Symantec Privileged Access Management

Expand all | Collapse all

Privileged Identity Manager (PIM) and Privileged Access Manager Server Control (PAMSC) with Meltdown Linux Kernel Updates 

  • 1.  Privileged Identity Manager (PIM) and Privileged Access Manager Server Control (PAMSC) with Meltdown Linux Kernel Updates 

    Posted 01-10-2018 04:41 PM

    This thread is created to provide updates on our compatibility with the Meltdown kernel patches released by the Linux OS vendors. 

     

    Red Hat: 

    It has been discovered that Red Hat 6 and Red Hat 7 64bit Kernel Updates and PIM will cause the system panic when starting our agent on the following kernel levels. 

     

    RHEL 6 - 2.6.32-696.18.7.el6.x86_64
    RHEL 7 - 3.10.0-693.11.6.el7.x86_64

     

    PAMSC 14 fix have been released on the Solutions and Patches page. This also covers PIM 14 Enterprise Manager on Linux with the embedded PAMSC endpoint. 

     

    PIM 12.6.3 fix for Red Hat 6 has been released on Solutions and Patches page as SO00057.

    PIM 12.8 GA fix for Red Hat 6 only has been released on the Solutions and Patches page as SO00058.

    PIM 12.8 SP1 fix has been released on the Solutions and Patches page as SO00005.

     

    PIM 12.9 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00293.

    PIM 12.9.1/12.9.2 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00294.

     

    Red Hat AUS/EUS:

    PIM 12.8 SP1 fix for the following kernels on Red Hat has been released on Solutions and Patches page as SO00292.

    RHEL 6.7 EUS, 6.x latest

    2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

    2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS 

    2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

     

    RHEL 7.2, 7.3 EUS/AUS, 7.x latest

    3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

    3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

    3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

     

    Due to Red Hat restrictions we are unable to provide updates for the following AUS kernels. 

    RHEL6.2 AUS kernel-2.6.32-220.77.1.el6.x86_64(RHBA-2018:0120)
    RHEL6.5 AUS kernel-2.6.32-431.86.1.el6.x86_64(RHBA-2018:0119)

     

    Red Hat 5

    RHEL 5, 2.6.18-426.el5, which was released on 2/7/2018 has been tested with PIM endpoint and no update is required to our SEOS_syscall.
    https://access.redhat.com/errata/RHSA-2018:0292

     

    Important! 

    We are unable to make a Red Hat 7 fix for PIM 12.8 GA. It is required to upgrade to 12.8 SP1 full fixes to support Meltdown. (SO00290 - install_base | SO00277 - RPM)

     

    s390x
    We have done our testing on Red Hat 7.4 and SLES 12.3 running on s390x with our exiting modules. No updates are required on s390x systems based on our testing.

    Latest kernel modules we have tested.
    RHEL - 3.10.0-693.17.1.el7.s390x
    SLES - 4.4.114-94.11-default

     

     

    SUSE:

    We have found not all versions of SUSE Linux with the meltdown kernel patch will require an updated SEOS_syscall. Here is the breakdown of what passed and failed.

     

    Passed – no patch needed:

    SLES 11.4 - kernel-default-3.0.101-108.21.1

    SLES 12.0 - kernel-default-3.12.61-52.111.1

    SLES 12.1 - kernel-default-3.12.74-60.64.69.1

     

    Failed – Patch Required

    SLES 12.2 - 4.4.103-92.56-default

    SLES 12.3 - 4.4.103-6.38-default

     

    PIM 12.8.1 fix for SUSE 12.2 and 12.3 has been released on Solutions and Patches page as SO00152. 

     

    Oracle Enterprise Linux:

    It has been discovered that Oracle Enterprise Linux 7 running UEKr4 kernels will require an updated SEOS_syscall module. 

     

    OEL 6.x, 7.x UEKr4 - latest

    4.1.12-94.7.8.el6uek.x86_64

    4.1.12-112.14.5.el6uek.x86_64

    4.1.12-112.14.10.el6uek.x86_64

    4.1.12-94.7.8.el7uek.x86_64

    4.1.12-112.14.5.el7uek.x86_64

    4.1.12-112.14.10.el7uek.x86_64

     

    PIM 12.8.1 fix for OEL 6 & OEL 7 has been released on Solutions and Patches page as SO00248.

     

    Ubuntu: 

    We have added the following kernel support to PAMSC 14.01 Rollup Patch for Meltdown 

    Ubuntu 16:

    4.4.0-109-generic
    Ubuntu 17
    4.10.0-42-generic

     

     

    Full Install Packages: 

    We have created full rollup install patches for 12.8 SP1 

    SO00290 - install_base | SO00277 - RPM

     

    These packages include support for the following kernels: 

    RHEL 6.7 EUS, 6.x latest

    2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

    2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS (same module)

    2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

     

    RHEL 7.2, 7.3 EUS/AUS, 7.x latest

    3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

    3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

    3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

     

    OEL 6.x, 7.x UEKr4 - latest

    4.1.12-94.7.8.el6uek.x86_64

    4.1.12-112.14.5.el6uek.x86_64

    4.1.12-112.14.10.el6uek.x86_64

    4.1.12-94.7.8.el7uek.x86_64

    4.1.12-112.14.5.el7uek.x86_64

    4.1.12-112.14.10.el7uek.x86_64

     

    SLES 12.2, 12.3

    4.4.103-92.56-default - SLES 12.2 - latest

    4.4.103-6.38-default - SLES 12.3 - latest

     

    IBM AIX

    We have tested IBM's AIX 7.1 patch without any problems with our SEOS_syscall module. 

    # oslevel -s
    7100-03-05-1524

     

    Please follow this thread as it will be updated when patches are published. 

     

    Thank you, 

     

    Aaron Armagost
    Manager, Software Engineering (CA)



  • 2.  RE: Privileged Identity Manager (PIM) and Privileged Access Manager Server Control (PAMSC) with Meltdown Linux Kernel Updates 

    Posted 10-18-2019 03:05 AM
    Hi, it looks like Broadcon is not "continuously improving software patch delivery with higher quality and ease of deployment" .We are currently on suse 15 but we have not an AC agent ready for it.

    Please, can you deliver a new Agent or  path to get this operative system (suse 15) version working?


  • 3.  RE: Privileged Identity Manager (PIM) and Privileged Access Manager Server Control (PAMSC) with Meltdown Linux Kernel Updates 

    Posted 10-18-2019 12:11 PM
    Hi Javier,

    It appears as though you are replying to a year-old post about Meltdown vulnerability requesting compatibility for SUSE 15. Certification requests should be created as Ideas in the Communities as product management monitors ideas closely. Please create an idea for this certification request.

    Thanks,
    Brian Rehder


  • 4.  RE: Privileged Identity Manager (PIM) and Privileged Access Manager Server Control (PAMSC) with Meltdown Linux Kernel Updates 

    Posted 10-18-2019 05:18 PM
    Done, thanks!






  • 5.  RE: Privileged Identity Manager (PIM) and Privileged Access Manager Server Control (PAMSC) with Meltdown Linux Kernel Updates 

    Posted 10-23-2019 06:54 AM
    On the other hand, according to Broadcom in the following URL:
    
    https://techdocs.broadcom.com/us/product-content/recommended-reading/announcements/change-in-platform-certification-announcement-for-ca-access-control.html
    
    SuSE Linux is included in the so-called "Tier 1" in which the output of the versions of compatible agents will take between 4 and 6 months. This URL speaks even between 1 and 2 months for service packs.
    
    Given that according to the SuSE Linux website (https://www.suse.com/lifecycle/) version 15 of SuSE Linux was released on July 16, 2018, and version 15 SP1 of Linux was released on June 24 of 2019, the corresponding versions of the CA Access Control agent that will be released on December 16, 2018 and August 24, 2019, respectively. However, none of them is currently available.