
CVE CVE-2021-33910 (systemd crash) on Cloud VPS
Closed, Resolved (Public)

Description

https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt

We need to check whether or not unattended upgrades are fixing this automatically.

241-7~deb10u8 is the fixed version for buster;
232-25+deb9u13 is the fixed version for stretch.

A simple upgrade should resolve the issue once packages are available:

# apt-get install systemd systemd-sysv udev libudev1 libsystemd0 libpam-systemd libnss-systemd

Event Timeline

Andrew triaged this task as Unbreak Now! priority. Jul 20 2021, 1:31 PM
Andrew updated the task description.
Andrew updated the task description.

I've confirmed that newly-built VMs get the latest version of systemd, thanks to cloud-init doing an upgrade at build time.

Rolling out manually on Toolforge k8s nodes (buster and somewhat user-accessible):

taavi@tools-clushmaster-02:~ $ clush -w "@k8s" "sudo DEBIAN_FRONTEND=noninteractive apt-get -q -y --assume-no -o DPkg::Options::="--force-confdef" -o DPkg::Options::="--force-confold" install systemd systemd-sysv udev libudev1 libsystemd0 libpam-systemd libnss-systemd"

Also deployed by hand on the Buster bastions.

root@abogott-puppetclient:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
root@abogott-puppetclient:~# dpkg --list | grep systemd
ii  dbus-user-session                    1.12.20-0+deb10u1                 amd64        simple interprocess messaging system (systemd --user integration)
ii  libnss-systemd:amd64                 241-7~deb10u7                     amd64        nss module providing dynamic user and group name resolution
ii  libpam-systemd:amd64                 241-7~deb10u7                     amd64        system and service manager - PAM module
ii  libsystemd0:amd64                    241-7~deb10u7                     amd64        systemd utility library
ii  systemd                              241-7~deb10u7                     amd64        system and service manager
ii  systemd-sysv                         241-7~deb10u7                     amd64        system and service manager - SysV links

But after a forced run of unattended-upgrades:

root@abogott-puppetclient:~# dpkg --list | grep systemd
ii  dbus-user-session                    1.12.20-0+deb10u1                 amd64        simple interprocess messaging system (systemd --user integration)
ii  libnss-systemd:amd64                 241-7~deb10u8                     amd64        nss module providing dynamic user and group name resolution
ii  libpam-systemd:amd64                 241-7~deb10u8                     amd64        system and service manager - PAM module
ii  libsystemd0:amd64                    241-7~deb10u8                     amd64        systemd utility library
ii  systemd                              241-7~deb10u8                     amd64        system and service manager
ii  systemd-sysv                         241-7~deb10u8

So probably we don't need to do anything for this but let's check back in 24 hours.

Mentioned in SAL (#wikimedia-cloud) [2021-07-20T18:42:35Z] <majavah> deploying systemd security tools on toolforge public stretch machines T287004

taavi lowered the priority of this task from Unbreak Now! to High. Jul 21 2021, 8:48 AM

Unattended-upgrades seems to have done its job. I checked tools and deployment-prep and everything had updated, except the bastions, which have a backported systemd and a subtask.

Should we close this or are there still toolforge edge cases that require package building?

Bstorm added a subscriber: Bstorm.

That should have been the only edge case. We didn't mess with systemd elsewhere.