Subject: perfSONAR Announcements
[perfsonar-announce] Important iperf3 security update
- From: Andrew Lake
- Date: Wed, 8 Jun 2016 16:15:36 -0400
See the attached message for details on an important security fix to iperf3. It is highly recommended all perfSONAR users update to iperf3 version 3.1.3 as soon as possible. If you are running auto-updates you should get the new version within the next 24-48 hours (if not already) depending on how quickly mirrors update. If you are not running auto-updates, you may run “yum update iperf3” on CentOS/RedHat or "apt-get update && apt-get upgrade iperf3" on Debian/Ubuntu. If you don’t see the update yet, please be patient as the packages were just uploaded prior to the sending of this note and the mirrors need time to sync.
Though everyone should update as soon as possible, it should be stated that the way in which the average perfSONAR box executes iperf3 should limit the severity of any potential attacks from this vulnerability in the following ways:
- In the perfSONAR use case, the iperf3 client and server processes are started by the BWCTL command as an unprivileged ‘bwctl’ user. This limits the types of things an attacker can do on the system. Likely they could interrupt the iperf3 process, but it is not clear they could do much else on a properly configured host.
- BWCTL only runs iperf3 for a few seconds at a time and then closes the connection, minimizing the time window in which things may be vulnerable. This is further minimized by the fact that the vulnerability only exists during the exchange of test parameters and not other parts of the protocol exchange (such as when the test is running and results are reported).
Regardless of these facts though, the best course of action is to update as soon as you can to eliminate the vulnerability entirely.
Once again, for further details see the official announcement from the iperf3 project shown below. Also let us know if you have any further questions regarding how this may affect your perfSONAR box.
The perfSONAR Development Team
On June 8, 2016 at 3:02:59 PM, Bruce Mah wrote:
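A way to confirm the update landed on a host, as an added example that is not part of the original message or of perfSONAR: it parses the first line of `iperf3 --version` output and compares it with 3.1.3, the only fixed version the announcement names. The function names and the sample strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not perfSONAR or iperf3 project code).
# Fixed release named in the announcement.
FIXED_VERSION="3.1.3"

# Pull the version out of the first line of `iperf3 --version` output,
# e.g. "iperf 3.1.2" -> "3.1.2". Prints nothing when no version is found.
parse_iperf3_version() {
    printf '%s\n' "$1" | sed -n '1s/^iperf[^ ]* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2. Fields are compared numerically,
# left to right; a missing field counts as 0 (so 3.10 is newer than 3.1.3).
version_at_least() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Classify one host's `iperf3 --version` output.
# Prints "ok <ver>", "update <ver>", or "unknown" if the output is unparseable.
check_iperf3_output() {
    v=$(parse_iperf3_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_at_least "$v" "$FIXED_VERSION"; then
        echo "ok $v"
    else
        echo "update $v"
    fi
}

# Check the local host when iperf3 is present.
if command -v iperf3 >/dev/null 2>&1; then
    check_iperf3_output "$(iperf3 --version 2>&1)"
else
    echo "iperf3 not installed on this host"
fi
```

Distribution packages can carry a backported fix under an older upstream version string, so treat an "update" result as a prompt to check the package changelog rather than as proof the host is vulnerable.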