Wednesday, May 15, 2019

MDS attacks against Intel CPUs and Zombieload vulnerability

Latest updates

[UPDATE 2019-05-19]

- Bitnami has now released all the images with the new kernel available for Debian, Ubuntu and Oracle Linux in the Bitnami Launchpad for Oracle Cloud and the Oracle Cloud Marketplace.

[UPDATE 2019-05-17]

- Bitnami has now submitted all the VMware affected images with the new kernel. Updates are being propagated to the VMware Marketplace

[UPDATE 2019-05-16]

- Bitnami has now released all the images with the new kernel available for Debian 9 in the Bitnami Launchpad for AWS Cloud. Updates with the new kernel available for Ubuntu 16.04 are being propagated to the AWS Marketplace.

- Bitnami has now released all the images with the new kernel available for Ubuntu 16.04 in the Bitnami Launchpad for Microsoft Azure. Updates are also being propagated to the Azure Marketplace.

- Bitnami has now released all the images with the new kernel available for Debian 9 in Bitnami Launchpad for Google Cloud Platform. Updates are being propagated to the Google Marketplace.

- Bitnami has now released all the virtual machines (OVA and VMDK format) with the new kernel available for Debian 9. They are available at bitnami.com.

- If you are running a native installer on a bare metal server, you should update the kernel in your host as well as install the Intel microcode firmware. This package is available in the “contrib” and “non-free” repositories that you should previously enable in your distro.

----

On May the 14th, security researchers have disclosed a new attack impacting the speculative execution process. This is named as Microarchitectural Data Sampling (MDS) attacks and with Zombieload Vulnerabilities being considered the most dangerous of them. 

Similar to the previous Meltdown and Spectre attacks, it can effectively break all privacy protections that exist between apps. An attacker could allow data in the CPU’s cache to be exposed to unauthorized processes. It could use these flaws to read memory from a virtual or containerized instance or the underlying host system.

Bitnami team is working on updating all affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. This will ensure that all new launches will be secured against these issues.

If you already have a running server (virtual machine) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution / operating system):

- Ubuntu / Debian
sudo apt-get update && sudo apt-get dist-upgrade 
- Oracle Linux, Red Hat, CentOS, and Amazon Linux
sudo yum update 
- Windows / OSX
Update your system packages when the operating system suggests to. Enable the "Check for updates" option in Windows in order to get the latest updates and patches.

Once you have completed the steps above, you will get the fixed version of the kernel / operating system after rebooting your server. The versions that fix these vulnerabilities are the following:

- Ubuntu 16.04: 4.4.0-148-generic
- Ubuntu 16.04 for Azure: 4.15.0-1045-azure
- Debian 9: 4.9.168-1+deb9u2
- Oracle Linux 7: 4.1.12-124.26.12.el7uek or 4.14.35-1844.4.5.2.el7uek
- Red Hat: 3.10.0-957.12.2.el7
- CentOS: 3.10.0-957.12.2.el7
- Amazon Linux: 4.14.114-83.126.amzn1

If you have any questions about this process, please post to the Bitnami community support forum. We will be happy to help!

For further information about these vulnerabilities, check the frequently asked questions page at the official Zombieloadattack website: https://zombieloadattack.com/#faq