Thursday, January 4, 2018

Spectre and Meltdown: Privileged memory read vulnerability in several CPUs (Reading privileged memory with a side-channel)


If you are looking for the "MDS attacks against Intel CPUs and Zombieload vulnerability" post, please go to the link below for the latest updates and instructions on how to update your operating system immediately.

https://blog.bitnami.com/2019/05/mds-attacks-against-intel-cpus-and.html

_________________________________________________________________________________

Updates
[2018-02-08]
Summary:

Last year Google's Project Zero discovered three vulnerabilities affecting many modern processors. At this point most operating systems have released fixed kernels addressing these issues.

Debian considers CVE-2017-5715 and CVE-2017-5753 to be of medium severity, and there is no estimated date for the release of the kernel fixes.

In order to completely address these issues, processor microcode or hypervisor updates might also be required. If you have any questions about fully mitigating these issues on your servers, you should contact your cloud provider.

[2018-01-26]

[2018-01-23]
  • Spectre (CVE-2017-5715, CVE-2017-5753) fixes for kernel versions 4.4.x and 3.13.x have been released for Ubuntu 16.04 and Ubuntu 14.04.
  • Bitnami is in the process of releasing cloud images based on these platforms that include the patched kernels.
[2018-01-12]
[2018-01-10]

[2018-01-08]
[2018-01-06]
  • The Oracle Linux 7 patched kernel is now available. Bitnami continues working on releasing new images based on this OS.
  • Bitnami has now released most of the images with the new kernel in the Open Telekom Cloud Launchpad (95% done).

[2018-01-05]

  • Patched kernels have been released for Amazon Linux, CentOS and RedHat.
  • Bitnami is in the process of releasing new virtual machines and cloud images based on these platforms to include the patched kernels.
  • Please run the security test to check whether your servers are affected. The steps are in our guide: https://docs.bitnami.com/general/security/.

Description


On January 4th, 2018, three vulnerabilities affecting many modern processors were publicly disclosed:

  • Spectre (CVE-2017-5753, CVE-2017-5715)
  • Meltdown (CVE-2017-5754)

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data currently held in the computer's memory. While programs are normally not permitted to read data belonging to other programs, a malicious program could exploit Meltdown or Spectre to get hold of secrets stored in the memory of other running programs. These might include passwords stored in a password manager or browser, personal photos, emails, instant messages, and even business-critical documents.

Meltdown and Spectre affect the following platforms and devices:
  • Personal computers
  • Mobile devices
  • Cloud instances: Depending on the cloud provider's infrastructure, it might even be possible to steal data from other customers.
At this time, there are patches against Meltdown for Linux, Windows and OSX, in the form of patched kernels, patched hypervisors, and new operating system versions. Note that the kernel fixes for this CPU bug have a performance impact, estimated by some sources at 5% to around 30%, depending on the workload.

At the moment, there is work being done to harden software against future exploitation of Spectre.

----

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami. Our team is working on updating all affected Virtual Machines and Cloud Images available through Bitnami, for all of our cloud provider partners. This will ensure that all new launches will be secured against these issues. If you have an existing running server (virtual machines) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own.

Once a new, patched kernel is available from your operating system vendor, you can install it with the following commands (depending on your distribution/operating system):
  • Ubuntu / Debian
sudo apt-get update && sudo apt-get dist-upgrade
  • Oracle Linux, Red Hat, CentOS and Amazon Linux
sudo yum update
  • Windows / OSX
    Install the updates when the operating system offers them. On Windows, enable "Check for updates" in order to get the latest updates and patches.

Once you have completed the steps above, reboot your server: the package update installs the new kernel on disk, but the running kernel is only replaced by the fixed version after the reboot.
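To confirm that the reboot actually brought up a patched kernel (and to perform the affected-server check referred to in the updates above), the script below reads the kernel's own report of the Meltdown and Spectre mitigations. Patched Linux kernels expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), each containing "Not affected", "Mitigation: ..." or "Vulnerable...". This is an added example written for this post, not Bitnami's own security test from the guide linked above; the script name, the VULN_DIR override and the use of /boot/vmlinuz-* to list installed kernels are assumptions for illustration.

```shell
#!/bin/sh
# check_cpu_mitigations.sh (hypothetical name, example code for this post):
# report what the running kernel says about the Meltdown/Spectre mitigations,
# and whether a newer kernel than the running one is installed (reboot pending).

# Directory the kernel populates on patched versions; overridable for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status <contents of one sysfs file> -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# report_mitigations [dir]
# Prints "<issue> <class> <raw kernel text>" per issue.
# Returns 1 if any issue is vulnerable/unknown, or if the directory is missing
# (a kernel without the sysfs interface cannot be verified this way, which on
# the distributions covered here means it has not received the backported fixes).
report_mitigations() {
    dir="${1:-$VULN_DIR}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not present: kernel does not report mitigation status, treat as unpatched" >&2
        return 1
    fi
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        issue=$(basename "$f")
        if [ ! -r "$f" ]; then
            echo "$issue unknown (file missing)"
            rc=1
            continue
        fi
        text=$(cat "$f")
        cls=$(classify_status "$text")
        echo "$issue $cls $text"
        [ "$cls" = ok ] || rc=1
    done
    return $rc
}

# reboot_needed <running-version> <installed-version>...
# Returns 0 (true) if any installed kernel version sorts newer than the running one.
reboot_needed() {
    running="$1"; shift
    for v in "$@"; do
        newest=$(printf '%s\n%s\n' "$running" "$v" | sort -V | tail -n 1)
        if [ "$newest" != "$running" ]; then
            return 0
        fi
    done
    return 1
}

# main: run against the live system (only when invoked with --check).
main() {
    status=0
    report_mitigations || status=1
    # Installed kernels are assumed to live at /boot/vmlinuz-<version>.
    installed=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||')
    if [ -n "$installed" ] && reboot_needed "$(uname -r)" $installed; then
        echo "a newer kernel than $(uname -r) is installed: reboot required"
        status=1
    fi
    return $status
}

if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh check_cpu_mitigations.sh --check` after the update and again after the reboot; a non-zero exit means either a mitigation is still reported as vulnerable or the kernel on disk is newer than the one running. "Mitigation: ..." for spectre_v2 depends on both the kernel and, for some modes, updated CPU microcode, which is why the updates above say that processor or hypervisor updates might also be required.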

If you have any questions about this process, please post to our community support forum and we will be happy to help!

For Frequently Asked Questions regarding these vulnerabilities, please take a look at the official webpage:
https://meltdownattack.com/#faq

More information can be found at the following links: