Symantec Privileged Access Management

This thread is created to provide updates on our compatibility with the Meltdown kernel patches released by the Linux OS vendors. 

Red Hat: 

It has been discovered that Red Hat 6 and Red Hat 7 64bit Kernel Updates and PIM will cause the system panic when starting our agent on the following kernel levels. 

RHEL 6 - 2.6.32-696.18.7.el6.x86_64
RHEL 7 - 3.10.0-693.11.6.el7.x86_64

PAMSC 14 fix have been released on the Solutions and Patches page. This also covers PIM 14 Enterprise Manager on Linux with the embedded PAMSC endpoint. 

PIM 12.6.3 fix for Red Hat 6 has been released on Solutions and Patches page as SO00057.

PIM 12.8 GA fix for Red Hat 6 only has been released on the Solutions and Patches page as SO00058.

PIM 12.8 SP1 fix has been released on the Solutions and Patches page as SO00005.

PIM 12.9 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00293.

PIM 12.9.1/12.9.2 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00294.

Red Hat AUS/EUS:

PIM 12.8 SP1 fix for the following kernels on Red Hat has been released on Solutions and Patches page as SO00292.

RHEL 6.7 EUS, 6.x latest

2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS 

2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

RHEL 7.2, 7.3 EUS/AUS, 7.x latest

3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

Due to Red Hat restrictions we are unable to provide updates for the following AUS kernels. 

RHEL6.2 AUS kernel-2.6.32-220.77.1.el6.x86_64(RHBA-2018:0120)
RHEL6.5 AUS kernel-2.6.32-431.86.1.el6.x86_64(RHBA-2018:0119)

Red Hat 5

RHEL 5, 2.6.18-426.el5, which was released on 2/7/2018 has been tested with PIM endpoint and no update is required to our SEOS_syscall.
https://access.redhat.com/errata/RHSA-2018:0292

Important! 

We are unable to make a Red Hat 7 fix for PIM 12.8 GA. It is required to upgrade to 12.8 SP1 full fixes to support Meltdown. (SO00290 - install_base | SO00277 - RPM)

s390x
We have done our testing on Red Hat 7.4 and SLES 12.3 running on s390x with our exiting modules. No updates are required on s390x systems based on our testing.

Latest kernel modules we have tested.
RHEL - 3.10.0-693.17.1.el7.s390x
SLES - 4.4.114-94.11-default

SUSE:

We have found not all versions of SUSE Linux with the meltdown kernel patch will require an updated SEOS_syscall. Here is the breakdown of what passed and failed.

Passed – no patch needed:

SLES 11.4 - kernel-default-3.0.101-108.21.1

SLES 12.0 - kernel-default-3.12.61-52.111.1

SLES 12.1 - kernel-default-3.12.74-60.64.69.1

Failed – Patch Required

SLES 12.2 - 4.4.103-92.56-default

SLES 12.3 - 4.4.103-6.38-default

PIM 12.8.1 fix for SUSE 12.2 and 12.3 has been released on Solutions and Patches page as SO00152. 

Oracle Enterprise Linux:

It has been discovered that Oracle Enterprise Linux 7 running UEKr4 kernels will require an updated SEOS_syscall module. 

OEL 6.x, 7.x UEKr4 - latest

4.1.12-94.7.8.el6uek.x86_64

4.1.12-112.14.5.el6uek.x86_64

4.1.12-112.14.10.el6uek.x86_64

4.1.12-94.7.8.el7uek.x86_64

4.1.12-112.14.5.el7uek.x86_64

4.1.12-112.14.10.el7uek.x86_64

PIM 12.8.1 fix for OEL 6 & OEL 7 has been released on Solutions and Patches page as SO00248.

Ubuntu: 

We have added the following kernel support to PAMSC 14.01 Rollup Patch for Meltdown 

Ubuntu 16:

4.4.0-109-generic
Ubuntu 17
4.10.0-42-generic

Full Install Packages: 

We have created full rollup install patches for 12.8 SP1 

SO00290 - install_base | SO00277 - RPM

These packages include support for the following kernels: 

RHEL 6.7 EUS, 6.x latest

2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS (same module)

2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

RHEL 7.2, 7.3 EUS/AUS, 7.x latest

3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

OEL 6.x, 7.x UEKr4 - latest

4.1.12-94.7.8.el6uek.x86_64

4.1.12-112.14.5.el6uek.x86_64

4.1.12-112.14.10.el6uek.x86_64

4.1.12-94.7.8.el7uek.x86_64

4.1.12-112.14.5.el7uek.x86_64

4.1.12-112.14.10.el7uek.x86_64

SLES 12.2, 12.3

4.4.103-92.56-default - SLES 12.2 - latest

4.4.103-6.38-default - SLES 12.3 - latest

IBM AIX

We have tested IBM's AIX 7.1 patch without any problems with our SEOS_syscall module. 

# oslevel -s
7100-03-05-1524

Please follow this thread as it will be updated when patches are published. 

Thank you, 

Aaron Armagost
Manager, Software Engineering (CA)

This thread is created to provide updates on our compatibility with the Meltdown kernel patches released by the Linux OS vendors. 

Red Hat: 

It has been discovered that Red Hat 6 and Red Hat 7 64bit Kernel Updates and PIM will cause the system panic when starting our agent on the following kernel levels. 

RHEL 6 - 2.6.32-696.18.7.el6.x86_64
RHEL 7 - 3.10.0-693.11.6.el7.x86_64

PAMSC 14 fix have been released on the Solutions and Patches page. This also covers PIM 14 Enterprise Manager on Linux with the embedded PAMSC endpoint. 

PIM 12.6.3 fix for Red Hat 6 has been released on Solutions and Patches page as SO00057.

PIM 12.8 GA fix for Red Hat 6 only has been released on the Solutions and Patches page as SO00058.

PIM 12.8 SP1 fix has been released on the Solutions and Patches page as SO00005.

PIM 12.9 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00293.

PIM 12.9.1/12.9.2 (Management Servers) fix for Red Hat 6 has been released on Solutions and Patches page as SO00294.

Red Hat AUS/EUS:

PIM 12.8 SP1 fix for the following kernels on Red Hat has been released on Solutions and Patches page as SO00292.

RHEL 6.7 EUS, 6.x latest

2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS 

2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

RHEL 7.2, 7.3 EUS/AUS, 7.x latest

3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

Due to Red Hat restrictions we are unable to provide updates for the following AUS kernels. 

RHEL6.2 AUS kernel-2.6.32-220.77.1.el6.x86_64(RHBA-2018:0120)
RHEL6.5 AUS kernel-2.6.32-431.86.1.el6.x86_64(RHBA-2018:0119)

Red Hat 5

RHEL 5, 2.6.18-426.el5, which was released on 2/7/2018 has been tested with PIM endpoint and no update is required to our SEOS_syscall.
https://access.redhat.com/errata/RHSA-2018:0292

Important! 

We are unable to make a Red Hat 7 fix for PIM 12.8 GA. It is required to upgrade to 12.8 SP1 full fixes to support Meltdown. (SO00290 - install_base | SO00277 - RPM)

s390x
We have done our testing on Red Hat 7.4 and SLES 12.3 running on s390x with our exiting modules. No updates are required on s390x systems based on our testing.

Latest kernel modules we have tested.
RHEL - 3.10.0-693.17.1.el7.s390x
SLES - 4.4.114-94.11-default

SUSE:

We have found not all versions of SUSE Linux with the meltdown kernel patch will require an updated SEOS_syscall. Here is the breakdown of what passed and failed.

Passed – no patch needed:

SLES 11.4 - kernel-default-3.0.101-108.21.1

SLES 12.0 - kernel-default-3.12.61-52.111.1

SLES 12.1 - kernel-default-3.12.74-60.64.69.1

Failed – Patch Required

SLES 12.2 - 4.4.103-92.56-default

SLES 12.3 - 4.4.103-6.38-default

PIM 12.8.1 fix for SUSE 12.2 and 12.3 has been released on Solutions and Patches page as SO00152. 

Oracle Enterprise Linux:

It has been discovered that Oracle Enterprise Linux 7 running UEKr4 kernels will require an updated SEOS_syscall module. 

OEL 6.x, 7.x UEKr4 - latest

4.1.12-94.7.8.el6uek.x86_64

4.1.12-112.14.5.el6uek.x86_64

4.1.12-112.14.10.el6uek.x86_64

4.1.12-94.7.8.el7uek.x86_64

4.1.12-112.14.5.el7uek.x86_64

4.1.12-112.14.10.el7uek.x86_64

PIM 12.8.1 fix for OEL 6 & OEL 7 has been released on Solutions and Patches page as SO00248.

Ubuntu: 

We have added the following kernel support to PAMSC 14.01 Rollup Patch for Meltdown 

Ubuntu 16:

4.4.0-109-generic
Ubuntu 17
4.10.0-42-generic

Full Install Packages: 

We have created full rollup install patches for 12.8 SP1 

SO00290 - install_base | SO00277 - RPM

These packages include support for the following kernels: 

RHEL 6.7 EUS, 6.x latest

2.6.32-573.49.3.el6.x86_64 - RHEL 6.7 - EUS

2.6.32-573.51.1.el6.x86_64 - RHEL 6.7 - EUS (same module)

2.6.32-696.18.7.el6.x86_64 - RHEL 6.x - latest

RHEL 7.2, 7.3 EUS/AUS, 7.x latest

3.10.0-327.62.4.el7.x86_64 - RHEL 7.2 - AUS

3.10.0-514.36.5.el7.x86_64 - RHEL 7.3 - EUS

3.10.0-693.11.6.el7.x86_64 - RHEL 7.4 - latest

OEL 6.x, 7.x UEKr4 - latest

4.1.12-94.7.8.el6uek.x86_64

4.1.12-112.14.5.el6uek.x86_64

4.1.12-112.14.10.el6uek.x86_64

4.1.12-94.7.8.el7uek.x86_64

4.1.12-112.14.5.el7uek.x86_64

4.1.12-112.14.10.el7uek.x86_64

SLES 12.2, 12.3

4.4.103-92.56-default - SLES 12.2 - latest

4.4.103-6.38-default - SLES 12.3 - latest

IBM AIX

We have tested IBM's AIX 7.1 patch without any problems with our SEOS_syscall module. 

# oslevel -s
7100-03-05-1524

Please follow this thread as it will be updated when patches are published. 

Thank you, 

Aaron Armagost
Manager, Software Engineering (CA)