SVG:Meltdown and Spectre Vulnerabilities
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Meltdown and Spectre Vulnerabilities
More information is likely to be added in the coming days. This is an initial version.
Purpose of this page
To provide useful links and other information concerning the Meltdown and Spectre vulnerabilities, which we consider relevant to the EGI infrastructure.
What are they?
These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However patches are available which mitigate these problems.
Meltdown affects most Intel chips, and has CVE-2017-5754
Spectre affects a wide range of chips, CVE-2017-5753 and CVE-2017-5715.
Here you will find more information http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/
https://meltdownattack.com/ , https://spectreattack.com/ and https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html
CERN information
CERN has compiled information which is useful for many EGI sites
https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml
Intel Information
Product patches
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
RedHat Information
RedHat description:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://access.redhat.com/articles/3307751
RedHat CVE info: [1]
https://access.redhat.com/security/cve/CVE-2017-5754
https://access.redhat.com/security/cve/CVE-2017-5753
https://access.redhat.com/security/cve/CVE-2017-5715
RHEL6:
kernel-2.6.32-696.18.7.el6: https://access.redhat.com/errata/RHSA-2018:0008
microcode_ctl-1.17-25.2.el6_9: https://access.redhat.com/errata/RHSA-2018:0013
Important!
There appears to be a bug with the microcode_ctl update for Intel model 79 processors (Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz, Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz, Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz and Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz). The system fails to boot due to udev rules. There is no solution to the problem but to downgrade the microcode_ctl package. For more information, see: https://bugzilla.redhat.com/show_bug.cgi?id=1532283
https://access.redhat.com/solutions/3314661
RHEL7:
kernel-3.10.0-693.11.6.el7: https://access.redhat.com/errata/RHSA-2018:0007
microcode_ctl-2.1-22.2.el7: https://access.redhat.com/errata/RHSA-2018:0012
linux-firmware-20170606-57.gitc990aae.el7_4: https://access.redhat.com/errata/RHSA-2018:0014
qemu-kvm:
RHEL6:
qemu-kvm: https://access.redhat.com/errata/RHSA-2018:0024
libvirt: https://access.redhat.com/errata/RHSA-2018:0030
RHEL7:
qemu-kvm: https://access.redhat.com/errata/RHSA-2018:0023
libvirt: https://access.redhat.com/errata/RHSA-2018:0029
CentOS Information
CentOS 7:
- kernel Security Update: CESA-2018:0007
- microcode_ctl Security Update: CESA-2018:0012
also needs dracut BugFix Update for AMD: CEBA-2018:0042 - linux-firmware Security Update: CESA-2018:0014
- qemu-kvm Security Update: CESA-2018:0023
- libvirt Security Update: CESA-2018:0029
CentOS 6:
- kernel Security Update: CESA-2018:0008
- microcode_ctl Security Update: CESA-2018:0013
- qemu-kvm Security Update: CESA-2018:0024
- libvirt Security Update: CESA-2018:0030
See further in the centos-announce Security mails for January https://lists.centos.org/pipermail/centos-announce/2018-January/date.html
A serious bug in the microcode updates for some Intel CPUs (model 79) as distributed by Redhat (at least for RHEL 6 and derivatives) was found by one site and reported to us. This update rendered systems unbootable.
https://bugzilla.redhat.com/show_bug.cgi?id=1532283
[https://access.redhat.com/solutions/3314661 https://access.redhat.com/solutions/3314661
Scientific Linux
SL6:
https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/
SL7:
https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/
qemu-kvn:
SL6:
qemu-kvm: http://scientificlinux.org/category/sl-errata/slsa-20180024-1/
libvirt: http://scientificlinux.org/category/sl-errata/slsa-20180030-1/
SL7:
qemu-kvm: http://scientificlinux.org/category/sl-errata/slsa-20180023-1/
libvirt: http://scientificlinux.org/category/sl-errata/slsa-20180029-1/
Ubuntu
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
Xen
- https://xenbits.xen.org/xsa/advisory-254.html
- https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
- https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ
- https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre
The Kernel update of the hypervisor appears to be enough to ensure the isolation of the VMs.