Operating System beyond its "end-of-life" (EOL) date

Follow

Background

A computer operating system (OS) needs to be patched regularly to keep it secure against vulnerabilities.  Patches are typically provided by the OS vendor, and are typically applied using a standard utility such as "apt" or "yum" or "dnf". Unfortunately, OS vendors do not have the resources to provide security patches for old OS versions for ever.  Instead, a vendor will typically announce an official "end of life" (or EOL) date after which they will stop providing patches.  The end of life schedule varies depending on the OS version. In some cases, it will be 5 years or more, and in others it may be as little as 1 year.

Risks

If your are running a NeCTAR virtual machine whose OS is beyond its official end-of-life date, then security patches will no longer be available through the normal channels. If a new critical vulnerability is discovered for either the OS itself or software installed via the OSes "package" mechanisms, then applying patches will not be sufficient to protect your instance ... if it is actually vulnerable.

Remedies

The possible remedies are (in order of effectiveness):

  1. Terminate your instance and create a new one starting from a new base image whose OS is not past EOL. It is advisable to select an OS / version whose EOL is far enough into the future that you won't be forced to repeat this exercise frequently.  (Check the "end of life" schedules published by the OS vendor.)
  2. Most versions of Linux provide a way to do an "in place" upgrade to a newer release of the operating system.  Check the vendor's support documentation for details. There are some caveats:
    • There is a potential that the upgrade procedure will fail, leaving you with a broken (and possibly non-recoverable) instance.  Take appropriate backups before you start,
    • If you used a 3rd-party image, then the OS upgrade could break other software and that is part of the image.
  3. If you are using a 3rd-party image, ask the supplier about upgrade paths.
  4. Lock down the instance via the Security Groups so that it is only accessible from trusted IP addresses. This won't work if you need the instance to be publicly accessible for some reason.

 

Have more questions? Submit a request

Comments

Powered by Zendesk