2016-08-18 Off-Path TCP Linux Kernel Vulnerability (CVE-2016-5696)
A new security vulnerability in the Linux kernel has been discovered. You can find more information about it in the following research report: “Off-Path TCP Exploits: Global Rate Limit Considered Dangerous”.
Since the affected Linux kernel code was introduced in 2012 (in Linux kernel 3.6), all Bitnami-packaged images may be affected by this issue if the kernel has not been updated. As of 18 Aug 2016, all the affected cloud images and virtual machines have been successfully patched. If you are using a Bitnami Cloud Hosting instance, you can easily patch it by following the guide below while we upgrade the base images.
Apply the following temporary mitigation to your system (run it as root). It raises the challenge-ACK rate limit in the running kernel and persists the setting in /etc/sysctl.conf so it survives a reboot:
$ sysctl net.ipv4.tcp_challenge_ack_limit=1073741823; grep -q tcp_challenge_ack_limit /etc/sysctl.conf || echo "net.ipv4.tcp_challenge_ack_limit=1073741823" >> /etc/sysctl.conf
If /etc/sysctl.conf already contains a net.ipv4.tcp_challenge_ack_limit line with a different value, the grep -q check will skip the append and the old value will be restored at the next boot; in that case edit the existing line instead.
NOTE: This is only a temporary workaround. Raising the limit this high makes it much harder for an attacker to exploit this vulnerability, but it is not a replacement for updating the kernel.
- Find more information about this temporary fix on the Akamai blog.
- Find more information about the vulnerability.
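As an added example (not a Bitnami script), the POSIX shell functions below persist the same mitigation but replace any existing tcp_challenge_ack_limit line instead of only appending when the key is absent, which is the case the one-liner above does not handle. The sysctl key and value are the ones from this page; the function names and the sample config contents are constructed for the example.

```shell
#!/bin/sh
# Added example: apply and persist the CVE-2016-5696 mitigation, replacing any
# earlier (possibly commented-out) assignment of the key rather than appending
# a duplicate that could be shadowed or silently skipped.
KEY=net.ipv4.tcp_challenge_ack_limit
VALUE=1073741823

# Write KEY = VALUE into the given sysctl config file, dropping every existing
# line that assigns the key (commented or not) so exactly one assignment remains.
persist_setting() {
    conf=$1
    tmp=$(mktemp) || return 1
    if [ -f "$conf" ]; then
        # grep -v exits 1 when nothing is left to print; that is not an error here
        grep -v -E "^[[:space:]]*#?[[:space:]]*${KEY}[[:space:]]*=" "$conf" > "$tmp" || true
    fi
    printf '%s = %s\n' "$KEY" "$VALUE" >> "$tmp"
    # cat instead of mv keeps the config file's owner and permissions
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the value the given config file will set for the key (last match wins,
# which is how sysctl -p applies a file top to bottom).
configured_value() {
    grep -E "^[[:space:]]*${KEY}[[:space:]]*=" "$1" | tail -n 1 | sed 's/.*=[[:space:]]*//'
}

# Apply the value to the running kernel and verify it took effect (needs root).
apply_runtime() {
    sysctl -w "${KEY}=${VALUE}" > /dev/null || return 1
    [ "$(sysctl -n "$KEY")" = "$VALUE" ]
}

# Offline demo on a constructed config (no root needed): an old explicit value
# of 100 is replaced instead of being kept.
demo() {
    f=$(mktemp)
    printf 'net.ipv4.ip_forward = 0\n%s = 100\n' "$KEY" > "$f"   # constructed sample
    persist_setting "$f"
    configured_value "$f"    # prints 1073741823
    rm -f "$f"
}

# Real use on a host: persist_setting /etc/sysctl.conf && apply_runtime
```

Running `demo` shows the replacement on a throwaway file; `persist_setting /etc/sysctl.conf && apply_runtime` performs the actual change.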
Once the new kernel is available, you can update it by running the commands shown below for your platform or distribution.