Monday, August 6, 2018

SegmentSmack: Linux Kernel TCP Vulnerability

[UPDATE 2018-08-08]

The Bitnami Team is happy to announce that the Bitnami Launchpad images for AWS, Azure, Google and Oracle (Debian) were updated with the security fix. We also updated the AWS Community and the Bitnami Cloud Hosting Debian images. We continue tracking the packages of the rest of the platforms to publish them as soon as possible.

If you are using a Bitnami Virtual Machine, we also updated those images using the new packages.

[UPDATE 2018-08-07]

Updated the information on affected kernels and the methods to patch the images.

----

A new security vulnerability in the Linux kernel known as SegmentSmack (CVE-2018-5390) was publicly disclosed today. It allows a remote attacker to force the kernel into its most resource-intensive TCP stream reassembly code paths (the tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() handling of the out-of-order queue) with a low rate of specially crafted packets, exhausting CPU and causing a remote denial of service.

The affected versions of the Linux kernel are 4.9 and later. Maintaining the denial of service condition requires a continuous two-way TCP session to a reachable open port, so the attack cannot be carried out from spoofed source addresses, but any service listening on a TCP port is a potential target.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. For that reason, our team is working to update all of the affected images available through Bitnami as quickly as possible.

If you have any existing running server (virtual machine) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own. Once a new, patched kernel is available from the operating system vendor, you can update it by following the instructions below.


Affected Platforms

To check whether your system is vulnerable, run:

    uname -a

The output shows the kernel version currently running on your system. On Debian, the kernel package version appears after the word "Debian" in the output (for example 4.9.110-3+deb9u1); on Ubuntu it is the release string itself (for example 4.15.0-1019-azure). Note that this reports the running kernel, not the newest installed package: after an upgrade, the old kernel keeps running until you reboot. The upstream advisory names kernel 4.9 and later as vulnerable, but Debian has also published an updated kernel for Jessie (3.16), so check the list below for the minimum kernel version your platform needs:

Debian 8 (Jessie)
The Jessie kernel package version should be 3.16.57-2 or later.

Debian 9 (Stretch)
The Stretch kernel package version should be 4.9.110-3+deb9u1 or later.

Ubuntu 16.04 in Azure
The Ubuntu 16.04 kernel version in Azure should be 4.15.0-1019-azure or later.

Oracle Enterprise Linux
This distribution is not affected.

Other distributions: RHEL, CentOS, Ubuntu 16.04 in AWS, ...
No fixed package was available for these distributions at the time of writing.
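The version check above can be scripted so that it does not depend on reading uname output by eye. The script below is an added example, not part of the original post or of Bitnami's tooling: it parses the running kernel's version the way this post describes (the package version after "Debian" in `uname -v` for Debian, the release string from `uname -r` for Ubuntu in Azure), compares it against the minimum versions listed above with `dpkg --compare-versions` (falling back to GNU `sort -V` where dpkg is absent), and reports whether the running kernel is at or above the fixed version. The distribution codename is taken from /etc/os-release (VERSION_CODENAME, or the name in parentheses in VERSION on older releases); that lookup, the `xenial-azure` key and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# segmentsmack-check: is the *running* kernel at or above the fixed
# version for CVE-2018-5390 on the platforms listed in this post?
# Added example; minimum versions copied from the list above.

# Minimum patched kernel version per platform (assumed keys: Debian
# codename, or "xenial-azure" for Ubuntu 16.04 with the -azure kernel).
min_version_for() {
  case "$1" in
    jessie)       echo "3.16.57-2" ;;
    stretch)      echo "4.9.110-3+deb9u1" ;;
    xenial-azure) echo "4.15.0-1019-azure" ;;
    *)            return 1 ;;
  esac
}

# Debian embeds the package version in `uname -v`, e.g.
# "#1 SMP Debian 4.9.110-3+deb9u1 (2018-08-05)" -> "4.9.110-3+deb9u1".
debian_pkg_version() {
  printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# Drop a trailing flavour such as "-azure" or "-amd64" so only the
# numeric part is compared: "4.15.0-1019-azure" -> "4.15.0-1019".
strip_flavour() {
  sed 's/-[a-z][a-z0-9]*$//'
}

# version_ge A B: succeeds when Debian-style version A >= B.
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    # Fallback: GNU sort -V orders these version strings correctly.
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# check_kernel CODENAME UNAME_R UNAME_V
#   0 = at or above the fixed version, 1 = older (vulnerable),
#   2 = no fixed version is known for this platform.
check_kernel() {
  codename=$1; release=$2; version=$3
  case "$codename" in
    jessie|stretch)
      min=$(min_version_for "$codename")
      have=$(debian_pkg_version "$version")
      ;;
    xenial)
      case "$release" in
        *-azure) ;;
        *) return 2 ;;   # Ubuntu 16.04 outside Azure: no fixed package listed
      esac
      min=$(min_version_for xenial-azure | strip_flavour)
      have=$(printf '%s\n' "$release" | strip_flavour)
      ;;
    *) return 2 ;;
  esac
  [ -n "$have" ] || return 2
  if version_ge "$have" "$min"; then return 0; else return 1; fi
}

# Live check against this machine: codename from /etc/os-release,
# kernel from uname. Exit status follows check_kernel's convention.
main() {
  codename=
  if [ -r /etc/os-release ]; then
    . /etc/os-release
    codename=${VERSION_CODENAME:-$(printf '%s\n' "${VERSION:-}" | sed -n 's/.*(\([a-z]*\)).*/\1/p')}
  fi
  rc=0
  check_kernel "$codename" "$(uname -r)" "$(uname -v)" || rc=$?
  case "$rc" in
    0) echo "OK: running kernel $(uname -r) is at or above the fixed version" ;;
    1) echo "VULNERABLE: running kernel $(uname -r) is older than the fixed version; upgrade and reboot" ;;
    *) echo "UNKNOWN: no fixed kernel version listed for '$codename' / $(uname -r)" ;;
  esac
  return "$rc"
}

# Run the live check only when asked, so the functions can also be
# sourced and exercised with constructed input.
if [ "${1:-}" = "--live" ]; then main; fi
```

Run it as `sh segmentsmack-check.sh --live` before and after the upgrade: because it inspects the running kernel rather than the installed package, it keeps reporting VULNERABLE until the server has been rebooted into the new kernel, which is exactly the state you want to catch.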

How To Patch It
Debian / Ubuntu

    sudo apt-get update && sudo apt-get dist-upgrade

Oracle Enterprise Linux

This distribution is not affected.

Other distributions: RHEL, CentOS, Ubuntu 16.04 in AWS, ...

No fixed package is available for these distributions yet. (Keep checking back for updates!)

Reboot your server/operating system after running the commands: the upgrade installs the new kernel package, but the old kernel keeps running until the next boot. After the reboot, run uname -a again and confirm that the version shown meets the minimum listed for your platform.

Once you have completed the steps above, you will have the fixed version of the kernel/operating system running on your server. If you have any questions about this process, please post them in our community support forum. We will be happy to help!