Wednesday, May 23, 2018

Kernel Side-Channel Attack using Speculative Store Bypass

[2018-09-17]

Updated information with the commands to update the Debian packages

[2018-05-25]

Bitnami has now released all the Ubuntu, Red Hat, CentOS and Oracle Linux based images with the new kernel available. Updates are being propagated to the Bitnami Launchpads and the different Cloud Platforms.

----

Description

A new CPU security vulnerability has been found. It is similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled “Speculative Store Bypass” or “Variant 4”, the latest vulnerability exploits the speculative execution that modern CPUs use.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data from the computer’s memory. They were publicly disclosed on January 4th, 2018.

This new vulnerability affects modern out-of-order execution processor cores from Intel, AMD, and ARM. This means that mobile devices are also affected. It can potentially be exploited by script code running within a program to read sensitive information from other parts of that application. Intel describes it as:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working on updating the affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. This will ensure that all new launches are secured against these issues. If you have an existing running server (virtual machine) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution/operating system):

  • Ubuntu

       sudo apt-get update && sudo apt-get dist-upgrade

  • Debian

       sudo apt-get update && sudo apt-get dist-upgrade

  • Oracle Linux, Red Hat, CentOS and Amazon Linux

       sudo yum update

  • Windows / OSX

       Update your system packages when the operating system prompts you to. Enable "Check for updates" in Windows in order to get the latest updates and patches.

Once you have completed the steps above, reboot your server; the fixed version of the kernel/operating system is only in use after the reboot.
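As an added example (not part of the original post), the following POSIX shell script checks, after the update and reboot, whether the running Linux kernel actually reports a Variant 4 mitigation. It assumes the sysfs status file that patched kernels expose at /sys/devices/system/cpu/vulnerabilities/spec_store_bypass; the sample status lines are constructed for a dry run.

```shell
#!/bin/sh
# Added example, not code from the original Bitnami post.
# After updating and rebooting, confirm the running kernel reports a
# Variant 4 (Speculative Store Bypass) mitigation. Patched Linux kernels
# expose their status in this sysfs file; kernels that predate the fix
# have no such file, which itself means the fix is not running.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# Classify one status line as printed by the kernel: "mitigated",
# "vulnerable" or "unknown" (unexpected format, worth a manual look).
classify_ssb_status() {
    case "$1" in
        "Mitigation:"*|"Not affected"*) echo mitigated ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# Classify the contents of a status file; a missing or unreadable file is
# treated as vulnerable because the running kernel does not know about SSB.
check_ssb_file() {
    if [ ! -r "$1" ]; then
        echo vulnerable
        return 0
    fi
    classify_ssb_status "$(head -n 1 "$1")"
}

# Constructed sample lines (in the formats the kernel uses), for a dry run
# on a machine where the sysfs file is not available.
SAMPLE_MITIGATED="Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
SAMPLE_VULNERABLE="Vulnerable"

# Live report: returns non-zero when the running kernel is not mitigated,
# i.e. the package update or the reboot is still pending.
ssb_report() {
    result=$(check_ssb_file "$SSB_SYSFS")
    echo "kernel $(uname -r): spec_store_bypass = $result"
    [ "$result" = mitigated ]
}

ssb_report || echo "ACTION: kernel update or reboot still needed"
```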

If you have any questions about this process, please post to our community support forum and we will be happy to help!