As you have probably seen in the media lately, the importance of keeping systems updated is more visible than ever. We are seeing numerous critical vulnerabilities that can lead to a compromised system or to a system user escalating privileges, i.e. acting as an administrator without being one: reading and modifying files they should not have access to, or even remotely executing code on our machine.
Latest media vulnerabilities
The most talked-about are the following:
- Apache Log4j vulnerability, which allows remote code execution (https://www.incibe.es/protege-tu-empresa/avisos-seguridad/vulnerabilidad-critica-apache-log4j).
- Linux Dirty Pipe vulnerability, which allows overwriting files even if they are read-only (https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/dirty-pipe-vulnerabilidad-escalada-privilegios-el-kernel-linux).
- Windows vulnerability CVE-2022-21882 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882).
How to perform the upgrade process
Keep in mind that from the moment a vulnerability or bug is found in a system, the patch takes time to develop. Linux takes an average of 25 days to release patches, Apple 70 days and Microsoft 80 days.
This also applies to applications, not just systems. For example, WordPress and its plugins release updates frequently.
You are probably wondering what happens with containers. Normally, if there is a good community behind an application's image, new updated images will be released, and updating the application is practically a matter of stopping the container and starting another one from the new image. In other cases, a series of additional steps will likely be needed, such as a complementary update of the data in the databases.
If we use images we have built ourselves, then whenever possible, and provided the applications are compatible with newer systems, we should update the image so as not to fall behind and to fix errors in the layers that make up our final image.
Another important point is the firmware update of the infrastructure hardware components.
Finally, the update frequency. It is important to update the system or application frequently whenever possible, although this should be assessed on a case-by-case basis. One way to do this is to schedule updates on a weekly or monthly basis. Before upgrading, review the changes that will be applied and verify that the system, application or container can work with them.
Before upgrading anything (applications, containers or system), make a backup of the data.
The backup may vary depending on the use of the system or application, but I like to do it this way:
- Operating System: Complete backup of the system disk. There are paid tools for this; it can also be done by running dd from the system disk to a file. With this we will be able to restore the complete system if we run into problems, saving us from reinstalling it.
- Applications: Backup of files and database. Depending on the criticality of the application, I would make a full backup of the system.
- Containers: In this case it is important to use volumes to persist the data. I would back up these volumes to avoid modification of the data during image upgrade/replacement.
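
The dd backup from the first item, as an added example that is not part of the original article: it images a source to a file, verifies the copy with SHA-256 and records the digest so the image can be rechecked before a restore. The function names are hypothetical, GNU coreutils (`dd`, `sha256sum`) are assumed, and the source must not be written to during the copy (unmounted, or imaged from rescue media), otherwise the digests will differ.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Paths are supplied by the caller; nothing here is specific to one system.

# sha256_of PATH: print the SHA-256 hex digest of PATH.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# backup_image SRC DEST: copy SRC (e.g. a disk device) to the file DEST with
# dd, then re-read both and compare digests. Returns 0 only for a verified copy.
backup_image() {
    src=$1
    dest=$2

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    # Never silently replace an earlier backup.
    [ ! -e "$dest" ] || { echo "refusing to overwrite: $dest" >&2; return 3; }

    # A disk image contains every file on the system: create it owner-only.
    old_umask=$(umask); umask 077
    rc=0
    # conv=fsync flushes the image to stable storage before dd exits.
    dd if="$src" of="$dest" bs=4M conv=fsync status=none || rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || { rm -f "$dest"; return 4; }

    src_sum=$(sha256_of "$src")
    dest_sum=$(sha256_of "$dest")
    if [ -z "$src_sum" ] || [ "$src_sum" != "$dest_sum" ]; then
        echo "checksum mismatch, backup discarded" >&2
        rm -f "$dest"
        return 5
    fi

    # Record the digest beside the image so it can be rechecked before a restore.
    ( cd "$(dirname "$dest")" &&
      sha256sum "$(basename "$dest")" > "$(basename "$dest").sha256" )
}

# verify_image DEST: succeed only if DEST still matches its recorded digest.
verify_image() {
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}
```

A call looks like `backup_image /dev/sdX /mnt/backup/system.img`, where both paths are placeholders for the real device and backup location.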