Wednesday, April 17, 2024

Ksplice: Eliminate disruptive reboots by updating your system with Ksplice

 


  

Available to Oracle Linux customers with Oracle Linux Premier Support, Oracle Ksplice updates select, critical components of your Oracle Linux installation with all of the important security patches without needing to reboot.

With rebootless updates, you can:

  • Save time and pain by updating in seconds, while your systems are running.
  • Avoid downtime.
  • Prevent disastrous security incidents by making it easy to stay up to date.

Linux distributions require a reboot about once a month to stay up to date with important kernel and user-space security updates. Oracle Ksplice lets you apply the same updates that would normally require an update with your package manager and a reboot, without rebooting.

Oracle Linux is the only Linux distribution to offer zero-downtime updates for select, critical user-space components. With Oracle Linux 6, 7, 8 and 9, Ksplice can patch glibc and openssl vulnerabilities whilst the system is running, without stopping applications and without interruption. This feature is exclusive to Oracle Linux Premier Support customers.

What gets patched?

Not all patches are created equal. Ksplice patches run-time security vulnerabilities and stability bugs. Whether it's the latest CVE targeting the network stack, an overflow in the DNS resolver, or a kernel panic caused by a poorly written driver, Ksplice will quickly provide protection to your system, without rebooting or restarting applications.

Ksplice supports the latest kernels from Oracle, including the Unbreakable Enterprise Kernel and the Red Hat Compatible Kernel, as well as kernels from Ubuntu and CentOS. See the Ksplice User's Guide for the up-to-date list of all kernels Ksplice supports.

Ksplice supports glibc and openssl for all Oracle Linux versions that are covered by Oracle Linux Premier Support.

 

 

 

 

    (root) # ksplice -y all upgrade
    The following steps will be taken:
    Install [8v0l3voi]: CVE-2016-0702: RSA key disclosure on Sandy Bridge CPU's (CacheBleed).
    Install [qn7jy7c6]: CVE-2015-7547: Remote code execution in glibc DNS resolver.
    Done!

    The following steps will be taken:
    Install [b4ppb8m2] Race condition with outstanding tx counter in IP-over-InfiniBand.
    Install [280qdpcz] CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.
    Installing [b4ppb8m2] Race condition with outstanding tx counter in IP-over-InfiniBand.
    Installing [280qdpcz] CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.
    Your kernel is fully up to date.
    Effective kernel version is 4.1.12-32.2.3.el6uek

 

 

    (root) # ksplice all show
    Ksplice user-space updates installed:
    rsyslogd (2318)
    sshd (2697):
    - [qn7jy7c6]: CVE-2015-7547: Remote code execution in glibc DNS resolver.
    certmonger (3007):
    - [qn7jy7c6]: CVE-2015-7547: Remote code execution in glibc DNS resolver.
    - [8v0l3voi]: CVE-2016-0702: RSA key disclosure on Sandy Bridge CPU's (CacheBleed).

    Ksplice kernel updates installed:
    Installed updates:
    [b4ppb8m2] Race condition with outstanding tx counter in IP-over-InfiniBand.
    [280qdpcz] CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.
    Effective kernel version is 4.1.12-32.2.3.el6uek
    (root) #

 

 

 

More details on uptrack and ksplice:

https://oracle-samples.github.io/oltrain/posts/ol/ksplice/post-3/

 
