Monthly TuxCare Update – August 2021
Here at TuxCare, we pride ourselves on being the trusted provider of maintenance services for the Enterprise Linux industry. Our services improve system administration manageability while maximising system uptime and minimising service disruption.
In this latest monthly overview, you will find a round-up of the latest CVEs patched by the TuxCare Team. Also, carry on reading for details of the latest updates to our range of TuxCare services, along with plenty of helpful advice.
CVEs Disclosed in August
The first vulnerability was found very close to home when our very own Nikita Popov, one of TuxCare’s expert team members, identified a previously unknown flaw in the glibc code. The flaw was uncovered during the investigation of another reported vulnerability. Designated CVE-2021-38604, it allows a segmentation fault to be triggered in a specific code path within the library, so an application using glibc could crash, resulting in Denial-of-Service. The glibc library is a critical component that provides the main system primitives, so identifying and resolving this issue was a significant win for the team. Our Extended Lifecycle Support services have produced and distributed live patches for this CVE.
Two other vulnerabilities (CVE-2021-3711 and CVE-2021-3712) were also disclosed in August, both affecting OpenSSL. CVE-2021-3711 is a high severity flaw in the SM2 decryption function that could corrupt memory: an attacker could cause a buffer overrun and use it to force a privilege escalation. CVE-2021-3712 is a low severity flaw that could also allow an attacker to cause a buffer overrun. Our KernelCare Enterprise Live Patching Service produced and distributed live patches for these CVEs within 24 hours.
Enterprise Linux Security Video Podcasts
The TuxCare team’s Enterprise Linux Security podcast is up and running, offering in-depth topical explanations for the latest hot topics and foundational concepts. Co-hosted by Learn Linux TV’s Jay LaCroix and TuxCare’s very own Joao Correia, the first two episodes are now available to view.
You can watch the first episode that discusses the critical topic of Common Vulnerabilities and Exposures here: Enterprise Linux Security – Episode 01: Common Vulnerabilities & Exposures (CVEs).
Also available is the second episode, which discusses common attack vectors: Enterprise Linux Security – Episode 02: Attack Vectors.
These video podcasts discussing Linux security issues are essential viewing for anyone involved in managing Linux-based enterprise systems.
Introducing our CVE Dashboard
Do you ever wonder if a particular CVE affects your systems and if it has been patched or not? We often receive requests from customers looking for information or inquiring about the status of a particular fix. While we send out announcements for the CVEs that affect our supported systems, you’d soon be overwhelmed if we also sent out a notification for the multitude that don’t affect you. So, to improve transparency and make relevant information easier to find, we’ve created a CVE Dashboard. This lists all CVEs covered under our Extended Lifecycle Support service that can be filtered by OS and other criteria. This feature puts you in control and provides all the information you need at your fingertips. See our blog for more details.
Extended Lifecycle Support
Finally, do you use end-of-life systems, or are you a CentOS 8 operator that’s about to face this issue? Have you ever been tempted to recycle the same old legacy systems as the quick and simple solution to maintaining a service?
If the answer to any of these is yes, you’ll understand the challenges of using legacy systems. Legacy systems are a headache for sysadmins everywhere, from increased security risks to roadblocks to passing compliance audits. However, when the pressure is on, they may be the best short-term solution for a business. This is where TuxCare’s Extended Lifecycle Support can come to the rescue. It keeps legacy systems secure and compliant for years, buying you time to research, plan, and implement a long-term migration solution. So why not take a look at this video, which explains how our service works?