KB Article #178222

CVE-2016-5195 a.k.a "Dirty COW" - impact and fix on Axway appliances

CVE-2016-5195, a.k.a. Dirty COW, is a race condition found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus escalate their privileges on the system.


More information about CVE-2016-5195 is available in the MITRE CVE and NIST NVD dictionaries.


Additional information can also be found on the Red Hat and SUSE portals, as well as on the dedicated web site.

Resolution

The fix is available for Axway appliance platform versions 7.0.0 and 7.0.1 (running SLES 11 SP4) from the Axway appliance repository.


All Axway appliances running a lower appliance platform version (for example, appliance platform version 6.7.1 on SLES 11 SP3) must be upgraded in order to receive the kernel fix for CVE-2016-5195.


Case A: Applying the fix for Axway appliance platform versions 7.0.0 and 7.0.1


In order to download updates, Axway Appliances maintain an offline list of repositories to connect to. This list is created automatically on Appliance Platform 6.7.1 and above; if it has been changed, the repositories can be recreated. The first step is to remove all currently configured repositories:

1. Run:


# rm -Rf /etc/zypp/repos.d/*.repo


2. Recreate the needed repositories:


# zypper addrepo --type rpm-md --name SLES-LATEST-UPDATES --no-gpgcheck --refresh --no-keep-packages http://appliance-repo.axway.com/os/sles11-sp4/updates SLES-LATEST-UPDATES
# zypper addrepo --type rpm-md --name SLES-HAE-LATEST-UPDATES --no-gpgcheck --refresh --no-keep-packages http://appliance-repo.axway.com/os/sles11-hae-sp4/updates SLES-HAE-LATEST-UPDATES


3. Install updates using zypper:


# zypper update


4. Reboot the appliance.


After the updates are installed and the appliance has been rebooted, the kernel version should be the fixed release:


# uname -r
3.0.101-84-default


Detailed information on installing security updates on Axway Appliances from the Axway repositories with "zypper" is available in KB 177390.


Case B: Applying the fix for Axway appliance platform version 6.7.1


1. Log in to the appliance as root and check the appliance platform version:


# grep -i AP_VERSION /etc/platform.conf
AP_VERSION=6.7.1


If the output matches the above, proceed with step 2 below:


2. Download the appliance platform OS upgrade package available at:


Appliance_Platform 7.0.1 UpgradePack1 from 6.7.1-7.0.0 (ap-x86-64)


3. Extract the archive in a temporary location on the appliance (for example: /var/tmp/appliance_upgrade_binaries_to_app_version_7.0.1); stop the ST services and make a full backup (tar.gz archive; consult KB 102186 for recommendations) of the existing ST instance (the ST installation path, including the Axway installer).


# cd /var/tmp/appliance_upgrade_binaries_to_app_version_7.0.1
# gunzip Appliance_Platform_7.0.1_UP1-from-6.7.1-7.0.0_ap-x86-64_BN12.tgz
# tar -xvf Appliance_Platform_7.0.1_UP1-from-6.7.1-7.0.0_ap-x86-64_BN12.tar

The sample follows the path convention used above and assumes that the /var/tmp/appliance_upgrade_binaries_to_app_version_7.0.1 directory has already been created and that the upgrade archive has been placed in it.


4. Run the OS upgrade script. It is recommended to execute the upgrade script from a terminal console (DRAC console, KVM, or a keyboard, mouse and monitor connected directly to the appliance) rather than from a shell session.


The sample is run from the directory the archive has been extracted into.


# ./upgrade.sh


Once the platform upgrade is complete, follow all the steps described in Case A.


Important Notice: In environments running appliance platform 6.7.1 (SLES 11 SP3) with a SAN attached via an OCFS2 cluster configured with the O2CB cluster service, the OCFS2 cluster has to be reconfigured to use the SUSE Linux Enterprise High Availability cluster with OCFS2 before upgrading to appliance platform version 7.0.1 and applying the kernel fix for CVE-2016-5195, because the O2CB cluster service no longer functions properly on SLES 11 SP4 (used in appliance platform versions 7.0.0 and 7.0.1).


Important Notice: Make sure to archive the SAN partition content to a safe location (a different network share) before starting the setup of the SUSE Linux Enterprise High Availability cluster with OCFS2, as the content of the SAN partition to be mounted will be deleted during the process.


Case C: Applying the fix for Axway appliances with platform versions prior to 6.7.1


Axway appliances with appliance platform versions lower than 6.7.1 have to be upgraded to appliance platform version 6.7.1 as an intermediate step before upgrading to appliance platform 7.0.1, where the kernel fix for CVE-2016-5195 can be applied.


The links to the appliance platform upgrade binaries for appliance platform version 6.7.1 are listed below:


Appliance_Platform 6.7.1 UpgradePack1 from 6.6.0-6.7.0 (ap-x86-64)

Appliance_Platform 6.7.1 UpgradePack1 from 6.0.0-6.5.x (ap-x86-64)

Appliance_Platform 6.7.1 UpgradePack1 from 4.6.0-5.3.x (ap-x86-64)


1. Log in to the appliance as root and check the appliance platform version:


# grep -i AP_VERSION /etc/platform.conf


Depending on the result, download the correct appliance platform upgrade binary from the list above, move it to a temporary location, extract the archive and proceed with the appliance platform upgrade to version 6.7.1. Again, it is recommended to execute the upgrade script from a terminal console (DRAC console, KVM, or a keyboard, mouse and monitor connected directly to the appliance) rather than from a shell session.


Once the upgrade is successful, proceed with the steps under Case B.
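The version checks that open Cases A, B and C above can be combined into one script that tells an administrator where to start in this article and whether the fixed kernel is already running. This is an added example, not part of the Axway KB article or of any Axway tooling; the script name check_dirtycow.sh, the --live switch and the sample releases in the comments are assumptions, and the only values taken from the article are the platform versions, the /etc/platform.conf AP_VERSION key and the fixed kernel release 3.0.101-84-default.

```shell
#!/bin/sh
# Added example, not part of the Axway KB article: decide which Case (A, B or C)
# of the article applies to an appliance and whether the running kernel is already
# the fixed SLES 11 SP4 release. Values are passed as arguments so the logic can be
# exercised on constructed input; the --live mode reads them from the appliance.

FIXED_KERNEL="3.0.101-84-default"   # post-update kernel release named in the article

# ap_case AP_VERSION -> prints A, B or C, matching the article's three cases
ap_case() {
    case "$1" in
        7.0.0|7.0.1) echo A ;;   # SLES 11 SP4: zypper update is enough
        6.7.1)       echo B ;;   # SLES 11 SP3: platform upgrade to 7.0.1 first
        *)           echo C ;;   # older: intermediate upgrade to 6.7.1 first
    esac
}

# kernel_patched RELEASE -> exit 0 if RELEASE is at or above FIXED_KERNEL.
# Compares the numeric fields of e.g. "3.0.101-84-default" left to right, so a
# constructed SP3-style release "3.0.101-0.47.71-default" is reported unpatched.
kernel_patched() {
    have=$(echo "${1%-default}" | tr '.-' '  ')
    want=$(echo "${FIXED_KERNEL%-default}" | tr '.-' '  ')
    set -- $have                      # positional params now hold the fields
    for w in $want; do
        h=${1:-0}                     # missing trailing field counts as 0
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        if [ $# -gt 0 ]; then shift; fi
    done
    return 0
}

# report AP_VERSION RELEASE -> one line saying where to start in the article
report() {
    c=$(ap_case "$1")
    if kernel_patched "$2"; then
        echo "AP_VERSION=$1 kernel=$2: fixed kernel present, Case $c already applied"
    else
        echo "AP_VERSION=$1 kernel=$2: vulnerable to CVE-2016-5195, start with Case $c"
    fi
}

# Live mode on an appliance (skipped when the file is sourced for testing):
#   sh check_dirtycow.sh --live
if [ "${1:-}" = "--live" ]; then
    report "$(sed -n 's/^AP_VERSION=//p' /etc/platform.conf)" "$(uname -r)"
fi
```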