Friday, August 12, 2016

Security Notification: Off-Path TCP Linux Kernel Vulnerability (CVE-2016-5696)

[UPDATE: 2016-08-22]

BCH images have been updated properly. You can now launch new servers that mitigate the vulnerability.

[UPDATE: 2016-08-18]

All the affected cloud images and virtual machines have been successfully patched.

If you are using a Bitnami Cloud Hosting instance, you can easily patch it following the guide below while we upgrade the base images. 

[UPDATE: 2016-08-17]

The Bitnami Team is happy to announce that the images of Google, Azure, 1&1 and GoDaddy have been updated properly. Additionally, we continue working on releasing the images for our all of our cloud platform partners, virtual machines and the native installers.

----

A new security vulnerability in the linux kernel has been discovered. You can find out more information about it in the following research report: "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous".

Since the Linux kernel code affected was implemented in 2012 (in Linux Kernel 3.6), all Bitnami-packaged images might be affected by this issue if the kernel hasn't been updated. At the time of writing this post, a new patched kernel has NOT been released for Debian and Ubuntu distributions that are the base OS for most of the Bitnami Virtual Machines. We will keep you updated in this blog post.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami and our team is working to update all of the affected Virtual Machines and Cloud Images available through Bitnami for all Cloud Providers. 

In the meantime, you can mitigate this problem by applying the following patch in your system:
sysctl net.ipv4.tcp_challenge_ack_limit=1073741823; grep -q tcp_challenge_ack_limit /etc/sysctl.conf || echo "net.ipv4.tcp_challenge_ack_limit=1073741823" >> /etc/sysctl.conf
Please, note that this is just a temporary solution that makes it a lot harder for attackers to succeed in exploiting this vulnerability. You can find more information about this temporary fix in a writeup on the Akamai blog.

Once the new kernel is available, you can update it by running the following commands (you must run the command specific to your distribution):


  • Ubuntu 
sudo apt-get update && sudo apt-get dist-upgrade 
You will have the fixed version of the kernel after rebooting your server.

  • Debian 
sudo apt-get update && sudo apt-get dist-upgrade 
You will have the fixed version of the kernel after rebooting your server.

  • Oracle Linux 
sudo yum update
sudo yum upgrade
You will have the fixed version of the kernel after rebooting your server.


  • Amazon Linux & RedHat Linux
sudo yum clean all
sudo yum update kernel
You will have the fixed version of the kernel after rebooting your server. 


If you have any questions about this process, please post to our community support forum and we will be happy to help!