Red Hat Security Advisory

Posted October 24, 2016

I received a Red Hat Security Advisory pertaining to a race condition that was found in the way the Linux kernel’s memory subsystem handled the copy-on-write. Although this is a local user exploit, it draws up the question: what is the turnaround time in which DigitalOcean will provide a kernel available to us when these exploit notifications are released?

1 answer

As far as I know, you are able to upgrade the kernel to a newer one which has it fixed, even on DigitalOcean.

On the day COW was disclosed, DigitalOcean published a tutorial with the steps needed to protect your Droplet. You can read it in How To Protect Your Server Against the Dirty COW Linux Vulnerability. It has steps for both Ubuntu/Debian and CentOS.

I hope this is what you meant; sorry if I misunderstood the question.

by Hazel Virdó
On October 21, 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. The bug is nicknamed Dirty COW because the underlying issue was a race condition in the way the kernel handles copy-on-write (COW). Exploiting this bug means that a regular, unprivileged user on your server can gain write access to any file they can read, and can therefore increase their privileges on the system. This tutorial explains how to protect your server from this vulnerability.
  • Yes, I have tried this but cannot get a branded kernel to work with iptables on your platform. When will DigitalOcean have a kernel available for CentOS 7 to rectify this?

    • DigitalOcean lets you manage the kernel how you want. You should be able to install any version you want.

      Keep in mind that if your Droplet is older, you need to update to an internally managed kernel and then use the method in the above article to update.
      Learn more about it in the tutorial.

      For problems with iptables, or for any further instructions feel free to ask here or contact support.