  1. #1
    Super Moderator
    Join Date
    Sep 2010
    Location
    Searching...
    Posts
    4,106

    CloudLinux Security Flaw

    CloudLinux - Content Disclosure Vulnerability (R911-0049)
    Quote:
    Type: Content Disclosure (Root Access)
    Location: Local
    Impact: High
    Product: CloudLinux
    Website: CloudLinux OS
    Vulnerable Version: CageFS 5.0-8
    Fixed Version: CageFS 5.0-9
    CVE:
    R911: 0049
    Date: 2013-08-09
    Product Description:

    CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is a basis for application level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted to multi-tenant hosting environments.

    Vulnerability Description:

    There is a flaw within the CageFS portion of CloudLinux that allows an attacker to disclose the contents of any file on the server regardless of file ownership.

    Proof of Concept:

    Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

    Impact:

    We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be viewed.

    Vulnerable Version:

    This vulnerability was tested against CloudLinux CageFS 5.0-8 and is believed to exist in all prior versions.

    Fixed Version:

    This vulnerability was patched in CloudLinux CageFS 5.0-9.

    Vendor Contact Timeline:

    2013-08-08: Vendor contacted via email.
    2013-08-08: Vendor confirms vulnerability.
    2013-08-09: Vendor issues update.
    2013-08-09: Rack911 issues security advisory.

    -----------

    Cloudlinux has released a fix for this. In our testing it sufficiently blocks the vulnerability.

    Beta: CageFS-5.0-9, LVEManager-0.6-21

    Quote:
    Changelog:
    CageFS
    - Configure pam_lve for CageFS (redone, bugfix)
    - Fixed content disclosure vulnerability. Special thanks to Patrick H. and Steven Ciaburri from Rack911.com for discovering the vulnerability
    It is strongly recommended that you upgrade.
    link: CloudLinux - Content Disclosure Vulnerability (R911-0049) - Hosting Software and Control Panels - Web Hosting Talk

  2. #2
    WHT-BR Top Member
    Join Date
    Nov 2010
    Posts
    1,609
    Whoa, I'm not even surprised anymore, hahaha

  3. #3
    Web Hosting Guru
    Join Date
    May 2011
    Posts
    331
    Now a question: does CloudLinux update automatically, or do we have to do something manually?

  4. #4
    Web Hosting Guru
    Join Date
    May 2011
    Posts
    331
    Found it here

    How Can I setup auto-update for CloudLinux?
    Posted by Igor Seletskiy on 03 April 2011 02:41 PM
    If you are running cPanel, cPanel will automatically update packages. Otherwise:



    Edit file /etc/yum/yum-updatesd.conf

    Set:
    do_update = yes
    do_download=yes
    do_download_deps=yes

    Make sure service yum-updatesd is running. You can start it via:

    # service yum-updatesd start

  5. #5
    Join Date
    Nov 2010
    Location
    Rio de Janeiro
    Posts
    596
    The final fix in the stable version is already out:

    Security Update: CageFS-5.0-9, LVEManager-0.6-21

    Just run

    Code:
    yum update cagefs lvemanager
    Last edited by DuranDuran; 14-08-2013 at 05:22.
    _________________________
    Alexandre Duran

  6. #6
    Web Hosting Guru
    Join Date
    May 2011
    Posts
    331
    This always shows up, so it must really be automatic.


    Skipping security plugin, no data
    Setting up Update Process
    Package(s) cagefs available, but not installed.
    No Packages marked for Update

  7. #7
    WHT-BR Top Member
    Join Date
    Nov 2010
    Posts
    1,609
    Quote: Originally posted by maksol
    This always shows up, so it must really be automatic.


    Skipping security plugin, no data
    Setting up Update Process
    Package(s) cagefs available, but not installed.
    No Packages marked for Update
    Actually, cagefs is not installed by default on CloudLinux.

    To update CloudLinux, just type:

    yum update

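A check for the situation discussed in this thread, added here as an example (it is not from the advisory, CloudLinux, or any poster): it classifies a host as `not-installed`, `vulnerable` or `fixed` against the advisory's fixed version 5.0-9, covering the "available, but not installed" case from posts #6 and #7. The dist-tag stripping and the use of `sort -V` in place of RPM's own version comparison are assumptions.

```shell
#!/bin/sh
# Added example: compare the installed cagefs package with the fixed version.
FIXED="5.0-9"   # fixed CageFS version, taken from the advisory text

# classify_cagefs VERSION-RELEASE
# Prints one of: not-installed | vulnerable | fixed
classify_cagefs() {
    vr=$1
    # An empty string or rpm's "is not installed" message means the package
    # is absent, so the CageFS flaw does not apply to this host.
    case "$vr" in
        ""|*"not installed"*) echo "not-installed"; return 0 ;;
    esac
    # Drop a trailing dist tag such as ".el6" so "5.0-9.el6" compares as "5.0-9".
    # Assumption: the page only gives the bare forms "5.0-8" and "5.0-9".
    vr=$(printf '%s\n' "$vr" | sed 's/\.[A-Za-z][A-Za-z0-9_.]*$//')
    # sort -V (GNU coreutils) orders version strings. If FIXED sorts first,
    # the installed version is equal to or newer than the fix.
    lowest=$(printf '%s\n%s\n' "$FIXED" "$vr" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED" ]; then
        echo "fixed"
    else
        # The advisory believes all versions before 5.0-9 are affected.
        echo "vulnerable"
    fi
}

# check_host: query the local RPM database and classify the result.
check_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' cagefs 2>/dev/null) || vr=""
    classify_cagefs "$vr"
}

# Constructed sample inputs (not taken from a real host).
for sample in "5.0-8.el6" "5.0-9.el6" ""; do
    printf '%-12s %s\n' "${sample:-<absent>}" "$(classify_cagefs "$sample")"
done
```

On a real server, call `check_host`; a `vulnerable` result means `yum update cagefs lvemanager` from post #5 still needs to be run.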