches, you should also install

http://get.stackato.com/patch/2.10/stackato-2.10.4-apt-get-wrapper-fix.sh

This corrects an issue with apt-get-wrapper. Note that it is extremely important that this be installed AFTER apt-get-wrapper is installed, and that both need to be installed for correct security.

## 2.10.6

Please apply an upgrade to the kato-patch system:

wget https://get.stackato.com/kato-patch/updates/2.10.6/kato-patch-5.sh
sh kato-patch-5.sh --target /s/kato/lib/kato/cli/cmd/patch/

Once kato-patch is upgraded, please run:

kato patch install --all

This will install all patches and update your system. This command will automatically restart various roles as patches are applied and may interrupt various services briefly. It will prompt for your password several times for each node.

Stackato 2.10.X Security Fix - Stager credential validation

Question: 

Stackato Security Patch

Answer: 

The following patch needs to be applied to all stager and controller nodes:

https://get.stackato.com/patch/2.10/stackato-2.10.4-download-and-directo...

Copy the script to all affected nodes. You can run the patch via 'sh stackato-2.10.4-download-and-directory-traversal.sh'. After applying the patch you should restart the controller and/or stager roles via 'kato restart controller' and 'kato restart stager'.

This patch is also available for 2.10.6 users via kato patch, and can be installed with 'kato patch install'.

ActivePerl CVE-2012-5377 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5377, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActivePerl issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding DLL conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActivePerl has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command will copy the permissions of "C:\Program Files" to the Perl directory (replace 'C:\Perl' with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Perl'"

Be advised that protecting Perl from this vulnerability *will* result in reduced functionality.
- Installing to a protected program files silo will mean you must have elevated privileges to use PPM or "CPAN" to install or update modules, and will mean that you will need to deal with any white space issues on your own. Use of modules will only be affected if the module design requires write access for the user.
- If you mitigate by using altered acls, you must have elevated privileges to use PPM or "CPAN" to install or update modules. Use of modules will only be affected if the module design requires write access for the user.

PowerShell is included in Windows 7. With older versions, you may be able to download it.