TuxCare Team, Author at TuxCare

Business Value of ELS Patching for Python

Python has grown tremendously, and its impact has been remarkable. It has become one of the most popular programming languages among developers and researchers.

Python is an object-oriented, high-level, interpreted programming language. It was created by Guido van Rossum and first released in 1991, and it has been used for a wide range of projects since then.

The importance of Python for DevOps

A recent survey of 4,600 IT professionals found that teams which adopted a DevOps culture deployed code 200% more often than those which did not. They also spent half as much time on bug-fix patches, recovered twice as fast after failures, and saw three times fewer failed changes. Most importantly, they achieved these results without sacrificing quality.

What is Python’s place among DevOps tools? Its versatility and ease of use make it a natural fit for DevOps workflows: developers can write automation scripts and run them on production servers without building bespoke infrastructure for them. Python is widely adopted across the industry, so it is easy to find people who already know how to use it.

Python is one of several programming languages commonly used by teams practicing DevOps. It has many advantages compared to other languages, making it an excellent choice for this role.

Buying Time to Migrate to the Following Code Release of Python

Several challenges become critical once an organization adopts Python as its primary language for application development and automation. After a new major release of Python is announced, an organization may take up to three years to migrate its existing source code to it. Python 3 is not backward compatible with Python 2.7, which created a critical risk for software companies: with no way to keep the previous version supported, the company is placed in a difficult position.

The company must develop, test, QA, and stage new code more rapidly than it would like. Code written under that pressure is likely to ship with more bugs and performance issues, and it leaves a limited operating window. The rapid development also puts existing clients at risk: they must either attempt an in-place upgrade or replace the entire platform, and both options add risk. Many clients will decline to move to the new code while they weigh other options. No longer receiving security updates, they accept the inherent risk of unpatched vulnerabilities and exploits, and in doing so expose their most critical assets. Python developers and their clients need the operational security of the latest version, and extended support after the end-of-life date when they cannot yet move to it.

Value of TuxCare Extended Lifecycle Support (ELS)

You’ve built your applications on Python, you know that code front to back, and you’ve spent years chasing instability and squashing bugs. The hard work and long days put in by your team have resulted in something that runs well and builds value for your organization.

What are some of the core business justifications for investing in an ELS?

  • The Python version you currently target is reaching end-of-life, and you need time to develop the next-generation application.
  • No need to refactor your Python 2.7 applications for Python 3.
  • Security fixes are backported to Python 2.7, so you do not have to rewrite your application.
  • Security compliance must be maintained, but an upgrade may break your code. Compliance regimes such as PCI DSS, HIPAA, FedRAMP, and NIST SP 800-53 require known vulnerabilities to be remediated within defined windows; PCI DSS, for example, requires critical security patches to be installed within one month of release.
  • Extend the life of your hardware and software assets while conserving DevOps resources. ELS delivers patches and updates automatically, with rollback capability, which streamlines the update process for DevOps teams.

Protecting your Python 2.7 from vulnerabilities 

Vulnerabilities exist in any code, including the Python interpreter itself. Many vulnerabilities are never turned into working exploits. Python, like any other software, is exposed to attacks on newly disclosed vulnerabilities for which no fix has yet been applied. Attackers bet on systems that are not patched regularly, and they have reason to: the mean time to patch (MTTP) for most systems, Python included, is between 60 and 150 days.

Even when SecOps teams apply a patch within about 38 days of disclosure, the open window between disclosure and deployment is when a system is most likely to be exploited. Nobody knows in advance which system will be hit or when.

  • ELS shrinks that exposure window for Python applications by delivering security patches as an automated business process.

An unpatched vulnerability at the language level inherently puts at risk every application written in that language. Even if the application’s own code has no flaw, a language construct or standard-library function it relies on may have one, and that is both difficult to diagnose and hard to protect against adequately from within the application.

Why Tuxcare?

Trusted partner

We have supported various RHEL forks for over 12 years, including AlmaLinux, a forever-free enterprise-grade OS. We support the major Linux OS versions, including CentOS 6, CentOS 7, and CentOS 8, Ubuntu 16.04 LTS, and other RHEL-based distributions.

  • Also available is ELS for PHP.
  • Through KernelCare Enterprise, we provide live patching for the Linux kernel, critical shared system libraries such as OpenSSL and glibc, open source databases such as MySQL, PostgreSQL, and MariaDB, and the QEMU/KVM virtualization platform, all of which cause significant business disruption when patched traditionally.

Being compliant is our nature

We have obtained and continuously maintain various cybersecurity certifications, and our services have helped numerous enterprises, government agencies, and universities achieve and maintain their compliance status.

The TuxCare Story

  • TuxCare has delivered patches and bug fixes for various Linux distros for over ten years.
  • TuxCare is approaching 1 million in production workloads secured and supported by our services.
  • We have over 1500 customers from multiple industries around the world.
  • TuxCare’s KernelCare Enterprise has patched more than 2,000 vulnerabilities without reboots over the years.
  • We support more than 40 Linux distributions.

Frequently Asked Questions

What version of Python is supported by ELS for Python?

The service will provide security updates for Python 2.7.

Will existing Python code continue to run as-is?

Yes – the goal is to provide security fixes, not language-breaking changes. Your existing Python 2.7 code and applications will continue to run as before – only more securely.

Does this address security issues in my Python application?

It depends. If the issue stems from a flaw in the Python 2.7 interpreter or its standard library, the ELS patch covers it and your application is protected from threats targeting that specific flaw. Issues in your own application code are outside the scope of the service.

My application is written in Python and has no security issues – why do I need ELS for Python?

New vulnerabilities emerge every day, and of those, some will target older code. Even if your application does not directly have any security problems, exposure found at the language level may make your application insecure. That is why it is essential to have access to security patches even after a language is no longer officially supported.

Monthly TuxCare Update – March 2022

Welcome to the March instalment of our monthly news round-up, brought to you by TuxCare. We’re honoured to be the Enterprise Linux industry’s trusted maintenance service provider. Our live patching solutions help maximize system uptime while keeping systems secure, reducing your maintenance workload, and minimizing disruption.

In challenging times, it is ever more essential to keep systems secure. Unfortunately, the trend for record numbers of CVEs continues with no signs of disclosure rates slowing. So in this latest monthly overview, we’ll begin as usual with a round-up of the latest CVEs that the TuxCare Team has patched for you. We’ll also bring you the latest news, advice, and valuable tips to keep your systems safe.

Contents

  1. CVEs Disclosed in March
  2. Enterprise Linux Security Video Podcasts
  3. Threat Management Automation
  4. The Role of Chief Experience Officer
  5. Ponemon Report

CVEs Disclosed in March

This month saw the disclosure of the critical vulnerability CVE-2022-0847, known as “Dirty Pipe”, which affects Linux kernels from version 5.8 onwards (and some older vendor kernels that backported the flawed code). The flaw allows an unprivileged local user to overwrite the contents of files they can only read, including SUID binaries. Exploitation compromises the confidentiality, integrity, and availability of affected systems. The KernelCare Enterprise team has addressed this vulnerability, and you can find more information about it in this TuxCare blog post.

Enterprise Linux Security Video Podcasts

The TuxCare team’s Enterprise Linux Security podcast continues to offer comprehensive topical explanations for the latest hot topics and foundational concepts. Co-hosted by Learn Linux TV’s Jay LaCroix and TuxCare’s very own Joao Correia, four exciting new episodes are available this month.

In the twentieth episode, Joao and Jay discuss the concept of cloud governance and its importance for managing migration to the cloud environment to ensure a smooth transition and make sure the benefits outweigh the risks. You can view the video here: Enterprise Linux Security Episode 20 – Cloud Governance – YouTube

In the twenty-first episode, Joao and Jay discuss the recent “Dirty Pipe” vulnerability and Nvidia’s recent breach. You can view the video here: Enterprise Linux Security Episode 21 – Dirty Pipe & Nvidia’s Breach – YouTube

In the twenty-second episode, Joao and Jay discuss the foundational concepts surrounding how TLS certificates work and offer practical and invaluable advice and recommendations for implementing certificate-based encryption. You can view the video here: Enterprise Linux Security Episode 22 – Certificates – YouTube

In the twenty-third episode, Joao and Jay discuss five critical myths around cyber security that need to be challenged in light of the rapid changes the industry must make to keep pace with the threat landscape. You can view the video here: Enterprise Linux Security Episode 23 – Busting 5 IT Security Myths – YouTube

These enthralling and enlightening video podcasts are essential viewing for anyone involved in managing Linux-based enterprise systems.

Threat Management Automation

Last month we reported that the CVE record was broken again in 2021, with 28,695 new vulnerabilities disclosed. Unfortunately, this year is set to continue the trend of an ever more challenging threat landscape for businesses. It has reached the stage where threat management has become an overwhelming task for some companies. System administrators typically bear the brunt of the workload: managing patches, monitoring system security, and undertaking post-incident remediation work.

The risk of businesses becoming overwhelmed by the effort required is real and will simplify the attackers’ tasks. The solution is to look at automation wherever possible to reduce the load on the IT team. You can read more about this here: Why Enterprise Threat Mitigation Requires Automated, Single-Purpose Tools (thehackernews.com). A live patching tool such as KernelCare Enterprise can offer an automatic, non-disruptive solution to this vulnerability management problem.

Here at TuxCare, we ensure that threat management will not become an overwhelming overhead for your resources thanks to our automation tools, providing reassurance that threat management is under control.

The Role of Chief Experience Officer

Customer experience is recognized as an essential component of any business. Still, it is often not treated with the same importance as technological or security objectives, because it is harder to define and often comes into conflict with more tangible technology goals. Addressing this weakness has led to a trend of creating a Chief Experience Officer (CXO) role to meet the challenge. You can read more about this subject in the following article written for Forbes by Igor Seletskiy, CEO of TuxCare: Why CXOs Have Become Influential Members Of The C-Suite (forbes.com)

Ponemon report

TuxCare, in collaboration with the Ponemon Institute, presents the 2nd edition of The State of Enterprise Linux Security Management Report. One of the new findings is that over 56% of organizations take more than four weeks to deploy patches for known important or critical vulnerabilities. That is unexpected in an industry where vulnerability awareness is a foundational process. Check out the report for more findings here.

Introducing the State of Enterprise Linux Security Report

As regulations around cyber security tighten and the risks increase, have you ever wondered how your company’s IT processes rank compared to others? Are you patching your systems on time, or are you one of the majority of organizations that take upwards of a month to deploy patches for known vulnerabilities?

As cyber security concerns become more prevalent and threat actors get more sophisticated, it has never been more important to be aware of the current State of Enterprise Linux Security Management. After a successful publication last year of our report on vulnerability management, TuxCare has worked with the Ponemon Institute to develop an updated version, providing a more in-depth understanding of the security risks and mitigation strategies currently in place for Enterprises. Just as the risks are global and can potentially affect every organization, sharing knowledge of how companies deal with security can provide the insights needed to develop and implement the correct strategies – or identify areas where your organization may be lacking and doesn’t even realize it.

Some of the findings were truly unexpected. In an industry where vulnerability awareness is a foundational process, and the response to a vulnerability is patching, it was surprising to discover that over 56% of organizations take more than four weeks to deploy patches for known important or critical vulnerabilities. This would be a worrying sign at the best of times, but it is even more important to consider in the current cyber security environment. What steps can be taken to improve this situation? Leaving systems unprotected for such a long period invites disaster.

Also, it is remarkable that about a third of organizations are not aware that the security of cloud-hosted systems is still their responsibility. This gap can induce a false sense of security and contribute to a large proportion of systems being left in a security limbo, where the only people looking at them are the threat actors.

On a more positive note, the rise of automation is indeed moving from the headlines to the actual day-to-day activities of IT teams. The standardization and repeatability of processes that come with it is a boon that would be hard to achieve with manual operations.

For these and many other interesting aspects related to Enterprise Linux Security, be sure to check the complete report, which you can find HERE.

“Dirty Pipes” in the Kernel

A few years ago, a vulnerability dubbed “Dirty Cow” (CVE-2016-5195) was in the spotlight for a while. It was a trivially exploitable privilege escalation path that basically affected any Linux distribution and was exploited in the wild extensively. That vulnerability abused the Kernel’s Copy-On-Write (COW) mechanism and was sometime later found to be remotely exploitable through web servers that allowed file uploads.

On the 7th of March of 2022, a similar vulnerability was disclosed, also affecting all recent Linux distributions, nicknamed “Dirty Pipe” (CVE-2022-0847). It lets an unprivileged user overwrite any file, or part of a file, in a Linux system, even read-only ones. Several variants have already been disclosed that allow for the replacement of SUID files.

Patches for CVE-2022-0847 will be made available through KernelCare in the coming days, and this post will be updated with availability information as each becomes ready. At this moment, vulnerable kernel versions include 5.8 and onwards, with the flawed commit having been backported to multiple 4.x versions as well.

[Update 9th March: Updates for RHEL 8 and Oracle EL 8 are now available for deployment. Further patches are being prepared for other distributions.

Update 10th March: Updates for CentOS8, Almalinux 8, Rocky Linux, Ubuntu 20.04, CloudLinux 8 and CloudLinux 7h are also completed and are going to show up on feeds.

Update 11th March: Another batch of updates released for Ubuntu 18.04, Proxmox VE5 and Proxmox VE6.]

To understand the underlying flaw behind CVE-2022-0847, it is important that we first offer some brief information regarding CVE-2016-5195. “Dirty Cow” was possible because a race condition was found in the Copy-On-Write subsystem within the kernel. As a result, an unprivileged user could write in otherwise unreachable memory locations through this flaw. This would “dirty” those memory locations, hence the name. Moving from this to an elevation of privilege is a trivial operation for any properly motivated malicious actor, and in fact, that is precisely what happened. While “Dirty Cow” started as a local-only exploit, it was soon discovered that web servers that had the option to accept uploads from users could also be used as an attack vector. Hence, the vulnerability turned out to be remotely exploitable.

Fast forward a few years, and now IT teams are faced with “Dirty Pipe”, or CVE-2022-0847 if you think nicknaming vulnerabilities is not a very professional thing to do. As the name suggests, the flaw this time lies in the pipe handling code. Pipes are used as a way to pass information between processes. The most visible way pipes are used is when chaining commands, passing the output from one to the next through a “pipe”. Note that pipes can be created directly in code rather than simply used in the shell by an end-user or script.

It turns out that code introduced in this commit to the Linux kernel “refactored” the way pipe flags (a way to control pipe behavior) are handled. After the refactor, the flags field of a new pipe buffer entry was no longer reliably reset, so a stale PIPE_BUF_FLAG_CAN_MERGE flag could remain set on a page-cache page that splice() had pushed into the pipe. A subsequent write() to the pipe would then be “merged” straight into that page-cache page, which belongs to the file, not the pipe. You can read the extensive process behind the discovery of this vulnerability here.

Long story short, it became possible to write user-controlled content at a user-controlled offset in any file the user can open for reading (note that, since everything in a Linux system is technically a “file”, new variants of this vulnerability may introduce new, as-of-yet unknown behaviors). The attacker needs only read access to the target, cannot change its size, and cannot write at the first byte of a page, but that still leaves targets such as /etc/passwd, /etc/shadow, or SUID binaries. The modified page is not marked dirty, so the change is not written back to disk, but every process that reads the file sees the altered content until the page is evicted from the cache. There are also other, more subtle, ways of manipulating a system through this primitive.

Since the exploit code is trivial, it is already widely available online (while not a deterrent, we try to refrain from posting direct links to exploit code on our blog). Because pipes are a basic functionality of the Kernel, the potential risk posed by this vulnerability is very high. It is also noteworthy that several variants have already been found, where the same flaw is used to abuse other system components rather than just writing directly to otherwise unwritable files. It is not that far-fetched to imagine that remotely exploitable attack vectors will surface in the coming days, just like they appeared for “Dirty Cow” in 2016.

For a quick check, customers should verify the kernel version in use. Upstream, kernels before 5.8 are not affected, and the fix is present from 5.16.11, 5.15.25, and 5.10.102 onwards (and in mainline 5.17). Whether a distribution kernel with a different version number is affected depends on each vendor’s backporting policy, and those kernels are currently being evaluated.
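The following script is an added example, not code from the original post or from TuxCare, that turns the version rule above into a repeatable triage check for `uname -r` output. The version bounds (first vulnerable 5.8; fixed in 5.16.11, 5.15.25, 5.10.102; mainline 5.17 and later assumed fixed) come from the post; the treatment of release-candidate and vendor-suffixed kernels as “unknown” is this example’s own conservative choice, because a distribution build string such as `4.18.0-348.el8` says nothing about what the vendor backported.

```python
"""Upstream-version triage for CVE-2022-0847 ("Dirty Pipe")."""
import platform
import re

# Bounds stated in the post: bug entered with 5.8; stable fixes landed in
# 5.10.102, 5.15.25 and 5.16.11. Mainline 5.17 shipped with the fix
# (assumption in this example: every series >= 5.17 is treated as fixed).
FIRST_VULNERABLE = (5, 8, 0)
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIXED_FROM_SERIES = (5, 17)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), suffix).

    '5.15.24-arch1-1' -> ((5, 15, 24), '-arch1-1')
    '4.18.0-348.el8'  -> ((4, 18, 0), '-348.el8')
    '5.17-rc5'        -> ((5, 17, 0), '-rc5')
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def upstream_status(version):
    """Classify an upstream (major, minor, patch) tuple against the fix table."""
    if version < FIRST_VULNERABLE:
        return "not affected"
    series = version[:2]
    if series >= FIXED_FROM_SERIES:
        return "fixed"
    fixed = FIXED_IN.get(series)
    if fixed is None:
        # 5.8, 5.9 and 5.11-5.14 went end-of-life upstream before the fix.
        return "vulnerable (series never received the upstream fix)"
    return "fixed" if version >= fixed else "vulnerable"


def triage(release):
    """Return (status, note) for a release string such as `uname -r` prints.

    Release candidates and vendor-suffixed builds are reported as unknown:
    the version number alone cannot tell you what was backported, and the
    post notes the flawed commit reached some 4.x vendor trees.
    """
    version, suffix = parse_release(release)
    dotted = ".".join(str(n) for n in version)
    if re.match(r"-rc\d+", suffix):
        return "unknown (release candidate)", "compare the rc number with the fix commit for %s" % release
    if re.search(r"[A-Za-z]", suffix):
        status = upstream_status(version)
        note = ("upstream rule would say %r for %s, but %s is a vendor build; "
                "check the distribution advisory or your KernelCare feed"
                % (status, dotted, release))
        return "unknown (vendor kernel)", note
    return upstream_status(version), "upstream kernel %s" % dotted


if __name__ == "__main__":
    status, note = triage(platform.release())
    print("%s: %s" % (status, note))
```

Run it on each host (or feed it a list of `uname -r` strings collected by your inventory tooling); anything that comes back as unknown still needs a verdict from the vendor advisory or the live-patch feed rather than from the version number.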

Updates for RHEL 8, Oracle EL 8, CentOS8, Almalinux 8, Rocky Linux, Ubuntu 18.04, Ubuntu 20.04, Proxmox VE5, Proxmox VE6, CloudLinux 8 and CloudLinux 7h are now available for deployment through KernelCare Enterprise. Further patches are being prepared for other distributions. IT teams are strongly encouraged to patch this vulnerability as soon as possible. TuxCare’s patches for KernelCare Enterprise will be made available shortly, and this post will be updated to reflect the actual availability of these patches when each is released.

TuxCare’s KernelCare Enterprise is providing live patches for “Dirty Pipe” even when the original distribution vendor is not able to do so with their own live patching solution.

Through KernelCare Enterprise, receiving patches for this and other vulnerabilities can be done without disrupting running workloads or having to reboot systems. If you would like to know more about KernelCare Enterprise and other TuxCare products, please check here.

Key points to consider during your 7 days of KernelCare Enterprise POV

Proof of value (POV) is a key step in the buying process. It allows tech teams to test a product or service to find out whether it is fit for purpose, and a good match for the team’s needs. That’s why KernelCare offers a free seven-day period where you can test KernelCare for yourself.

It’s nonetheless a limited time period, and you need to make the best of it. In this article we outline some of the points you should think about when you try out KernelCare Enterprise in your organization. Continue reading “Key points to consider during your 7 days of KernelCare Enterprise POV”

Securing confidential research data through TuxCare live patching

The University of Zagreb’s Croatian Academic and Research Network (CARNet) faced a significant threat: like other educational institutions, its networks were under constant attack from cybercriminals. But the one obvious route to secure operations – regular patching – was difficult to perform consistently.

In this case study we examine how Mirsad Todorovac, CARNet system engineer at the University of Zagreb, discovered KernelCare Enterprise and how the product – a TuxCare service – helped the university to battle mounting cyber threats.

Continue reading “Securing confidential research data through TuxCare live patching”

Monthly TuxCare Update – February 2022

Welcome to the February instalment of our monthly news round-up, brought to you by TuxCare. We’re proud to be a trusted maintenance service provider for the Enterprise Linux industry. Thanks to our live patching solutions, we help maximize system security and uptime while reducing your maintenance workload and minimizing system disruption.

Continue reading “Monthly TuxCare Update – February 2022”

Resources

  • State of Enterprise Linux Cybersecurity ...
  • Dangerous remotely exploitable vulnerability ...
  • Securing confidential research data ...
  • State of Enterprise Vulnerability Detection ...
  • Demand for Rapid Risk Elimination for ...
  • TuxCare Free Raspberry Pi Patching