Hornbill Blog

Security: Dirty COW Security Hole Discovered

A fairly nasty security bug, CVE-2016-5195, nicknamed Dirty COW, was found by Phil Oester, a Linux security researcher. The flaw is relatively easy to exploit, so it's important to patch your systems ASAP; everyone running Linux will have this problem. Red Hat's description of the issue states:

"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.  An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."

The security issue has been in the Linux kernel for a long time but has only recently been uncovered. It is not known whether this problem has been exploited; there are no known instances, but that's not to say it has not been. However, now that this vulnerability is a known problem, we can expect attacks to follow, so anyone running a Linux environment should patch as soon as possible.

Hornbill’s own cloud environment runs entirely on a CentOS distribution of Linux, so our systems have had that vulnerability. We are lucky in a sense because we do not provide direct access to our systems outside of our own network. All end-user access is provided through our application services and APIs, which are not vulnerable to the problem. In theory, if an attacker could chain this exploit together with another security issue, it could be possible to exploit, but that's a pretty unlikely scenario.

Of course, as soon as we got to know about the issue, we reviewed our systems to make sure there was no direct way for anyone outside of our own network to exploit this on our systems and to ensure there was no immediate risk to our customers' data. Then we waited patiently for a patch to be developed by the security experts in the Linux community.

We use http://spacewalk.redhat.com/ to manage all our internal Linux servers, so pushing out the patch and confirming it has been applied is trivial. We always push out changes to our development and test environment in order to confirm that our systems are still working as expected. We then push the change into our production systems, generally 48 hours after. This particular change is a little trickier than usual: as it's a kernel update, it requires a restart of the servers to make sure the patch is actually applied, and this needs to be done without disrupting service.
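A package manager reporting the kernel update as installed does not mean the host is running it, which is why the restart matters. The following is an added example, not Hornbill's own tooling: it flags hosts where a newer kernel is installed than the one booted. The function names are hypothetical, the version strings are constructed samples rather than the real fixed versions for this CVE, and the comparison is a simplified form of RPM's ordering that ignores `~` and `^`.

```python
import functools
import platform
import re
import subprocess

def rpmvercmp(a, b):
    """Order two version strings roughly as RPM does (no ~ or ^ handling)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def kernel_cmp(a, b):
    """Compare 'VERSION-RELEASE.ARCH' strings: version first, then release."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def newest_kernel(installed):
    """Return the highest kernel from a list of installed kernel strings."""
    return max(installed, key=functools.cmp_to_key(kernel_cmp))

def reboot_pending(running, installed):
    """True when a kernel newer than the running one is installed but not booted."""
    return kernel_cmp(newest_kernel(installed), running) > 0

def check_host():
    """Check the local host. Assumes an RPM-based system such as CentOS."""
    out = subprocess.run(
        ["rpm", "-q", "kernel", "--qf", "%{VERSION}-%{RELEASE}.%{ARCH}\n"],
        capture_output=True, text=True, check=True).stdout
    return reboot_pending(platform.release(), out.split())

if __name__ == "__main__":
    # Constructed sample values, not real fixed-kernel versions.
    installed = ["3.10.0-100.el7.x86_64",
                 "3.10.0-100.4.2.el7.x86_64",
                 "3.10.0-100.10.1.el7.x86_64"]
    print(newest_kernel(installed))
    print(reboot_pending("3.10.0-100.4.2.el7.x86_64", installed))
```

A plain string or `sort -V` comparison ranks `100.el7` above `100.4.2.el7`, so the base kernel would wrongly look newest; the segment rule in `rpmvercmp` avoids that.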

We have now patched all of our servers at all global locations and everything is up and running without issue.
