Monthly TuxCare Update – January 2022
Welcome to the January instalment of our monthly news round-up, brought to you by TuxCare. We are proud to be a trusted maintenance service provider for the Enterprise Linux industry. Our live patching solutions maximize system security and uptime while minimizing maintenance workload and system disruption.
We hope that the new year has started smoothly and incident-free for you. Likewise, let’s hope the next month is free of troubles and stresses for you. In this latest monthly overview, we’ll begin as usual with a round-up of the latest CVEs that the TuxCare Team has patched for you. We’ll also bring you the latest news, advice, and valuable tips.
CVEs Disclosed in January
The new year has seen the discovery of a significant issue in the legacy polkit package that’s been around for twelve years and is present in most distributions.
CVE-2021-4034 is a vulnerability in the polkit code that enables an unprivileged user to gain root privileges quickly on any system they can access. The code flaw is in the pkexec component of the polkit package. You can find more details, plus a quick fix to protect your systems until you’ve installed the patches, in our blog post: PwnKit, or how 12-year-old code can give root to unprivileged users
At the time of writing, we have already produced patches for CentOS 6, Oracle 6, CL6, Ubuntu 16, and CentOS 8.4. There are more on the way, and you can track the latest status using our CVE dashboard here: CVE dashboard for CVE-2021-4034
Another CVE disclosed in January concerns LUKS; head here for more details about it.
All the disclosed CVEs that affect distributions covered by our Extended Lifecycle Support Services have patches either in development or already produced and distributed. See our helpful CVE Dashboard for more details. It lists all CVEs covered under our support services, with filtering options that make it simple to access the information relevant to your systems.
Enterprise Linux Security Video Podcasts
The TuxCare team’s Enterprise Linux Security podcast continues to offer in-depth topical explanations for the latest hot topics and foundational concepts. Co-hosted by Learn Linux TV’s Jay LaCroix and TuxCare’s very own Joao Correia, two new episodes are available to view this month.
In the fifteenth episode, Joao and Jay discuss high availability systems to help eliminate system downtime, plus look at the latest developments around the Log4Shell vulnerability. You can view the video here: Enterprise Linux Security Episode 15 – High Availability
In the sixteenth episode, Joao and Jay discuss the issue of library poisoning and its use in supply chain attacks, in particular the recent sabotage of two popular NPM libraries. You can view the video here: Enterprise Linux Security Episode 16 – Library Poisoning
These video podcasts discussing Linux security issues are essential viewing for anyone involved in managing Linux-based enterprise systems.
CentOS 8 – Life after the End of Life
If you’re a user of CentOS 8, you’ll be acutely aware that official support for this distribution has now ended. As a result, you’ll no longer receive bug fixes or patches for CVEs and other emerging security vulnerabilities. This sudden withdrawal of support, years before the expected End of Life date, has left users with a dilemma: find a replacement and change systems as quickly as possible, or continue using CentOS 8 while carefully formulating a migration plan. You can read more about your options in our blog post: Winter is Coming for CentOS 8.
We’ve also taken a look at the practicalities of Red Hat’s suggestion that users migrate to CentOS Stream. You can read more about our thoughts in our blog post: When migrating to CentOS Stream makes sense (and when it does not)
For those of you who continue to use CentOS 8, you’ll hopefully be aware that this distribution is affected by the PwnKit vulnerability. If you’ve chosen to use the TuxCare support package for your CentOS 8 systems, you’ll know that we’re on the case with fixing this vulnerability using our live patching service. If you’re affected and not signed up for our support, why not? We can help protect your systems now that official support has ended and extend the life of your CentOS 8 systems for another four years. Our Extended Lifecycle Support enables you to keep on top of your security risks, close the security gaps and stay safe. You can read more about CentOS 8 Extended Lifecycle Support in our blog post: CentOS 8: Why extended support is better than rushed migration