| Urgent: GhostLock (CVE-2026-43499) on OpenVZ 7 Where is the patch for WebPros / SolusVM users? [message #53891] |
Fri, 10 July 2026 11:21  |
viadck
Messages: 4 Registered: January 2018
|
Junior Member |
|
|
Hello everyone,
The current situation regarding the GhostLock root exploit (CVE-2026-43499) has reached a critical bottleneck for hosting providers running production workloads on OpenVZ 7.
According to official ecosystem roadmaps, OpenVZ 7 is supposed to remain supported. Yet, we are currently facing a severe, host-breaking local privilege escalation vulnerability with no clear path to mitigation or patching for open-source OpenVZ users.
The Corporate & Licensing Trap
Let's look at the reality of the WebPros ecosystem:
1. Virtuozzo maintains OpenVZ.
2. WebPros owns Virtuozzo, as well as SolusVM, which is actively licensed as management software for KVM and OpenVZ VPS nodes.
3. Due to internal corporate partnerships, third-party tools like KernelCare do not support OpenVZ 7, pointing users directly to Virtuozzo's native ReadyKernel instead.
This has created an absolute trap. My production host nodes are fully up to date on disk, running the latest stable release: 3.10.0-1160.119.1.vz7.224.4. However, running readykernel info yields Loaded patches: 0. Why? Because WebPros/Virtuozzo gatekeeps the live patch repository behind licensing channels that SolusVM/OpenVZ customers are not even given an option to purchase or order in their portals.
SolusVM support is currently deflecting tickets by stating that OpenVZ 7 security coverage is uncertain and that it's a "vendor issue." WebPros is the vendor for both sides of this equation. You cannot license orchestration software for a virtualization tier, block third-party security vendors, and then completely abandon the community when a major exploit hits.
If anyone from Virtuozzo or WebPros engineering is monitoring this forum, we need an official kernel update pushed to the public repositories immediately, or the ReadyKernel patch channels opened up for this critical CVE.
Leaving paying ecosystem customers stranded with an active root exploit because of broken licensing workflows is unacceptable.
Kind regards!
|
|
|
|
|
|
|
|
| Re: Urgent: GhostLock (CVE-2026-43499) on OpenVZ 7 Where is the patch for WebPros / SolusVM users? [message #53894 is a reply to message #53893] |
Sun, 12 July 2026 11:44  |
dmc_dtc
Messages: 18 Registered: May 2014 Location: Serbia
|
Junior Member |
|
|
Yeah, yesterday i had same problem, you are left with error 403 when you try to click on attachments, but if you go to URL of attached file in browser and click enter in the address bar after url of attachment - the download start - In any case i've created github page so anyone can try
https://github.com/dmcdtc/openvz-cve-patch-2026
I am planning to make .rpms of kernel made form .src.rpm official one, i made one for CentOS7 yesterday and it seems to work, just the source of my OpenVZ kernel will probably be 119 version (src.rpm) and i will add this patch so i can get binary kernel files. Again, i will wait few days for official patch before i do this kind of work, in the meantime you can use this patch for some important server.
EDIT: ive posted kernel.spec patch and binary kernel releases build with that spec.. so basically you just need to rpm -i vzkernel-3.10.0-1160.119.1.vz7.224.4.custom.x86_64.rpm - just for security reasons it is probably safer to build it your self with my patch and spec to be sure no other files were modified..
>> dmc / dtc <<
[Updated on: Sun, 12 July 2026 15:51] Report message to a moderator
|
|
|
|