How to Apply Linux Kernel Security Patches: 3 Different Ways (2024)
- Just like a strong foundation is vital for a building, a secure kernel is essential for a secure Linux system.
- Live patching allows applying security patches to a running kernel without need for a reboot, significantly reducing downtime for critical systems.
- Unpatched kernels can leave your systems exposed to known vulnerabilities, increasing the risk of security incidents like data breaches or unauthorized access.
Linux kernel updates are a fact of life. They are as dull as taxes and about as fun as going to the dentist. But sysadmins must keep patching: newly discovered security vulnerabilities in the Linux kernel seem to appear with monotonous regularity. In most, but not all, cases, the patches needed to fix them follow swiftly after.
There is a lot of work involved in installing the latest Linux kernel security patches, and practical realities can mean that patches are delayed. But, leave it too long, and you give an opportunity to threat actors to take advantage of an unpatched vulnerability.
That’s why finding the best way to patch as fast as you can is so critical.
Linux’s popularity as a platform for web hosting services, standalone web servers, and web applications makes it a prime target. Hackers use techniques including remote code execution (RCE), cross-site scripting (XSS), and denial of service (DoS) attacks.
Keeping Linux instances up to date with the latest operating system and application software patches is one of the most effective ways to strengthen system security and protect against these kinds of cyber threats.
However, it’s a disruptive and time-consuming task because, for Linux, most kernel upgrades and security patches often require a system reboot. This article explains how to update the Linux kernel without rebooting. Also, we cover three different methods for applying Linux kernel security patches. These methods are:
- using the command line
- with kexec
- with rebootless live kernel patching tools: Oracle Ksplice Uptrack, Canonical Livepatch, Red Hat’s Kpatch, SUSE Kgraft (SLE Live Patching), and KernelCare Enterprise.
1. Traditional Command Line Updates
This is the standard way to apply a Linux kernel security patch using the distribution vendor’s repository. It is the method you’ll most likely find in vendor documentation. However, many distributions now offer user-friendly graphical package managers that simplify the update process.
On Ubuntu, you can use these commands in the terminal.
sudo apt update sudo apt upgrade linux-image-generic sudo reboot
On Debian you use:
sudo apt upgrade linux-image sudo reboot
For any RPM-based distribution, including CentOS and Red Hat Enterprise Linux (RHEL), use this:
sudo yum update kernel
sudo reboot
So far, so easy. But there’s a catch: the kernel patch won’t take effect until you reboot.
Reboot? Yes. You must kick off your users, save your files, and close down processes – at the risk of making a lot of people very unhappy. Like anyone in the middle of a purchase on your website, for example. You then need to wait for your Linux server to boot up again and recover its previous state.
How long do your servers take to bounce back? Will customers and other stakeholders notice? Even if there’s a low risk that they would notice, you still need to notify them before installing that kernel patch.
This is one reason why many system administrators defer patch installation, avoiding downtime but compromising system security.
PROS: No installation. Straightforward process.
CONS: Not automated. Reboot required.
2. kexec: Quicker reboots
When a Linux kernel security patch is applied, a reboot is usually necessary to load the new patched kernel. You can make this rebooting process faster by using kexec, a Linux kernel feature that lets you boot straight into a new kernel, skipping the boot loader and hardware initialization phases.
To use it, you first need to install kexec-tools.
On Ubuntu/Debian:
sudo apt install kexec-tools
You’ll see a configuration window that looks a bit like this:
On CentOS/RHEL:
sudo yum install kexec-tools
Next, install the new kernel. List the kernels and then choose the kernel you want to use:
sudo yum update kernel
or
sudo rpm -qa kernel
The output should be something like this:
kernel-3.10.0-514.26.1.el7.x86_64 kernel-3.10.0-862.3.2.el7.x86_64
Now boot into your chosen kernel version:
sudo kexec -l /boot/vmlinuz-3.10.0-862.3.2.el7.x86_64 -initrd=/boot/initramfs-3.10.0-862.3.2.el7.x86_64.img -reuse-cmdline sudo sync; sudo umount -a; sudo kexec -e
You can use the next command if you have no patience whatsoever (but see the warning below before you do so):
sudo kexec -e
Note: While kexec is not directly involved in the patching process itself, it offers faster reboots by bypassing the usual boot loader and hardware initialization. However, this speed comes at a cost. Unlike a standard reboot that gracefully shuts down processes, synchronizes caches, and unmounts file systems, kexec jumps directly to the new kernel. This can lead to data loss or corruption if running applications have unsaved changes or open file handles.
PROS: Faster boot. One-time install.
CONS: More finger work (and higher potential for error unless you script it well).
3. Update Your Kernel Without Rebooting
Yes, you read that correctly. There is a way to update the Linux kernel without rebooting.
There are times when security patching is supercritical and you just must get it done. At the same time, the processes that need to stop when you reboot are equally critical. If you’re running an ‘always-on’ or ‘high-availability’ system, you’ll be familiar with this dilemma.
A rebootless kernel update means that you can ‘have your cake and eat it (too)’. Rebootless updates, also known as live kernel patching, are not a replacement for full kernel upgrades because they only apply patches for security vulnerabilities or critical bug fixes.
However, rebootless updates are like a magic bullet for fixing vulnerabilities and ensuring Linux kernel security. When you consider the really urgent stuff, then updates for security vulnerabilities and bug fixes are really all you need. By using live patching methods, it is possible to keep a server safe from threats for years without ever rebooting the server.
Many leading Linux vendors offer a tool to achieve rebootless kernel updates. The tool you choose depends in part on the distribution you run and whether you already have a support contract in place with the vendor. In the rest of this article, we’ll talk about the following products.
- Ksplice by Oracle (for Oracle Linux updates, Ksplice Uptrack for enterprise users)
- kpatch by Red Hat (for RHEL kernel updates and CentOS updates)
- Livepatch by Canonical (for Ubuntu kernel updates)
- kGraft by SUSE (for SUSE updates only)
- KernelCare Enterprise (for all major Linux distributions)
Oracle Ksplice
Ksplice was the first commercially available implementation of rebootless kernel updates. Ksplice, Inc. was eventually acquired by Oracle and it is now only available (unsurprisingly) for the Oracle Linux distribution. Deploying Ksplice requires an Oracle Linux Premier Support subscription, which can be a significant cost factor.
To deploy it, run:
sudo wget -N https://ksplice.oracle.com/uptrack/install-uptrack-oc sudo sh install-uptrack-oc -autoinstall
You’ll note that there is no reboot command and that you only need to run the install script once in the lifetime of the server. After that, the Uptrack service will automatically detect new kernel updates and deploy them. There’s nothing more to do – no scheduling and no downtime.
PROS: No reboot required. Automatic updates.
CONS: Only for Oracle distribution versions. Requires a support license.
Canonical Livepatch Service
Canonical Livepatch, offered by the company behind Ubuntu, is a tool for applying Linux kernel security patches without requiring a reboot. It also allows you to create your own patches, but that is difficult, time-consuming work. (Some vendors will create an Ubuntu upgrade kernel for you, for a fee.)
The Livepatch service is available for Ubuntu 16.04 and later, and RHEL 7.x (beta). Livepatch is deployed like this:
sudo snap install canonical-livepatch
sudo canonical-livepatch enable [TOKEN]
Note: The Canonical Livepatch service is free for personal use on up to 5 machines if you’re an Ubuntu One member. Commercial use requires an Ubuntu Pro subscription.
PROS: No reboot required. Automatic kernel updates.
CONS: Non-trivial custom kernel patches. Restriction on the number of updatable hosts. Additional hosts and commercial use include a fee.
Red Hat kpatch
kpatch is Red Hat’s own kernel patching tool. It was announced in 2014 and has been ported to work on other distributions in the same family (Fedora, CentOS) as well as some Debian-based systems (Ubuntu, Gentoo).
Here’s an example of deploying it on RHEL 7:
sudo yum install kpatch sudo yum install kpatch-patch-X.X.X.el7.x86_64.rpm
Unlike Ubuntu’s Livepatch service or Oracle’s Ksplice, it is not an automatic live patching service. You must manually check for new patches and install each kernel patch as it becomes available.
PRO: No reboot required.
CONS: Not automated. Works with a limited range of distributions.
SUSE kGraft
Developed and announced at almost the same time as Red Hat’s solution, kGraft is SUSE’s live patching offering (known as SUSE Linux Enterprise Live Patching). It works only with SUSE’s own Linux Enterprise Server 12, and comes preinstalled, so there’s really nothing to do except to pay for it. It works on a different principle than most other approaches, but has a feature set comparable to kpatch.
PROS: No installation needed. No reboot required.
CONS: Single platform support. Commercial (but there is a 60-day free trial).
KernelCare Enterprise
TuxCare’s Linux kernel live patching service, KernelCare Enterprise, stands out from the kernel patching solutions we covered so far for two reasons. First, KernelCare covers a wide range of Linux distributions, including CentOS, RHEL (as early as RHEL 6), Oracle Linux, Debian, Ubuntu, and many more. Next, KernelCare is more affordable compared to subscribing to a vendor-specific support contract like those listed above.
Here’s how to install KernelCare:
wget -qq -O -- https://kernelcare.com/installer | bash sudo /usr/bin/kcarectl --register <your key>
KernelCare is an ‘install and forget’ solution. Once installed, KernelCare automatically downloads and applies new Linux kernel security patches without rebooting the server.
But, in contrast to its closest competitors, KernelCare can handle many of the more complex patches that are required for vulnerabilities, including the famous Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715) vulnerabilities.
KernelCare also covers you for more recent complex vulnerabilities, including the Dirty Pipes vulnerability (CVE-2022-0847). To track the release status of live patches for Linux kernel vulnerabilities (CVEs), you can utilize the TuxCare CVE tracker.
You benefit from a rich feature set too, as KernelCare supports custom patch configurations, fixed-date patches, delayed patches, and rebootless rollbacks that allow you to remove a patch without rebooting.
Like the other vendors considered here, KernelCare also springs from a strong Linux pedigree: KernelCare was created by CloudLinux, the leading vendor for a Linux OS dedicated to web hosting.
PROS:
- Easy install. No reboot required.
- Wide OS coverage (including one of the most popular Linux flavors, Ubuntu).
- Supports custom and fixed-date patching.
- Expert support and industry know-how from TuxCare.
CONS:
- Commercial (but there is a free trial). There is also a free KernelCare license for non-profit organizations.
Get a FREE Trial of KernelCare Enterprise
Final Thoughts
Maintaining Linux kernel security is an ongoing battle. Regularly checking for updates and applying them promptly is crucial to stay ahead of evolving cyber threats. Updating the kernel is relatively painless using the standard command line tools, but only if your server is non-critical and only if your users can endure it going offline for a period.
If you’re running an always-on system, or if you can’t or don’t want to reboot, you need to consider live kernel patching solutions. Of these, there are three kinds:
- Administered: you trigger rebootless patching yourself. E.g. kpatch, kGraft
- Fully automatic: rebootless patching happens automatically. E.g. Livepatch, Ksplice
- Fully automatic, advanced multi-platform: it does it for you, also handles advanced threats, and works on all popular Linux distributions. E.g. KernelCare Enterprise
In many cases, particularly where you’re reliant on different Linux distributions and where you don’t have a vendor support contract, KernelCare Enterprise would be worth a look.
If you want to learn more about live patching technology and how it enables your infrastructure security, you can read some of our most popular blog posts:
- What is Linux Kernel Live Patching?
- Demystifying Linux Kernel Security: The Need for Linux Kernel Patching
- The Many Faces of Patching
- Why Live Patching Is a Game-Changing Cybersecurity Tool
- Debunking Myths About Linux Kernel Patching