We are pleased to release TrueNAS 13.0-U6.3 and 13.3-U1!
This is a maintenance release to address a few security concerns:
Resolve a vulnerability involving python deserialization (CVE-2020-22083).
Address a security vulnerability with the jails system (iocage).
The updates to 13.0-U6.3 and 13.3-U1 include important security updates, which are recommended for all users of CORE and Enterprise running 13.x or older software versions. TrueNAS SCALE & SCALE Enterprise systems are not impacted.
In addition to the fixes included, some additional vulnerabilities have been identified related to iocage (a FreeBSD jail manager), which is the infrastructure component that operates both the Jails and the Plugins system on CORE. This update includes a mitigation that ensures any systems not running jails or plugins will be safe from the iocage vulnerability impact.
Because these vulnerabilities are architectural in nature and the iocage application has not been under active development for many years, it is unlikely to receive fixes related to these vulnerabilities. Systems running Jails or Plugins will still be exposed to the iocage vulnerabilities.
Users who run 3rd party applications on TrueNAS are highly encouraged to upgrade to SCALE, which is actively supported and not impacted by any known vulnerabilities at this time. As always, users are encouraged to follow security best practices to minimize the risk to their systems and important data.
TrueNAS Enterprise 13.x users should schedule an update with TrueNAS support.
Can’t scrubs that are too frequent damage the disks in some way?
At the time I opened the ticket, if it wasn’t for the multi-alert script, I would never have noticed that my pools (not only the boot pool!!) were being scrubbed every day…
I looked for more details on this (both the mitigation and issue) and did not see anything obvious at first glance. Does anyone have links that they can share?
That was what held up this release for a few extra days while we sorted out what could be done. At the end of the day, the iocage tool that jails/plugins are based on has been defunct for years now, and some of the vulnerabilities couldn’t simply be patched; they are architectural in nature. We fixed a handful of the low-hanging ones and mitigated the overall risk by enabling a kill switch, so that if jails/plugins are not actively running, the iocage command won’t be executed, thus avoiding the dangerous code. But folks need to take that into consideration when running anything still using jails/plugins in their environments.
Yeah, we took a brief look at the forked version during the security review here. It still has all the same fundamental vulnerabilities present, so there’s no path for us to pull from to address things there.
Just realized we didn’t include in the release notes the wording about there still being vulnerabilities with using jails/plugins. That will be fixed shortly.
iocage has a vulnerability where it downloads and extracts updates in an insecure fashion. A TrueNAS system could be vulnerable if the local gateway or upstream connection can be captured in a MITM-style attack and used to substitute the update with files from the attacker.
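The post above describes the general failure mode: an updater that fetches an archive over the network and extracts whatever arrives, so anyone who can sit on the path (local gateway, upstream hop) can swap in their own files. The example below is added here to show what the check looks like that such an updater is missing; it is not iocage’s or TrueNAS’s code and does not reproduce any specific iocage detail. It assumes the release digest is pinned out-of-band (a signed manifest or release notes fetched over a separately authenticated channel; here it is simply computed from the constructed “genuine” tarball), and the sample tarballs are constructed in memory so the whole thing runs offline. The `insecure_apply_update` function models the vulnerable pattern; `hardened_apply_update` refuses an archive whose digest does not match the pinned value and also rejects archive members that would escape the destination directory or are links.

```python
"""Added example: fetch-verify-extract hardening against update substitution.
Not iocage/TrueNAS code. Sample tarballs and the 'pinned' digest are constructed here."""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Use tarfile's extraction filter where this Python provides it (3.12+, backported to
# 3.8.17/3.9.17/3.10.12/3.11.4); older interpreters fall back to the explicit checks below.
_FILTER = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


class UpdateVerificationError(Exception):
    """Raised when an update archive fails integrity or content checks."""


def build_tarball(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {member_name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def insecure_apply_update(blob: bytes, dest: str) -> list:
    """The vulnerable pattern: extract whatever the network delivered, no integrity check."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        names = tf.getnames()
        tf.extractall(dest)
    return sorted(names)


def _safe_members(tf: tarfile.TarFile, dest: str):
    """Yield only regular files/dirs that resolve inside dest; reject traversal and links."""
    dest_real = os.path.realpath(dest)
    for m in tf.getmembers():
        target = os.path.realpath(os.path.join(dest, m.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise UpdateVerificationError(f"member escapes destination: {m.name}")
        if m.issym() or m.islnk():
            raise UpdateVerificationError(f"link member not allowed: {m.name}")
        if not (m.isfile() or m.isdir()):
            raise UpdateVerificationError(f"unexpected member type: {m.name}")
        yield m


def hardened_apply_update(blob: bytes, expected_sha256: str, dest: str) -> list:
    """Verify the archive against an out-of-band pinned digest, then extract only safe members."""
    actual = sha256_hex(blob)
    # Constant-time compare; the pinned digest must come from a channel the MITM cannot rewrite.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise UpdateVerificationError(f"digest mismatch: expected {expected_sha256}, got {actual}")
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        members = list(_safe_members(tf, dest))  # validate everything before writing anything
        tf.extractall(dest, members=members, **_FILTER)
    return sorted(m.name for m in members)


def demo() -> dict:
    """Run genuine, attacker-substituted and path-traversal archives through both updaters."""
    genuine = build_tarball({
        "release/MANIFEST": b"constructed-release 13.3\n",
        "release/bin/hello": b"#!/bin/sh\necho hello\n",
    })
    pinned = sha256_hex(genuine)  # stands in for a digest obtained out-of-band
    tampered = build_tarball({    # same paths, attacker-controlled payload
        "release/MANIFEST": b"constructed-release 13.3\n",
        "release/bin/hello": b"#!/bin/sh\n# attacker payload would go here\n",
    })
    traversal = build_tarball({"../../outside.txt": b"escaped\n"})
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["insecure_accepts_tampered"] = (
            "release/bin/hello" in insecure_apply_update(tampered, os.path.join(d, "a"))
        )
        results["hardened_accepts_genuine"] = hardened_apply_update(
            genuine, pinned, os.path.join(d, "b")
        ) == ["release/MANIFEST", "release/bin/hello"]
        try:
            hardened_apply_update(tampered, pinned, os.path.join(d, "c"))
            results["hardened_rejects_tampered"] = False
        except UpdateVerificationError:
            results["hardened_rejects_tampered"] = True
        try:  # digest is "correct" here; the member path check must still stop it
            hardened_apply_update(traversal, sha256_hex(traversal), os.path.join(d, "e"))
            results["hardened_rejects_traversal"] = False
        except UpdateVerificationError:
            results["hardened_rejects_traversal"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The digest check only helps if the expected value cannot be rewritten by the same attacker who rewrites the download; pinning it in the tool, or fetching a signed manifest and verifying the signature against a key shipped with the OS, are the usual ways to get that. Validating every member before calling `extractall` matters because a half-extracted update is its own failure mode.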