Oracle Linux and Ksplice - the Linux distribution with minimal downtime

The recent Dirty COW vulnerability (CVE-2016-5195) highlighted the need for zero-downtime updates - this was a vulnerability that has been present in the Linux kernel for many years, was actively being exploited and could result in a system being easily compromised.  The traditional means of closing this vulnerability would be to install a new kernel and reboot it, but new kernels take time to release, and the disruption of rebooting and the time spent to roll this out across...

Friday, November 4, 2016 | Ksplice | Read More

CVE-2016-5195/Dirty COW and Ksplice

Last week a serious Linux kernel vulnerability, CVE-2016-5195, nicknamed Dirty COW was announced.  This was a longstanding bug and affected most kernels that are running and was actively being exploited to escalate privileges on real Linux systems.  As soon as the bug was disclosed and the patch was released, the Ksplice team were quickly building and testing zero-downtime updates for over 5,000 supported kernels, in many cases making the fix available as a Ksplice update...

Monday, October 24, 2016 | Ksplice | Read More

Fixing Security Vulnerabilities in Linux

Security vulnerabilities are some of the hardest bugs to discover yet they can have the largest impact. At Ksplice, we spend a lot of time looking at security vulnerabilities and seeing how they are fixed. We use automated tools such as the Trinity syscall fuzzer and the Kernel Address Sanitizer (KASan) to aid our process. In this blog post we'll go over some case studies of recent vulnerabilities and show you how you can avoid them in your code. CVE-2013-7339 and CVE-2014-267...

Wednesday, July 22, 2015 | Ksplice | Read More

Ksplice SNMP Plugin

The Ksplice team is happy to announce the release of an SNMP plugin for Ksplice, available today on the Unbreakable Linux Network. The plugin will let you use Oracle Enterprise Manager to monitor the status of Ksplice on all of your systems, but it will also work with any monitoring solution that is SNMP compatible. Installation You'll find the plugin on Ksplice channel for your distribution and architecture. For Oracle Linux 6 on x86_64 that's ol6_x86_64_ksplice. Install the...

Wednesday, January 29, 2014 | Ksplice | Read More

Best Practice: Ksplice Deployment

Ksplice is designed to work in many different computing environments. Because upgrading the kernel on any running system is a hassle, we want you to be able to deploy Ksplice as widely as possible. As a consequence of this, there are a number of ways to set up a Ksplice installation for your Oracle Linux infrastructure. As the first part of a series of articles on Ksplice best practices, we've published a guide to deploying Ksplice on the Oracle Technology Network. This guide...

Monday, October 14, 2013 | Ksplice | Read More

CVE-2013-2224: Denial of service in sendmsg().

In September 2012, CVE-2012-3552 was reported which could allow an attacker to corrupt slab memory which could lead to a denial-of-service or possible privilege escalation depending on the target machine workload.  This bug had originally been fixed in the mainline kernel in April 2011 and was a fairly large patch for a security fix.  The RedHat backport for this fix introduced a new bug which has been assigned CVE-2013-2224 which again could allow for a denial-of-service or...

Thursday, August 8, 2013 | Ksplice | Read More

CVE-2013-2850: Remote heap buffer overflow in iSCSI target subsystem.

We have just released a rebootless update to deal with a critical security vulnerability: CVE-2013-2850: Remote heap buffer overflow in iSCSI target subsystem.If an iSCSI target is configured and listening on the network, a remoteattacker can corrupt heap memory, and gain kernel execution control overthe system and gain kernel code execution. As this vulnerability is exploitable by remote users, Ksplice is issuing an update for all affected kernels immediately. This update was...

Friday, May 31, 2013 | Ksplice | Read More

Ksplice update for CVE-2013-2094

This is a 0-day local privilege escalation found by Tommi Rantala while fuzzing the kernel using Trinity. The cause of that oops was patched in 3.8.10 in commit 8176cced706b5e5d15887584150764894e94e02f. 'spender' on Reddit has an interesting writeup on the details of this exploit. We've already shipped this for Fedora 17 and 18 for the 3.8 kernel, and an update for Ubuntu 13.04 will ship as soon as Canonical releases their kernel. We have a policy of only shipping updates that...

Wednesday, May 15, 2013 | Ksplice | Read More

Ksplice Inspector

With so many kernel updates released, it can be difficult to keep track. At Oracle, we monitor kernels on a daily basis and provide bug and security updates administrators can apply without a system reboot. To help out, the Ksplice team at Oracle has produced the Ksplice Inspector, a web tool to show you the updates Ksplice can apply to your kernel with zero downtime. The Ksplice Inspector is freely available to everyone. If you're running any Ksplice supported kernel, whether...

Tuesday, April 2, 2013 | Ksplice | Read More

Introducing RedPatch

The Ksplice team is happy to announce the public availability of one of our git repositories, RedPatch. RedPatch contains the source for all of the changes Red Hat makes to their kernel, one commit per fix and we've published it on oss.oracle.com/git. With RedPatch, you can access the broken-out patches using git, browse them online via gitweb, and freely redistribute the source under the terms of the GPL. This is the same policy we provide for Oracle Linux and the Unbreakable...

Friday, November 9, 2012 | Ksplice | Read More

The Ksplice Pointer Challenge

Back when Ksplice was just a research project at MIT, we all spent a lot of time around the student computing group, SIPB. While there, several precocious undergrads kept talking about how excited they were to take 6.828, MIT's operating systems class. "You really need to understand pointers for this class," we cautioned them. "Reread K&R Chapter 5, again." Of course, they insisted that they understood pointers and didn't need to. So we devised a test. Ladies and gentlemen, I...

Tuesday, October 18, 2011 | programming | Read More

Building a physical CPU load meter

I built this analog CPU load meter for my dev workstation: All I did was drill a few holes into the CPU and probe the power supply lines...     Okay, I lied. This is actually a fun project that would make a great intro to embedded electronics, or a quick afternoon hack for someone with a bit of experience. The parts The main components are: Current meter: I got this at MIT Swapfest. The scale printed on the face is misleading: the meter itself measures only about 600 microamps in...

Monday, June 27, 2011 | fun | Read More

Improving your social life with git

I've used RCS, CVS, Subversion, and Perforce. Then I discovered distributed version control systems. Specifically, I discovered git. Lightweight branching? Clean histories? And you can work offline? It seemed to be too good to be true.But one important question remained unanswered: Can git help improve my social life? Today, we present to you the astonishing results: why yes, yes it can. Introducing gitionary. The brainchild of Liz Denys and Nelson Elhage, it's what you get...

Saturday, May 7, 2011 | fun | Read More

Security Advisory: Plumber Injection Attack in Bowser's Castle

Advisory Name: Plumber Injection Attack in Bowser's Castle Release Date: 2011-04-01 Application: Bowser's Castle Affected Versions: Super Mario Bros., Super Mario Bros.: The Lost Levels Identifier: SMB-1985-0001 Advisory URL: https://blogs.oracle.com/ksplice/entry/security_advisory_plumber_injection_attack Vulnerability Overview Multiple versions of Bowser's Castle are vulnerable to a plumber injection attack. An Italian plumber could exploit this bug to bypass security measures(walk...

Thursday, March 31, 2011 | security | Read More

disown, zombie children, and the uninterruptible sleep

It's the end of the day on Friday. On your laptop, in an ssh session on a work machine, you check on long.sh, which has been running all day and has another 8 or 9 hours to go. You start to close your laptop. You freeze for a second and groan. This was supposed to be running under a screen session. You know that if you kill the ssh connection, that'll also kill long.sh. What are you going to do? Leave your laptop for the weekend? Kill the job, losing the last 8 hours of work? You...

Wednesday, March 16, 2011 | system-administration | Read More

Mapping your network with nmap

If you run a computer network, be it home WiFi or a global enterprise system, you need a way to investigate the machines connected to your network. When ping and traceroute won't cut it, you need a port scanner. nmap is the port scanner. It's a powerful, sophisticated tool, not to mention a movie star. The documentation on nmap is voluminous: there's an entire book, with a free online edition, as well as a detailed manpage. In this post I'll show you just a few of the cool...

Monday, February 21, 2011 | security | Read More

Happy Birthday Ksplice Uptrack!

One year ago, we announced the general availability of Ksplice Uptrack, a subscription service for rebootless kernel updates on Linux. Since then, a lot has happened! Adoption Over 600 companies have deployed Ksplice Uptrack on more than 100,000 production systems, on all 7 continents (Antarctica was the last hold-out). More than 2 million rebootless updates have been installed! You see the greatest system administration time and cost savings when you use Ksplice Uptrack on all...

Tuesday, February 15, 2011 | Ksplice | Read More

8 gdb tricks you should know

Despite its age, gdb remains an amazingly versatile and flexible tool, and mastering it can save you huge amounts of time when trying to debug problems in your code. In this post, I'll share 10 tips and tricks for using GDB to debug most efficiently. I'll be using the Linux kernel for examples throughout this post, not because these examples are necessarily realistic, but because it's a large C codebase that I know and that anyone can download and take a look at. Don't worry...

Monday, January 24, 2011 | programming | Read More

Coffee shop Internet access

How does coffee shop Internet access work? You pull out your laptop and type http://www.google.com into the URL bar on your browser. Instead of your friendly search box, you get a page where you pay money or maybe watch an advertisement, agree to some terms of service, and are only then free to browse the web. What is going on behind the scenes to give the coffee shop that kind of control over your packets? Let's trace an example of that process from first broadcast to last...

Monday, January 17, 2011 | networking | Read More

Solving problems with proc

The Linux kernel exposes a wealth of information through the proc special filesystem. It's not hard to find an encyclopedic reference about proc. In this article I'll take a different approach: we'll see how proc tricks can solve a number of real-world problems. All of these tricks should work on a recent Linux kernel, though some will fail on older systems like RHEL version 4. Almost all Linux systems will have the proc filesystem mounted at /proc. If you look inside...

Monday, January 10, 2011 | system-administration | Read More

Hosting backdoors in hardware

Have you ever had a machine get compromised? What did you do? Did you run rootkit checkers and reboot? Did you restore from backups or wipe and reinstall the machines, to remove any potential backdoors? In some cases, that may not be enough. In this blog post, we're going to describe how we can gain full control of someone's machine by giving them a piece of hardware which they install into their computer. The backdoor won't leave any trace on the disk, so it won't be...

Tuesday, October 26, 2010 | security | Read More

Anatomy of a Debian package

Ever wondered what a .deb file actually is? How is it put together, and what's inside it, besides the data that is installed to your system when you install the package? Today we're going to break out our sysadmin's toolbox and find out. (While we could just turn to deb(5), that would ruin the fun.) You'll need a Debian-based system to play along. Ubuntu and other derivatives should work just fine.     Finding a file to look at Whenever APT downloads a package to install, it...

Wednesday, October 6, 2010 | system-administration | Read More

Hijacking HTTP traffic on your home subnet using ARP and iptables

Let's talk about how to hijack HTTP traffic on your home subnet using ARP and iptables. It's an easy and fun way to harass your friends, family, or flatmates while exploring the networking protocols. Please don't experiment with this outside of a subnet under your control -- it's against the law and it might be hard to get things back to their normal state. The setup Significant other comes home from work. SO pulls out laptop and tries to catch up on social media like every...

Wednesday, September 29, 2010 | networking | Read More

Anatomy of an exploit: CVE-2010-3081

It has been an exciting week for most people running 64-bit Linux systems. Shortly after "Ac1dB1tch3z" released his or her exploit of the vulnerability known as CVE-2010-3081, we saw this exploit aggressively compromising machines, with reports of compromises all over the hosting industry and many machines using our diagnostic tool and testing positive for the backdoors left by the exploit. The talk around the exploit has mostly been panic and mitigation, though, so now that...

Wednesday, September 22, 2010 | security | Read More

CVE-2010-3081

Hi. I'm the original developer of Ksplice and the CEO of the company. Today is one of those days that reminds me why I created Ksplice. I'm writing this blog post to provide some information and assistance to anyone affected by the recent Linux kernel vulnerability CVE-2010-3081, which unfortunately is just about everyone running 64-bit Linux. To make matters worse, in the last day we've received many reports of people attacking production systems using an exploit for this...

Friday, September 17, 2010 | system-administration | Read More

Debugging shared library problems: a real-world example

There are few things I am less happy to see when trying to get some work done than something like: $ python >>> import pycurl Fatal Python error: pycurl: libcurl link-time version is older than compile-time version Aborted "link-time" + "compile-time" + one library using another and something is broken = some kind of shared library problem. Debugging shared library problems = Nooooo I just wanted to write some code.* But I don't have anyone to pawn this off on, and this...

Wednesday, September 8, 2010 | Ksplice | Read More

Ksplice for Fedora!

In response to many requests, Ksplice is proud to announce we're now providing Uptrack free of charge for Fedora! Fedora will join Ubuntu Desktop among our free platforms, and will give Fedora users rebootless updates as long as Fedora maintains each major kernel release.However, of note: Fedora is the only Linux distribution that migrates to a new Linux kernel version family (e.g. 2.6.33 to 2.6.34) during the lifetime of the product. This kernel version family migration is...

Tuesday, August 31, 2010 | Ksplice | Read More

Essay: 3G and me

In 2002, I got my first cell phone. June was stuffy in Manhattan, and my summer internship copy-editing the New York Sun, the now-defunct right-wing newspaper, was just about to start. I swam through the humid air past Madison Square Park to get to the store before closing. "You want this one," said the salesman at the RadioShack, pointing to a sleek model then on sale. "It's a 3G phone. It'll work with Sprint's new 3G network they're rolling out later this summer." "Ok," I...

Friday, August 20, 2010 | essays | Read More

Strace -- The Sysadmin's Microscope

Sometimes as a sysadmin the logfiles just don't cut it, and to solve a problem you need to know what's really going on. That's when I turn to strace -- the system-call tracer. A system call, or syscall, is where a program crosses the boundary between user code and the kernel. Fortunately for us using strace, that boundary is where almost everything interesting happens in a typical program. The two basic jobs of a modern operating system are abstraction and multiplexing....

Friday, August 6, 2010 | system-administration | Read More

Choose Your Own Sysadmin Adventure

Today is System Administrator Appreciation Day, and being system administrators ourselves,  we here at Ksplice decided to have a little fun with this holiday. We've taken a break, drank way too much coffee, and created a very special Choose Your Own Adventure for all the system administrators out there. Click here to begin the adventure. Feedback and comments welcome. Above all: Happy System Administrator Appreciation Day. Share the love with your friends, colleagues, and...

Friday, July 30, 2010 | fun | Read More

Learning by doing: Writing your own traceroute in 8 easy steps

Anyone who administers even a moderately sized network knows that when problems arise, diagnosing and fixing them can be extremely difficult. They're usually non-deterministic and difficult to reproduce, and very similar symptoms (e.g. a slow or unreliable connection) can be caused by any number of problems — congestion, a broken router, a bad physical link, etc. One very useful weapon in a system administrator's arsenal for dealing with network issues is traceroute (or tracert...

Thursday, July 29, 2010 | networking | Read More

Six things I wish Mom told me (about ssh)

If you've ever seriously used a Linux system, you're probably already familiar with at least the basics of ssh. But you're hungry for more. In this post, we'll show you six ssh tips that'll help take you to the next level. (We've also found that they make for excellent cocktail party conversation talking points.) (1) Take command! Everyone knows that you can use ssh to get a remote shell, but did you know that you can also use it to run commands on their own? Well, you...

Monday, July 26, 2010 | system-administration | Read More

Source diving for sysadmins

As a system administrator, I work with dozens of large systems every day--Apache, MySQL, Postfix, Dovecot, and the list goes on from there. While I have a good idea of how to configure all of these pieces of software, I'm not intimately familiar with all of their code bases. And every so often, I'll run into a problem which I can't configure around. When I'm lucky, I can reproduce the bug in a testing environment. I can then drop in arbitrary print statements, recompile with...

Tuesday, July 13, 2010 | system-administration | Read More

Building Filesystems the Way You Build Web Apps

FUSE is awesome. While most major Linux filesystems (ext3, XFS, ReiserFS, btrfs) are built-in to the Linux kernel, FUSE is a library that lets you instead write filesystems as userspace applications. When something attempts to access the filesystem, those accesses get passed on to the FUSE application, which can then return the filesystem data. It lets you quickly prototype and test filesystems that can run on multiple platforms without writing kernel code. You can...

Thursday, July 8, 2010 | programming | Read More

Let's Play Vulnerability Bingo!

Dear Fellow System Administrators,I like excitement in my life. I go on roller coasters, I ride my bike without a helmet, I make risky financial decisions. I treat my servers no differently. When my Linux vendor releases security updates, I think: I could apply these patches, but why would I? If I did, I'd have to coordinate with my users to schedule a maintenance window for 2am on a Sunday and babysit those systems while they reboot, which is seriously annoying, hurts...

Thursday, July 1, 2010 | security | Read More

Attack of the Cosmic Rays!

It's a well-documented fact that RAM in modern computers is susceptible to occasional random bit flips due to various sources of noise, most commonly high-energy cosmic rays. By some estimates, you can even expect error rates as high as one error per 4GB of RAM per day! Many servers these days have ECC RAM, which uses extra bits to store error-correcting codes that let them correct most bit errors, but ECC RAM is still fairly rare in desktops, and unheard-of in laptops. For...

Thursday, June 24, 2010 | system-administration | Read More

ntris: an idea taken a step too far

About nine months ago, I lost a lot of free time to a little applet called Pentris. The addition of pentomino pieces made the gameplay quite different from the original falling block game, but I couldn't help but think that Pentris didn't go far enough. As a programmer, I had to implement the natural generalization of the game. After a much longer development cycle than I had originally anticipated, ntris is now ready. (You'll need Java to run the applet.) In ntris, as your...

Thursday, June 17, 2010 | fun | Read More

Query Planners and Baseball

I'm not a big sports aficionado. However, I'm compelled by virtue of living in Boston to care about baseball, and I just finished reading Moneyball, which is all about baseball statistics. One thing about baseball I definitely appreciate is that there are lots of published statistics, because lots of statistics means nice big public data sets available for my relational database querying pleasure. Let's use baseball statistics as an excuse to learn more about query planners...

Thursday, June 10, 2010 | databases | Read More

The top 10 tricks of Perl one-liners

I'm a recovering perl hacker. Perl used to be far and away my language of choice, but these days I'm more likely to write new code in Python, largely because far more of my friends and coworkers are comfortable with it. I'll never give up perl for quick one-liners on the command-line or in one-off scripts for munging text, though. Anything that lasts long enough to make it into git somewhere usually gets rewritten in Python, but nothing beats perl for interactive messing...

Thursday, May 27, 2010 | system-administration | Read More

The wireless traffic of MIT students

Wireless traffic is both interesting and delightfully accessible thanks to the broadcast nature of 802.11. I have spent many a lazy weekend afternoon watching my laptop, the Tivo, and the router chatting away in a Wireshark window. As fun as the wireless traffic in one's house may be, there's something to be said for being able to observe a much larger ecosystem - one with more people with a more diverse set of operating systems, browsers, and intentions as they work on...

Thursday, May 20, 2010 | networking | Read More

Constant factors: constantly foiling you

There are many different kinds of bugs with many different causes. Sometimes, it's just some silly typo or type mismatch; other times, it's an algorithmic issue or a correctness error; and occasionally, it appears to be something much stranger. This is a story about that last kind of bug, where finding the location of the problem is relatively straightforward, but figuring out how to fix it, or even why it's happening, isn't so easy. We first meet our hero, yours truly, as he...

Thursday, May 13, 2010 | databases | Read More

PXE dust: scalable day-to-day diskless booting

If you're a veteran system administrator, you might remember an era of extremely expensive hard disk storage, when any serious network would have a beefy central file server (probably accessed using the Network File System, NFS) that formed the lifeblood of its operations. It was a well-loved feature as early as Linux kernel 2.0 that you could actually boot your machine with a root filesystem in NFS and have no local disk at all. Hardware costs went down, similar machines...

Thursday, May 6, 2010 | system-administration | Read More

1st International Longest Tweet Contest: The Winners

How much information is in a tweet? A month ago, we asked that question, in the First International Longest Tweet Contest. The most longwinded tweeters on earth answered the call. The result: about 4,370 bits. Congrats to the entrants, and best of luck honing your entries for next year! Ksplice is pleased to award our acclaimed, limited-edition T-shirts to the top three contenders. In no particular order, they are: Todd Lehman Mr. Lehman's entry, originally posted as a blog...

Tuesday, April 20, 2010 | programming | Read More

Much ado about NULL: Exploiting a kernel NULL dereference

Last time, we took a brief look at virtual memory and what a NULL pointer really means, as well as how we can use the mmap(2) function to map the NULL page so that we can safely use a NULL pointer. We think that it's important for developers and system administrators to be more knowledgeable about the attacks that black hats regularly use to take control of systems, and so, today, we're going to start from where we left off and go all the way to a working exploit for a NULL po...

Tuesday, April 13, 2010 | programming | Read More

Reminder: Last day for Longest Tweet Contest entries

Reminder: The entry period for the 1st International Longest Tweet Contest closes today. Good luck! ~keithw

Sunday, April 11, 2010 | programming | Read More

Hello from a libc-free world! (Part 2)

In the previous post we conquered compilation by constructing a small program that can be compiled without using libc. Understanding object code and the details of an ELF executable are the next step in our adventure. We left off with the following program pieces: jesstess@kid-charlemagne:~$ cat stubstart.S .globl _start_start: call main movl $1, %eax xorl %ebx, %ebx int $0x80 jesstess@kid-charlemagne:~$ cat hello.c int main() { char *str = "Hello World"; return 0; } jesstess@kid-c...

Tuesday, April 6, 2010 | computer-architecture | Read More

Much ado about NULL: An introduction to virtual memory

Here at Ksplice, we're always keeping a very close eye on vulnerabilities that are being announced in Linux. And in the last half of last year, it was very clear that NULL pointer dereference vulnerabilities were the current big thing. Brad Spengler made it abundantly clear to anyone who was paying the least bit attention that these vulnerabilities, far more than being mere denial of service attacks, were trivially exploitable privilege escalation vulnerabilities. Some...

Tuesday, March 30, 2010 | programming | Read More

The 1st International Longest Tweet Contest

How much information is in a tweet? There are a lot of snarky answers to that. Let's talk mathematically, where information is measured in bits: How many bits can be expressed in a tweet? It's kind of fun to try to figure out how to cram in the most information. Our current in-house record is 4.2 kilobits (525 bytes) per tweet, but this can definitely be bested. Twitter's 140-character limit has been under assault for some time, but nobody has decisively anointed a winner. To...

Thursday, March 25, 2010 | programming | Read More

Hello from a libc-free world! (Part 1)

As an exercise, I want to write a Hello World program in C simple enough that I can disassemble it and be able to explain all of the assembly to myself. This should be easy, right? This adventure assumes compilation and execution on a Linux machine. Some familiarity with reading assembly is helpful. Here's our basic Hello World program: jesstess@kid-charlemagne:~/c$ cat hello.c #include <stdio.h> int main() {printf("Hello World\n");return 0; } Let's compile it and get a bytecount: jesst...

Tuesday, March 16, 2010 | computer-architecture | Read More

How to quadruple your productivity with an army of student interns

Startup companies are always hunting for ways to accomplish as much as possible with what they have available. Last December we realized that we had a growing queue of important engineering projects outside of our core technology that our team didn't have the time to finish anytime soon. To make matters worse, we wanted the projects completed right away, in time for our planned product launch in early February.So what did we do? The logical solution, of course. We quadrupled...

Wednesday, March 10, 2010 | Ksplice | Read More

/etc/init.d/blog start

Welcome to the Ksplice blog! I struggled for quite some time coming up with a grand opening for this blog. Something profound like "We the people, in order to form more perfect computing..." or "The history of the world is the history of rebooting". But that proved too hard, so instead, I want to take a moment to briefly tell the Ksplice story, in the hopes of providing a bit more insight into who we are and what we're all about.Ksplice was born on a beautiful summer day back...

Friday, March 5, 2010 | Ksplice | Read More
 

Visit the Oracle Blog

 

Contact Us

Oracle

Integrated Cloud Applications & Platform Services