general

Security Notices

2018-01-04 Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) attack

On January, 4th 2018 three vulnerabilities affecting many modern processors were publicly disclosed:

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data, which is currently available on the computer’s memory. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of the secrets stored in the memory of other running programs. This might include: passwords stored in a password manager or browser, personal photos, emails, instant messages, and even business-critical documents.

Meltdown and Spectre affect the following platforms and devices:

  • Personal computers
  • Mobile devices
  • Cloud instances: Depending on the cloud provider’s infrastructure, it might be even possible to steal data from other customers.

There are patches against Meltdown for Linux, Windows and OSX and some platforms also released patches for Spectre. This is translated into patched kernels, patched hypervisors and new versions of operating systems. Note that the kernel fixes for this CPU bug will have a performance impact, estimated by some sources to be from 5% to around 30%, depending on workloads.

At the moment, more work is being done to harden software against future exploitation of Spectre.

Affected platforms

Linux OS distributions

To check if your system is not vulnerable, execute the command below:

$ uname -r

The output you obtain after running the above command indicates the version of the kernel package you currently have installed and running on your system. Find in the list below which are the kernel versions you should have to make sure that your system is not vulnerable:

CentOS 7

CentOS kernel should be equal or greater than 3.10.0-693.11.6.el7.

RedHat 7

RedHat kernel should be equal or greater than 3.10.0-693.11.6.el7.

Oracle Linux 7

Oracle Linux kernel should be greater than kernel-uek-4.1.12-112.14.2.el7uek and/or 3.10.0-693.11.1.0.1.el7.OL7.

Debian 9 (Stretch)

Debian Stretch kernel should be equal or greater than 4.9.65-3.

Debian 8 (Jessie)

Debian Jessie kernel should be greater than 3.16.0-4.

Ubuntu 16.04

Ubuntu 16.04 kernel should be greater than 4.4.0-112.

Ubuntu 14.04

Ubuntu 14.04 kernel should be greater than 3.13.0-141.

Amazon Linux

Amazon Linux kernel should be equal or greater than 4.9.70-25.242.amzn1.

Windows and OS X

Check the latest updates to make sure that you have the already patched version of the kernel package.

How to patch it

It is of the utmost urgency to quickly address any security issue in applications distributed by Bitnami. Our team is working on updating all the affected Virtual Machines and Cloud Images available through Bitnami, for all our cloud providers partners. This will ensure that all the new launches will be secured against this issue. If you have any existing running server (virtual machines) or if you have a Bitnami stack installed on your computer, you will need to update the operating system on your own.

Once a new, patched kernel is available from the operating system vendor, you can update it by following these instructions (depending on your distribution/operating system):

  • Run the following command:

    • Ubuntu / Debian

        $ sudo apt-get update && sudo apt-get dist-upgrade
      
    • Oracle Linux, Red Hat, CentOS and Amazon Linux

        $ sudo yum update
      
    • Windows / OSX

      Update your system packages when the operating system suggests to.

      NOTE: Enable the “Check for updates” option in Windows in order to get the latest updates and patches.

  • Reboot your server/operating system.

Once you have completed the steps above, you will have the fixed version of the kernel/operating system running on your server. If you have any question about this process, you can visit our github repository. We will be happy to help!

Check the official Meltdown attack webpage for more information on these vulnerabilities.

Last modification December 21, 2022