# alinux-security

Part of **ALINUX**

# Alibaba Cloud Linux Security and Compliance Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|--------|--------|----------|------------------|
| CVE-2021-22555 Vulnerability | `Kernel panic - not syncing: Fatal exception` due to heap out-of-bounds write | High | Upgrade kernel or install kernel-hotfix-5928799 |
| CVE-2021-33909 Vulnerability | `BUG: unable to handle kernel paging request...` or `Kernel panic - not syncing: Fatal exception` | High | Install kernel-hotfix-5956925 based on OS version |
| Non-critical Integrity Log Message | `integrity: Unable to open file` in kernel logs | Low | Confirm system is unaffected; no action required |
| MLPS 2.0 Level 3 Baseline Check Failure | Error code `403` during compliance check | Medium | Ensure Cloud Security Center is Enterprise Edition |

## Problem Details

### Problem 1: CVE-2021-22555 Vulnerability

**Symptoms**
- Error message: `Kernel panic - not syncing: Fatal exception`
- Behavior: System crashes unexpectedly, especially under memory-intensive workloads or in virtualized environments
- Context: Occurs on Alibaba Cloud Linux 2 systems with vulnerable kernel versions

**Root Cause**
- A heap-based buffer overflow in the Netfilter subsystem allows local attackers to escalate privileges or cause denial of service via crafted netlink messages.
- This vulnerability can lead to virtual machine escape in containerized or virtualized environments.

**Solution**
1. Update the kernel using YUM:
   ```bash
   sudo yum update kernel
   ```
2. Reboot the instance to apply the new kernel:
   ```bash
   sudo reboot
   ```
   **OR**, if immediate reboot is not feasible, install the hotfix without reboot:
   ```bash
   sudo yum install -y kernel-hotfix-5928799-`uname -r | awk -F"-" '{print $NF}'`
   ```

**Verification**
- After reboot or hotfix installation, verify the kernel version:
  ```bash
  uname -r
  ```
- Confirm no recurrence of kernel panic under normal operation.
- For hotfix: ensure the package is installed:
  ```bash
  rpm -q kernel-hotfix-5928799
  ```

### Problem 2: CVE-2021-33909 Vulnerability

**Symptoms**
- Error message: `BUG: unable to handle kernel paging request at ffffb807c2f1aff6`
- Error message: `Kernel panic - not syncing: Fatal exception`
- Behavior: System crash or container escape in multi-tenant environments
- Context: Affects Alibaba Cloud Linux 2 and 3 with specific kernel versions

**Root Cause**
- The `seq_buf_alloc()` function takes a `size_t` size that another kernel function stores in an `int`, so on 64-bit systems the value is truncated. The resulting undersized allocation leads to heap corruption and potential arbitrary code execution.

**Solution**
1. Check your current kernel version:
   ```bash
   uname -r
   ```
2. For **Alibaba Cloud Linux 2** with kernel versions between `4.19.91-19.1.al7.x86_64` and `4.19.91-24.al7.x86_64`, install the hotfix:
   ```bash
   sudo yum install -y kernel-hotfix-5956925-`uname -r | awk -F"-" '{print $NF}'`
   ```
3. For **Alibaba Cloud Linux 3**, first attempt a full kernel upgrade. If the issue persists, apply the same hotfix command as above.

**Verification**
- Confirm hotfix installation:
  ```bash
  rpm -q kernel-hotfix-5956925
  ```
- Monitor system stability and ensure no kernel panics occur during stress testing or normal operation.

### Problem 3: Non-critical Integrity Log Message

**Symptoms**
- Error message: `integrity: Unable to open file`
- Behavior: Appears in `dmesg` or `/var/log/messages` but system operates normally
- Context: Common on Alibaba Cloud Linux 2 ECS instances without TPM hardware

**Root Cause**
- The kernel is compiled with `CONFIG_IMA_LOAD_X509` and `CONFIG_EVM_LOAD_X509`, which attempt to load X.509 certificates for integrity measurement.
- However, the expected certificate files do not exist on standard cloud instances (which lack physical TPM devices), resulting in harmless log warnings.

**Solution**
- No action is required. This message is informational and does not impact system security or functionality.
- If log noise is undesirable, suppress IMA/EVM initialization by adding kernel boot parameters (not recommended unless necessary):
  ```text
  ima_appraise=off evm=off
  ```
  (This requires modifying GRUB config and rebooting.)

**Verification**
- Check system health:
  ```bash
  dmesg | grep integrity
  uname -r
  ls /dev/tpm*
  ```
- Expected: The error appears, but `/dev/tpm*` devices are absent, confirming no TPM hardware. System remains stable.

### Problem 4: MLPS 2.0 Level 3 Baseline Check Failure

**Symptoms**
- Error code: `403`
- Behavior: Baseline compliance checks fail in Cloud Security Center
- Context: Attempting to validate an Alibaba Cloud Linux "MLPS 2.0 Level 3" image

**Root Cause**
- The baseline check feature for regulatory compliance (e.g., China’s MLPS 2.0) is only available in **Cloud Security Center Enterprise Edition**.
- Using a lower edition results in permission-denied (`403`) errors during compliance scanning.

**Solution**
1. Upgrade Cloud Security Center to **Enterprise Edition** via the Alibaba Cloud Console.
2. Ensure the ECS instance uses an official "Alibaba Cloud Linux 2/3 MLPS 2.0 Level 3" image.
3. Run the baseline check again after the upgrade.

**Verification**
- In Cloud Security Center console, navigate to **Compliance Center > Baseline Check**.
- Initiate a new check — it should proceed without `403` errors.
- Review results to confirm alignment with MLPS 2.0 Level 3 requirements (e.g., password policies, SSH key enforcement, Kdump disabled).

## FAQ

**Q: How do I check if my system is affected by CVE-2021-22555 or CVE-2021-33909?**  
A: Run `uname -r` to get your kernel version. Compare against the vulnerable ranges documented for each CVE. For CVE-2021-22555, all Alibaba Cloud Linux 2 kernels prior to the patched version are affected. For CVE-2021-33909, check if your version falls within the specified range (e.g., 4.19.91-19.1.al7 to 4.19.91-24.al7 for AL2).
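The version-range check in Problem 2, step 2 and the FAQ answer above, as an added example that is not part of the guide: a POSIX shell script that classifies a kernel version string against the CVE-2021-33909 range given for Alibaba Cloud Linux 2 and derives the `kernel-hotfix-5956925` package name that the guide's install command resolves to. The function names are mine, and the range is assumed to be inclusive.

```shell
#!/bin/sh
# Added example (not from the guide): classify a kernel version string against the
# CVE-2021-33909 hotfix range quoted for Alibaba Cloud Linux 2 and derive the package
# name the guide's install command resolves to. Assumptions: the range is inclusive
# and AL2 kernels look like <base>-<release>.al7.<arch>, e.g. 4.19.91-19.1.al7.x86_64.

# Compare two dotted release numbers (e.g. 19.1 vs 24) field by field, numerically.
# Prints -1, 0 or 1; a missing trailing field counts as 0, so 19 sorts below 19.1.
relcmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.};; *) a='';; esac
    case $b in *.*) b=${b#*.};; *) b='';; esac
    if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
  done
  echo 0
}

# Verdict for one version string: affected, not-in-range, or not-al2.
cve_2021_33909_status() {
  case $1 in 4.19.91-*.al7.*) ;; *) echo not-al2; return;; esac
  rel=${1#*-}            # 19.1.al7.x86_64
  num=${rel%%.al7.*}     # 19.1
  if [ "$(relcmp "$num" 19.1)" -ge 0 ] && [ "$(relcmp "$num" 24)" -le 0 ]; then
    echo affected
  else
    echo not-in-range
  fi
}

# Same derivation as the guide's `uname -r | awk -F"-" '{print $NF}'`: the text
# after the last '-' is appended to the hotfix base name.
hotfix_pkg_name() {
  echo "kernel-hotfix-5956925-${1##*-}"
}

# Report on the running kernel; rpm is consulted only when the kernel is in range.
check_running_kernel() {
  k=$(uname -r); s=$(cve_2021_33909_status "$k")
  echo "kernel=$k status=$s"
  if [ "$s" = affected ]; then
    p=$(hotfix_pkg_name "$k")
    rpm -q "$p" >/dev/null 2>&1 && echo "hotfix installed: $p" || echo "hotfix missing: $p"
  fi
}
check_running_kernel
```

Run it on an instance before and after the hotfix install; an `affected` kernel with `hotfix missing` is the state step 2 of Problem 2 addresses.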

**Q: Do I need to reboot after installing a kernel hotfix?**  
A: No. Kernel hotfixes (e.g., `kernel-hotfix-5928799`) are applied live using kpatch and do not require a reboot. However, a full `yum update kernel` requires a reboot to activate the new kernel.

**Q: Is the "integrity: Unable to open file" message a security risk?**  
A: No. This message occurs because the kernel expects certificate files for IMA/EVM that are not present in standard cloud environments. It does not indicate a breach or misconfiguration and can be safely ignored.

**Q: What are the key differences in Alibaba Cloud Linux MLPS 2.0 Level 3 images?**  
A: These images enforce stricter security baselines: root login via password is disabled (SSH key-only), password expiration policies are active, unnecessary services (like Kdump) are disabled, and system hardening aligns with Chinese regulatory standards.

**Q: How can I verify that a security patch was applied successfully?**  
A: Use `rpm -q <package-name>` to confirm hotfix installation. For kernel updates, verify the running kernel with `uname -r` matches the updated version. Additionally, monitor logs (`/var/log/yum.log`, `dmesg`) for post-patch stability.