OnApp 6.0 CloudBoot Security Update

This update addresses the ZombieLoad vulnerabilities (RIDL ([MFBDS] CVE-2018-12130, [MLPDS] CVE-2018-12127, [MDSUM] CVE-2019-11091) and Fallout ([MSBDS] CVE-2018-12126)) for CentOS 6/7 CloudBoot compute resources. For more information on the vulnerabilities, refer to the ZombieLoad Attack Issues doc.

To mitigate the vulnerabilities on KVM CloudBoot compute resources we recommend updating the following packages: 

  • CentOS 6  
    • kernel 2.6.32-754.12.2.el6.x86_64
    • libvirt 0.10.2-64.el6_10.1
    • qemu-kvm 0.12.1.2-2.506.el6_10.3
  • CentOS 7 
    • kernel 3.10.0-957.12.2.el7.x86_64
    • libvirt 4.5.0-10.el7_6.7
    • qemu-kvm 2.12.0-18.el7_6.5.1

Use the CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures to install the update. The 'Simple reboot' and 'Migrate and Reboot' options are available.
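A check for the package list above, added here as an example and not part of OnApp's tooling: it compares the running kernel and the installed libvirt and qemu-kvm on a KVM CloudBoot compute resource against the listed versions. The function names, the "name version-release" input format, and holding qemu-kvm-ev to the qemu-kvm minimum are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a KVM CloudBoot compute resource against the minimum
# package versions listed above. Function names and input format are assumptions.

# Minimum version-release per CentOS major and package, copied from the list above.
min_version() {
  case "$1:$2" in
    6:kernel)   echo 2.6.32-754.12.2.el6 ;;
    6:libvirt)  echo 0.10.2-64.el6_10.1 ;;
    6:qemu-kvm) echo 0.12.1.2-2.506.el6_10.3 ;;
    7:kernel)   echo 3.10.0-957.12.2.el7 ;;
    7:libvirt)  echo 4.5.0-10.el7_6.7 ;;
    7:qemu-kvm) echo 2.12.0-18.el7_6.5.1 ;;
    *) return 1 ;;
  esac
}

# True when $1 >= $2. GNU sort -V approximates rpm's ordering for these strings.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit MAJOR: reads "name version-release" lines on stdin, prints one verdict
# per listed package, and returns non-zero if any is below the minimum.
audit() {
  major=$1; rc=0
  while read -r name ver; do
    name=${name%-ev}      # assumption: qemu-kvm-ev is held to the qemu-kvm minimum
    ver=${ver%.x86_64}    # uname -r carries the arch suffix
    min=$(min_version "$major" "$name") || continue   # line is not a listed package
    if version_ge "$ver" "$min"; then
      echo "OK       $name $ver"
    else
      echo "OUTDATED $name $ver (need >= $min)"; rc=1
    fi
  done
  return $rc
}

# On a host, feed the RUNNING kernel (uname -r), not the installed kernel package:
# an updated host that has not been rebooted must still report OUTDATED.
# { echo "kernel $(uname -r)"
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' libvirt qemu-kvm qemu-kvm-ev
# } | audit 7
```

A non-zero exit status from `audit` means at least one component is still below the listed version, which for the kernel includes the case where the package was installed but the compute resource has not yet been rebooted.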

Key: CLOUDBOOT-421
Type: Improvement
Release Notes: Updated the following components for CentOS 7 Xen compute resources:

  • Kernel version to 4.9.165-35.el7.x86_64
  • libguestfs version to 1.36.10-6.2.el7.onapp

Key: CLOUDBOOT-425
Type: Improvement
Release Notes: Updated the following components for CentOS 6 Xen compute resources:

  • Kernel version to 4.9.165-35.el6.x86_64
  • UFS filesystem driver based on kernel version 4.9.165-35.el6.x86_64 and compiled with the R/W support patch

Key: CLOUDBOOT-429
Type: Improvement
Release Notes: Updated the onapp-messaging version to 6.0.0-3 for all CloudBoot compute resources.

Key: CLOUDBOOT-428
Type: Fix
Release Notes: The STORAGENODE guests on Xen were not reported via SNMP because storage controllers were managed with XM/XL while other guests were managed with Libvirt.
Affects Version/s: 6.0

Key: CLOUDBOOT-435
Type: Fix
Release Notes: Fixed the issue with data storage utilization when an incorrect zombie_disks_size value was displayed in the database.
Affects Version/s: 5.5.0-92-6.0.0-159

Key: CLOUDBOOT-436
Type: Fix
Release Notes: Updated the qemu-kvm-ev version to 2.12.0-18.el7_6.5.1 for the CentOS 7 KVM ramdisk to address CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091.
Affects Version/s: 5.5.0-92-6.0.0-159

Key: CLOUDBOOT-440
Type: Fix
Release Notes: Updated the following components for CentOS 7 KVM compute resources to address CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091:

  • Kernel version to 3.10.0-957.12.1.el7.x86_64
  • libvirt version to 4.5.0-10.el7_6.7
  • UFS filesystem sources based on kernel version 3.10.0-957.12.1.el7.x86_64 and compiled with the R/W support patch
  • XFS filesystem driver sources version to 3.10.0-327.36.3.el7.x86_64 based on kernel version 3.10.0-957.12.1.el7.x86_64 and compiled with the following patches:
    • xfs-make-xfs_bmbt_to_iomap-available-outside-of-xfs_.patch
    • iomap-Switch-from-blkno-to-disk-offset.patch
    • dax-give-DAX-clearing-code-correct-bdev.patch

Affects Version/s: 5.5.0-92-6.0.0-159

Key: CLOUDBOOT-441
Type: Fix
Release Notes: Updated the following components for the CentOS 6 KVM ramdisk to address CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091:

  • Kernel version to 2.6.32-754.14.2.el6.x86_64
  • libvirt version to 0.10.2-64.el6_10.1, patched with the fixed-xt_physdev-warning-when-defining-ip-6-tables patch
  • qemu-kvm version to 0.12.1.2-2.506.el6_10.3, compiled with --enable-io-throttling

Affects Version/s: 5.0-6.0.0-122

Key: CLOUDBOOT-444
Type: Fix
Release Notes: Updated the kernel version to 3.10.0-957.12.2.el7.x86_64 for the CentOS 7 default ramdisk to address CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091.
Affects Version/s: 5.5.0-92-6.0.0-159