Closed johanburati closed 2 years ago
I've deployed an Ubuntu VM and it also installs OMI version 1.6.8.0 by default:
# grep PRETTY /etc/os-release
PRETTY_NAME="Ubuntu 20.04.3 LTS"
# /opt/omi/bin/omiagent --version
/opt/omi/bin/omiagent: OMI-1.6.8-0 - Wed Jan 13 18:36:50 PST 2021
Same on SLES, it installs OMI version 1.6.8-0 by default:
# grep PRETTY /etc/os-release
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"
# /opt/omi/bin/omiagent --version
/opt/omi/bin/omiagent: OMI-1.6.8-0 - Wed Jan 13 18:36:50 PST 2021
For info, to install OMI version 1.6.8-1, you will need to grab the package for your distro on the releases pages and install it manually. I hope it helps.
Can anybody tell us when this version will be installed by default by the extension?
@johanburati we have uploaded the packages to MS Repo, you can update it from MS Repo: https://docs.microsoft.com/en-us/windows-server/administration/Linux-Package-Repository-for-Microsoft-Software. Run sudo yum upgrade omi or sudo apt-get upgrade omi or sudo zypper update omi.
For the Azure extension, I don't know who manages it.
I think the point of this is, why do we keep deploying older versions of omi/oms agent and so on on new deployments and we can't keep those up to date? I had this question sent almost a year ago with no responses at all ... https://github.com/Azure/azure-linux-extensions/issues/1210
Yes, it's with the extensions team, but still, this is not acceptable.
Looks like the APT configs are not pointing to the above-mentioned "MS Repo". So apt-get upgrade omi still installs the old one...
The service is stopped after updating, would recommend restarting it after updating: sudo systemctl start omid
Thank you @johanburati and @nsao-genetec for bringing this to our attention. (Also thank you @mbsnl for cross-referencing the issues.)
Yes, the extension seems to be pulling an older omi package. It looks like it specifically fetches a pinned release. You should see it in the template and can inspect it in your local VM (/var/lib/waagent/<extension folder>/packages/omsagent*sh or similar). It then installs with dpkg, you should be able to confirm that by running apt show omi and inspecting the APT-Manual-Installed flag.
As described by @JumpingYang001, it is possible to set up the packages.microsoft.com repository where the updated omi is available. An apt upgrade should pull that, but if @nsao-genetec is seeing problems with that please let us know which distro/release you're in and how your repo is set up in your sources.list.
@nsao-genetec: Which distro/release are you in? I can get that checked. We had tested almost all Linux, OMI is being upgraded to 1.6.8-1. Most likely some repo setup issue on the machine. Anyhow, share the details, I can get that checked.
For those people that do not get the update: please add the Microsoft repo into your VM repo list.
Below is the link for your reference. https://docs.microsoft.com/en-us/windows-server/administration/Linux-Package-Repository-for-Microsoft-Software
After you add the Microsoft repo, remember to perform sudo apt-get update and sudo apt-get upgrade. It will automatically detect that there is an update for OMI and SCX.
How is this vulnerability impacting PaaS services in Azure (App Service, Azure Kubernetes Service, ...) with underlying linux VM's? Does the OMI vulnerability affect those services as well? Because we don't have access to perform the patch on those VM's, since Microsoft controls that infrastructure.
If you are running into SSL errors during upgrade via the MS repo (described here), download and install the packages provided by the release page.
For example, the Ubuntu package delivered via MS repo was forcing SSL version 1.0.x, but systems were running SSL version 1.1.x:
Expecting SSL version (compatible with): 1.0.0
SSL version found on system: 1.1.x
Incorrect version of OMI for your system, please check SSL version.
@flannoo official impact document: https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/
Wiz’s research team reported that the issue was solved in OMI version 1.6.8.1 in their article on their website.
However I just deployed a VM and the OmsAgentForLinux extension installed OMI version 1.6.8.0:
OMI version 1.6.8-0 is the only version I could see in the repo, could you please confirm if this version is vulnerable or not?
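
For checking a VM against what this thread reports, here is an added example (not from the OMI project or any commenter) that parses the omiagent --version banner quoted above and compares it numerically with 1.6.8-1, the release the thread cites as fixed. The function names and the "fixed"/"outdated"/"unknown" labels are assumptions of this example; the sample banner is the one copied from the thread.

```shell
#!/bin/sh
# Added example: classify an `omiagent --version` banner against 1.6.8-1.
FIXED_VERSION="1.6.8-1"

# Banner copied from the thread, used when OMI is not installed locally.
SAMPLE_BANNER='/opt/omi/bin/omiagent: OMI-1.6.8-0 - Wed Jan 13 18:36:50 PST 2021'

# Print "A.B.C-D" from a banner; accepts "1.6.8-0" and "1.6.8.0" spellings.
omi_parse_version() {
    printf '%s\n' "$1" | sed -n \
        's/.*OMI-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[.-]\([0-9][0-9]*\).*/\1-\2/p' | head -n 1
}

# Return 0 when version $1 >= version $2, comparing each field numerically
# (a string compare would rank 1.6.10 below 1.6.8).
omi_version_ge() {
    old_ifs=$IFS; IFS='.-'
    set -- $1 $2            # splits into $1..$4 (left) and $5..$8 (right)
    IFS=$old_ifs
    a1=$1 a2=$2 a3=$3 a4=$4; shift 4
    for a in "$a1" "$a2" "$a3" "$a4"; do
        [ "$a" -gt "$1" ] && return 0
        [ "$a" -lt "$1" ] && return 1
        shift
    done
    return 0
}

# Print "fixed <ver>", "outdated <ver>" or "unknown" for a banner line.
omi_status() {
    v=$(omi_parse_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif omi_version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed $v"
    else
        echo "outdated $v"
    fi
}

if [ -x /opt/omi/bin/omiagent ]; then
    banner=$(/opt/omi/bin/omiagent --version 2>/dev/null)
else
    banner=$SAMPLE_BANNER
fi
omi_status "$banner"
```

An "outdated" result on a freshly deployed VM matches what the thread describes: the extension installs a pinned package with dpkg, so the version stays put until omi is upgraded from the Microsoft repository or the release page.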