AaronArmagost

Privileged Identity Manager (PIM) and Privileged Access Manager Server Control (PAMSC) with Meltdown Linux Kernel Updates 

Discussion created by AaronArmagost Employee on Jan 10, 2018

This thread is created to provide updates on our compatibility with the Meltdown kernel patches released by the Linux OS vendors. 

 

Red Hat: 

It has been discovered that Red Hat 6 and Red Hat 7 64bit Kernel Updates and PIM will cause the system panic when starting our agent on the following kernel levels. 

 

RHEL 6 - 2.6.32-696.18.7.el6.x86_64
RHEL 7 - 3.10.0-693.11.6.el7.x86_64

 

PAMSC 14 fix have been released on the Solutions and Patches page. This also covers PIM 14 Enterprise Manager on Linux with the embedded PAMSC endpoint. 

 

PIM 12.6.3 fix for Red Hat 6 has been released on Solutions and Patches page as SO00057.

PIM 12.8 GA fix for Red Hat 6 only has been released on the Solutions and Patches page as SO00058.

PIM 12.8 SP1 fix has been released on the Solutions and Patches page as SO00005.

 

PIM 12.9 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00293.

PIM 12.9.1/12.9.2 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00294.

 

Red Hat AUS/EUS:

PIM 12.8 SP1 fix for the following kernels on Red Hat has been released on Solutions and Patches page as SO00292.

RHEL 6.7 EUS, 6.x latest

2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS 

2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

 

RHEL 7.2, 7.3 EUS/AUS, 7.x latest

3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

 

Due to Red Hat restrictions we are unable to provide updates for the following AUS kernels. 

RHEL6.2 AUS kernel-2.6.32-220.77.1.el6.x86_64(RHBA-2018:0120)
RHEL6.5 AUS kernel-2.6.32-431.86.1.el6.x86_64(RHBA-2018:0119)

 

Red Hat 5

RHEL 5, 2.6.18-426.el5, which was released on 2/7/2018 has been tested with PIM endpoint and no update is required to our SEOS_syscall.
https://access.redhat.com/errata/RHSA-2018:0292

 

Important! 

We are unable to make a Red Hat 7 fix for PIM 12.8 GA. It is required to upgrade to 12.8 SP1 full fixes to support Meltdown. (SO00290 - install_base | SO00277 - RPM)

 

s390x
We have done our testing on Red Hat 7.4 and SLES 12.3 running on s390x with our exiting modules. No updates are required on s390x systems based on our testing.

Latest kernel modules we have tested.
RHEL - 3.10.0-693.17.1.el7.s390x
SLES - 4.4.114-94.11-default

 

 

SUSE:

We have found not all versions of SUSE Linux with the meltdown kernel patch will require an updated SEOS_syscall. Here is the breakdown of what passed and failed.

 

Passed – no patch needed:

SLES 11.4 - kernel-default-3.0.101-108.21.1

SLES 12.0 - kernel-default-3.12.61-52.111.1

SLES 12.1 - kernel-default-3.12.74-60.64.69.1

 

Failed – Patch Required

SLES 12.2 - 4.4.103-92.56-default

SLES 12.3 - 4.4.103-6.38-default

 

PIM 12.8.1 fix for SUSE 12.2 and 12.3 has been released on Solutions and Patches page as SO00152. 

 

Oracle Enterprise Linux:

It has been discovered that Oracle Enterprise Linux 7 running UEKr4 kernels will require an updated SEOS_syscall module. 

 

OEL 6.x, 7.x UEKr4 - latest

4.1.12-94.7.8.el6uek.x86_64

4.1.12-112.14.5.el6uek.x86_64

4.1.12-112.14.10.el6uek.x86_64

4.1.12-94.7.8.el7uek.x86_64

4.1.12-112.14.5.el7uek.x86_64

4.1.12-112.14.10.el7uek.x86_64

 

PIM 12.8.1 fix for OEL 6 & OEL 7 has been released on Solutions and Patches page as SO00248.

 

Ubuntu: 

We have added the following kernel support to PAMSC 14.01 Rollup Patch for Meltdown 

Ubuntu 16:

4.4.0-109-generic
Ubuntu 17
4.10.0-42-generic

 

 

Full Install Packages: 

We have created full rollup install patches for 12.8 SP1 

SO00290 - install_base | SO00277 - RPM

 

These packages include support for the following kernels: 

RHEL 6.7 EUS, 6.x latest

2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS (same module)

2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

 

RHEL 7.2, 7.3 EUS/AUS, 7.x latest

3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

 

OEL 6.x, 7.x UEKr4 - latest

4.1.12-94.7.8.el6uek.x86_64

4.1.12-112.14.5.el6uek.x86_64

4.1.12-112.14.10.el6uek.x86_64

4.1.12-94.7.8.el7uek.x86_64

4.1.12-112.14.5.el7uek.x86_64

4.1.12-112.14.10.el7uek.x86_64

 

SLES 12.2, 12.3

4.4.103-92.56-default - SLES 12.2 - latest

4.4.103-6.38-default - SLES 12.3 - latest

 

IBM AIX

We have tested IBM's AIX 7.1 patch without any problems with our SEOS_syscall module. 

# oslevel -s
7100-03-05-1524

 

Please follow this thread as it will be updated when patches are published. 

 

Thank you, 

 

Aaron Armagost
Manager, Software Engineering (CA)

Outcomes