Impact of latest operating system security patches released to address Stack Clash vulnerability (CVE-2017-1000364) in Linux, Solaris and BSD-based systems on Tibco Datasynapse group of products like Silver Fabric and GridServer
Article ID: KB0083875
Updated On:
| Products | Versions |
|---|---|
| TIBCO Silver Fabric | - |
Description
We have had reports of Silver Fabric /GridServer engines and daemons crashing after updating to kernel version with the patch for Stack Clash vulnerability (CVE-2017-1000364: Stack Guard flaw).
Till now Issues have been reported for the following Kernel Version upgrade:
2.6.32-696.3.2
3.10.0-514.21.2.el7.x86_64
Stack Clash vulnerability CVE:
CVE-2017-1000364 for the Linux kernel.
CVE-2017-10000366 for glibc.
Error :
Sample hs_err_pind<xxxx>.log
====================================================================
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGBUS (0x7) at pc=0x00007f6e8a92c461, pid=21747, tid=140112822265632
#
# JRE version: (7.0_91-b15) (build )
# Java VM: Java HotSpot(TM) 64-Bit Server VM (24.91-b03 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# j java.lang.Object.<clinit>()V+0
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
#
--------------- T H R E A D ---------------
......
......
......
Stack: [0x00007ffd3816e000,0x00007ffd381ee000], sp=0x00007ffd381ea4b0, free space=497k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
j java.lang.Object.<clinit>()V+0
v ~StubRoutines::call_stub
V [libjvm.so+0x602145] JavaCalls::call_helper(JavaValue*, methodHandle*, JavaCallArguments*, Thread*)+0x365
V [libjvm.so+0x600ba8] JavaCalls::call(JavaValue*, methodHandle, JavaCallArguments*, Thread*)+0x28
V [libjvm.so+0x5c501a] instanceKlass::call_class_initializer(Thread*)+0xca
V [libjvm.so+0x5c5274] instanceKlass::initialize_impl(instanceKlassHandle, Thread*)+0x234
V [libjvm.so+0x5c56ca] instanceKlass::initialize(Thread*)+0x6a
V [libjvm.so+0x5c550b] instanceKlass::initialize_impl(instanceKlassHandle, Thread*)+0x4cb
V [libjvm.so+0x5c56ca] instanceKlass::initialize(Thread*)+0x6a
V [libjvm.so+0x95e002] Threads::create_vm(JavaVMInitArgs*, bool*)+0x402
V [libjvm.so+0x63b474] JNI_CreateJavaVM+0x74
C [hawkagent_production+0x8d1c] __cxa_guard_acquire@@CXXABI_1.3+0x8d1c
--------------- P R O C E S S ---------------
Java Threads: ( => current thread )
=>0x0000000002476800 JavaThread "Unknown thread" [_thread_in_Java, id=21747, stack(0x00007ffd3816e000,0x00007ffd381ee000)]
Other Threads:
0x00000000024d6000 VMThread [stack: 0x00007f6e88436000,0x00007f6e88537000] [id=21754]
====================================================================
Please refer the following online articles for more information on this,
-Stack Clash security advisory
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
-Vendor advisories:
SUSE
https://www.novell.com/support/kb/doc.php?id=7020973
Red Hat
https://access.redhat.com/security/vulnerabilities/stackguard
Debian
https://www.debian.org/security/2017/dsa-3886
https://www.debian.org/security/2017/dsa-3887
https://www.debian.org/security/2017/dsa-3888
https://www.debian.org/security/2017/dsa-3889
Ubuntu
https://www.ubuntu.com/usn/
OpenBSD
https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
Oracle Solaris
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
Till now Issues have been reported for the following Kernel Version upgrade:
2.6.32-696.3.2
3.10.0-514.21.2.el7.x86_64
Stack Clash vulnerability CVE:
CVE-2017-1000364 for the Linux kernel.
CVE-2017-10000366 for glibc.
Error :
Sample hs_err_pind<xxxx>.log
====================================================================
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGBUS (0x7) at pc=0x00007f6e8a92c461, pid=21747, tid=140112822265632
#
# JRE version: (7.0_91-b15) (build )
# Java VM: Java HotSpot(TM) 64-Bit Server VM (24.91-b03 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# j java.lang.Object.<clinit>()V+0
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
#
--------------- T H R E A D ---------------
......
......
......
Stack: [0x00007ffd3816e000,0x00007ffd381ee000], sp=0x00007ffd381ea4b0, free space=497k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
j java.lang.Object.<clinit>()V+0
v ~StubRoutines::call_stub
V [libjvm.so+0x602145] JavaCalls::call_helper(JavaValue*, methodHandle*, JavaCallArguments*, Thread*)+0x365
V [libjvm.so+0x600ba8] JavaCalls::call(JavaValue*, methodHandle, JavaCallArguments*, Thread*)+0x28
V [libjvm.so+0x5c501a] instanceKlass::call_class_initializer(Thread*)+0xca
V [libjvm.so+0x5c5274] instanceKlass::initialize_impl(instanceKlassHandle, Thread*)+0x234
V [libjvm.so+0x5c56ca] instanceKlass::initialize(Thread*)+0x6a
V [libjvm.so+0x5c550b] instanceKlass::initialize_impl(instanceKlassHandle, Thread*)+0x4cb
V [libjvm.so+0x5c56ca] instanceKlass::initialize(Thread*)+0x6a
V [libjvm.so+0x95e002] Threads::create_vm(JavaVMInitArgs*, bool*)+0x402
V [libjvm.so+0x63b474] JNI_CreateJavaVM+0x74
C [hawkagent_production+0x8d1c] __cxa_guard_acquire@@CXXABI_1.3+0x8d1c
--------------- P R O C E S S ---------------
Java Threads: ( => current thread )
=>0x0000000002476800 JavaThread "Unknown thread" [_thread_in_Java, id=21747, stack(0x00007ffd3816e000,0x00007ffd381ee000)]
Other Threads:
0x00000000024d6000 VMThread [stack: 0x00007f6e88436000,0x00007f6e88537000] [id=21754]
====================================================================
Please refer the following online articles for more information on this,
-Stack Clash security advisory
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
-Vendor advisories:
SUSE
https://www.novell.com/support/kb/doc.php?id=7020973
Red Hat
https://access.redhat.com/security/vulnerabilities/stackguard
Debian
https://www.debian.org/security/2017/dsa-3886
https://www.debian.org/security/2017/dsa-3887
https://www.debian.org/security/2017/dsa-3888
https://www.debian.org/security/2017/dsa-3889
Ubuntu
https://www.ubuntu.com/usn/
OpenBSD
https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
Oracle Solaris
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
Issue/Introduction
Impact of latest operating system security patches released to address Stack Clash vulnerability (CVE-2017-1000364) in Linux, Solaris and BSD-based systems on Tibco products like Silver Fabric and Grid Server
Environment
OS : Linux, Solaris and BSD-based systems kernel version (2.6.32-696.3.2 / 3.10.0-514.21.2)
Resolution
This is a known issue introduced with security patches released to address Stack Clash vulnerability (CVE-2017-1000364) on Linux, Solaris and BSD-based systems. Linux vendors are currently working on a permanent solution for this issue. View RHEL Article: https://access.redhat.com/solutions/3091371 .
There is no work around for this issue for the Tibco Datasynapse group of products like Silver Fabric and GridServer at the minute. The only option is to roll back the patch and open a case with your OS vendor, as we expect all Linux vendors will very soon release a new patch with a permanent solution. Tibco depends on OS vendors assurances of backward compatibility for the new patch and we strongly encourage customers to establish and follow best practices for patch management i.e. Prior to being applied on production systems, patches should be successfully tested against relevant configurations on non‐production systems.
Disclaimer:
TIBCO provides this information regarding exposure to the known vulnerability or Operating System Known issues in good faith and makes reasonable efforts to supply correct, current, and high-quality guidance. However, TIBCO is releasing the results of our findings solely on an "as is" basis without any express or implied warranties, undertakings or guarantees.
There is no work around for this issue for the Tibco Datasynapse group of products like Silver Fabric and GridServer at the minute. The only option is to roll back the patch and open a case with your OS vendor, as we expect all Linux vendors will very soon release a new patch with a permanent solution. Tibco depends on OS vendors assurances of backward compatibility for the new patch and we strongly encourage customers to establish and follow best practices for patch management i.e. Prior to being applied on production systems, patches should be successfully tested against relevant configurations on non‐production systems.
Disclaimer:
TIBCO provides this information regarding exposure to the known vulnerability or Operating System Known issues in good faith and makes reasonable efforts to supply correct, current, and high-quality guidance. However, TIBCO is releasing the results of our findings solely on an "as is" basis without any express or implied warranties, undertakings or guarantees.
Additional Information
+ References For CVE-2017-1000364
https://access.redhat.com/solutions/3091371
https://www.suse.com/security/cve/CVE-2017-1000364/
https://www.suse.com/support/kb/doc/?id=7020973
https://issues.apache.org/jira/browse/DAEMON-363
https://issues.apache.org/jira/browse/DAEMON-364
https://issues.apache.org/jira/browse/DAEMON-365
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000364.html
http://www.cvedetails.com/cve/CVE-2017-1000364/
https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
https://nvd.nist.gov/vuln/detail/CVE-2017-1000364
https://community.ubnt.com/t5/UniFi-Wireless/Unifi-Controller-and-Debian-8-kernel-upgrade/td-p/1967647
https://bugzilla.redhat.com/show_bug.cgi?id=1463241
https://access.redhat.com/solutions/3091371
https://www.suse.com/security/cve/CVE-2017-1000364/
https://www.suse.com/support/kb/doc/?id=7020973
https://issues.apache.org/jira/browse/DAEMON-363
https://issues.apache.org/jira/browse/DAEMON-364
https://issues.apache.org/jira/browse/DAEMON-365
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000364.html
http://www.cvedetails.com/cve/CVE-2017-1000364/
https://www.cyberciti.biz/faq/howto-patch-linux-kernel-stack-clash-vulnerability-cve-2017-1000364/
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
https://nvd.nist.gov/vuln/detail/CVE-2017-1000364
https://community.ubnt.com/t5/UniFi-Wireless/Unifi-Controller-and-Debian-8-kernel-upgrade/td-p/1967647
https://bugzilla.redhat.com/show_bug.cgi?id=1463241
Feedback
Yes
No
Powered by
