The Dnsmasq security problem announced in [1] affects Apache CloudStack (ACS) virtual routers (VRs). The steps for upgrading are as follows.

 * For each type of hypervisor in use in the cloud you should check the
   template in use. The parameter that indicates the template in use
   is: router.template.<Hypervisor>. Thus, if you want to check the
   template in use for XenServer, the parameter to be checked is:
   router.template.xenserver. This parameter holds the name of the
   template that is used by ACS to instantiate a VR.
 * After identifying the templates, you must download them and start
   them in a player like VirtualBox. To access the templates, the user
   is "root" and the password is "password".
 * With the VM running on the player (e.g. VirtualBox), run:
   `aptitude update; aptitude install dnsmasq`
 * After that, you must load (register) the updated templates in ACS
   again. In the registration process it is necessary to mark the
   templates with type "routing" and the option of "HVM" must be
   deselected. In addition, you should not make this template public or
   featured.
 * With the new templates in ACS, you should change the parameters
   "router.template.<Hypervisor>" to reflect the name of the newly
   updated template.

Doing that, the VR template will be updated with the Dnsmasq 2.62-3+deb7u4 package that contains the fix for the problem reported in [1]. However, this will only be valid for new VRs. To update the VRs already running, there are two possibilities: (i) destroying them and waiting for ACS to recreate them (this generates unavailability for users' VMs), or (ii) accessing the VRs and running "aptitude update; aptitude install dnsmasq".

[1] https://coreos.com/blog/dns-vulnerability-patched-in-kubernetes-and-tectonic


On 10/10/2017 3:37 PM, Felipe Arturo Polanco wrote:
Hello,

Researchers have found an exploit in dnsmasq code which allows code
execution, I was wondering if the Virtual Router uses Dnsmasq for DHCP
assignment and also how can we protect it from being exploited.

Will there be a new System VM with patches applied? Or can we just apt-get
update the VR and the patch will be applied?

Thanks,


--
Rafael Weingärtner
