Wednesday, May 23, 2018

Kernel Side-Channel Attack using Speculative Store Bypass

[2018-05-25]

Bitnami has now released all of its Ubuntu, Red Hat, CentOS and Oracle Linux based images with the new kernel. Updates are being propagated to the Bitnami Launchpads and the different cloud platforms.

----

Description

A new CPU security vulnerability has been found. It is similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled “Speculative Store Bypass” or “Variant 4”, the latest vulnerability exploits the speculative execution that modern CPUs use.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal the data available in the computer’s memory. They were publicly disclosed on January 4th, 2018.

This new vulnerability affects modern out-of-order execution processor cores from Intel, AMD, and ARM, which means that mobile devices are also affected. It can potentially be exploited by script files running within a program to lift sensitive information out of other parts of the application. Intel describes it as:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working on updating the affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. This will ensure that all new launches will be secured against these issues. If you have an existing running server (virtual machines) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution/operating system):

  • Ubuntu

       sudo apt-get update && sudo apt-get dist-upgrade

  • Debian

       No patched kernel version is available yet.

  • Oracle Linux, Red Hat, CentOS and Amazon Linux

       sudo yum update

  • Windows / OSX

       Update your system packages when the operating system suggests it. Enable "Check for updates" in Windows in order to get the latest updates and patches.

Once you have completed the steps above, you will have the fixed version of the kernel/operating system after rebooting your server.
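As an added check, not part of the original post: after rebooting into the updated kernel, confirm that it actually reports a Speculative Store Bypass mitigation. Kernels that carry the Variant 4 fix publish their status in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass; a kernel too old to know about the issue has no such file, which the script below reports as "unknown" rather than as mitigated.

```shell
#!/bin/sh
# Added example (not Bitnami's code): read the kernel's own report on the
# Speculative Store Bypass (Variant 4) mitigation after the update and reboot.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# ssb_status [FILE] -> prints one word and returns a matching exit code:
#   0 "mitigated"   kernel reports "Mitigation: ..." or "Not affected"
#   1 "vulnerable"  kernel knows the issue but reports "Vulnerable"
#   2 "unknown"     file missing or unparseable: kernel predates the fix,
#                   so the update has not taken effect yet (reboot pending?)
ssb_status() {
    file=${1:-$SSB_SYSFS}
    if [ ! -r "$file" ]; then
        echo unknown
        return 2
    fi
    case "$(cat "$file")" in
        "Not affected"|Mitigation:*)
            echo mitigated
            return 0 ;;
        Vulnerable*)
            echo vulnerable
            return 1 ;;
        *)
            echo unknown
            return 2 ;;
    esac
}

# Stand-alone use: `sh ssb-check.sh --check` reports the live kernel's state
# next to its version, so you can compare it with `uname -r` from before the update.
if [ "${1:-}" = "--check" ]; then
    printf 'kernel %s: spec_store_bypass=%s\n' "$(uname -r)" "$(ssb_status)"
fi
```

Run it once before and once after the reboot: the version from uname should change and the status should move from "unknown" or "vulnerable" to "mitigated".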

If you have any questions about this process, please post to our community support forum and we will be happy to help!

Wednesday, May 16, 2018

Security Update: Red Hat Linux DHCP Client

[2018-05-19]

All the affected Cloud Images have been updated.

--------

A new security vulnerability in the DHCP client implementation of Red Hat Linux has been discovered. The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems. This issue affects Red Hat, Oracle Enterprise Linux, and CentOS servers. For further information, check the Red Hat official announcement.

The command injection flaw resides in the NetworkManager integration script included in the DHCP client packages. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this vulnerability to execute arbitrary commands with root privileges on affected systems. The attack is possible when NetworkManager is configured to obtain network configuration using the DHCP protocol. Red Hat has confirmed that this vulnerability impacts both Red Hat Enterprise Linux 6 and 7. It is strongly recommended to update the dhclient package as soon as newer versions are available if you are running one of these affected versions.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working to update all of the affected Cloud Images available through Bitnami for all Cloud Providers. We will keep you updated in this blog post.

How to mitigate the issue

In the meantime, you can mitigate this problem by updating the tool using the package manager included in the affected systems (yum).

  sudo yum install dhcp-common

Once updated, you will have one of the following versions:

  • Red Hat:         4.2.5-68.el7_5.1
  • CentOS:          4.2.5-68.el7.centos.1
  • Oracle Server:   4.2.5-68.0.1.el7_5.1

Red Hat warns: "Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers".

How to obtain the installed version of the package

To check the currently installed version on your system:

  sudo yum -q info installed dhcp-common
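As an added example, not part of the original post: the update and version-check steps above leave you comparing rpm version strings by eye. The script below does that comparison for you, segment by segment (an approximation of rpm's ordering that is sufficient for the versions listed above), and checks the installed dhcp-common package against the fixed version for your distribution; the fixed version is passed in as an argument, so the three values listed above are the intended inputs.

```shell
#!/bin/sh
# Added example (not Bitnami's code): decide whether the installed dhcp-common
# is at or above the fixed version for CVE-2018-1111 on this distribution.

# vercmp A B -> prints -1, 0 or 1. Splits both strings on non-alphanumerics,
# compares numeric segments numerically and others lexically, and treats a
# longer string with an equal prefix as newer (4.2.5-68.el7 < 4.2.5-68.el7_5.1).
vercmp() {
    awk -v a="$1" -v b="$2" '
    BEGIN {
        na = split(a, A, /[^0-9A-Za-z]+/); nb = split(b, B, /[^0-9A-Za-z]+/)
        n = (na > nb) ? na : nb
        r = 0
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x == y) continue
            if (x == "")      { r = -1; break }
            if (y == "")      { r = 1;  break }
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { r = (x + 0 < y + 0) ? -1 : 1; break }
            r = (x < y) ? -1 : 1; break
        }
        print r
    }'
}

# dhcp_fixed INSTALLED FIXED -> exit 0 if INSTALLED is at or above FIXED, else 1
dhcp_fixed() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# check_host FIXED -> queries rpm directly (its output is stable, unlike yum's
# text) and compares; exit 2 if the package is not installed at all.
check_host() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' dhcp-common) || return 2
    if dhcp_fixed "$installed" "$1"; then
        echo "dhcp-common $installed: fixed (>= $1)"
    else
        echo "dhcp-common $installed: VULNERABLE, update to $1 or later"
        return 1
    fi
}

# Stand-alone use, e.g. on CentOS 7:  sh dhcp-check.sh 4.2.5-68.el7.centos.1
if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```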

If you have additional questions about this security issue, post them in our community forum, and we will be happy to help you.

Monday, May 7, 2018

Taking the Bitnami / Microsoft partnership to the next level: Simple cloud migration to support enterprise digital transformation

We at Bitnami are excited to be expanding our partnership with Microsoft. Our existing partnership is built around our application catalog - the more than 120 open-source applications and development stacks that Bitnami pre-packages, maintains, and publishes to the Azure Marketplace. These have delivered, and continue to deliver, a truly awesome click-to-deploy experience for Azure customers.

We are now adding Bitnami Stacksmith to our partner solution set for Microsoft Azure customers. Stacksmith makes it easy for enterprise companies to realize their digital transformation, application migration, and datacenter reduction initiatives.

Stacksmith is an easy to use SaaS tool that simplifies the migration of applications from the datacenter to container and cloud platforms. Stacksmith automates the manual tasks required to package, deploy and maintain them. Over recent months, Bitnami’s development team has worked with the Microsoft Azure team to build Azure platform support into Stacksmith. Now Microsoft customers can use Stacksmith and replatform their existing applications from their datacenter to Azure.

This support includes repackaging your application to your choice of output formats / platforms. Stacksmith will deliver a cloud optimized Virtual Machine image with its corresponding Azure Resource Manager (ARM) template for deployment to Azure. Or, for those interested in Kubernetes, Stacksmith can also repackage your application as a container with Helm chart for deployment to AKS.

This is what it looks like:
[image]

This integration provides a direct path for enterprise companies to replatform traditional applications to Azure. This not only helps companies get their applications out of the datacenter to Azure, but also makes it possible to utilize additional native Azure platform services, opening up a ton of options and flexibility. Here is what this looks like:
[image]

Come find out how the combination of Stacksmith and Azure can help you jumpstart your transition to the cloud. Contact your Microsoft sales rep or visit us at bitnami.com, where you can also try Stacksmith with our 30 day free trial.