{{svg-header}}
{{DeprecatedAndMovedTo|new_location=https://advisories.egi.eu/Meltdown_and_Spectre_Vulnerabilities}}
More information is likely to be added in the coming days. This is an initial version.

== Purpose of this page ==

To provide useful links and other information concerning the Meltdown and Spectre vulnerabilities, which we consider relevant to the EGI infrastructure.

== What are they? ==

These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However, patches are available that mitigate these problems.

Meltdown affects most Intel chips and is tracked as CVE-2017-5754.

Spectre affects a wide range of chips and is tracked as CVE-2017-5753 and CVE-2017-5715.

More information is available here:

* [http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/]
* [https://meltdownattack.com/ https://meltdownattack.com/]
* [https://spectreattack.com/ https://spectreattack.com/]
* [https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html]

== CERN information ==

CERN has compiled information which is useful for many EGI sites:

[https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml]

== Intel Information ==

Product patches:

[https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File]

== RedHat Information ==

RedHat description:

[https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/security/vulnerabilities/speculativeexecution]

[https://access.redhat.com/articles/3307751 https://access.redhat.com/articles/3307751]

<br>

RedHat CVE info:

[https://access.redhat.com/security/cve/CVE-2017-5754 https://access.redhat.com/security/cve/CVE-2017-5754]

[https://access.redhat.com/security/cve/CVE-2017-5753 https://access.redhat.com/security/cve/CVE-2017-5753]

[https://access.redhat.com/security/cve/CVE-2017-5715 https://access.redhat.com/security/cve/CVE-2017-5715]

<br>

RHEL6:

kernel-2.6.32-696.18.7.el6: [https://access.redhat.com/errata/RHSA-2018:0008 https://access.redhat.com/errata/RHSA-2018:0008]

microcode_ctl-1.17-25.2.el6_9: [https://access.redhat.com/errata/RHSA-2018:0013 https://access.redhat.com/errata/RHSA-2018:0013]

'''Important! [as of 13th January]'''

There appears to be a bug with the microcode_ctl update for Intel model 79 processors (Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz, Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz, Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz and Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz). The system fails to boot due to udev rules. The only solution to the problem is to downgrade the microcode_ctl package. For more information, see: https://bugzilla.redhat.com/show_bug.cgi?id=1532283

https://access.redhat.com/solutions/3314661

<br> RHEL7:

kernel-3.10.0-693.11.6.el7: [https://access.redhat.com/errata/RHSA-2018:0007 https://access.redhat.com/errata/RHSA-2018:0007]

microcode_ctl-2.1-22.2.el7: [https://access.redhat.com/errata/RHSA-2018:0012 https://access.redhat.com/errata/RHSA-2018:0012]

linux-firmware-20170606-57.gitc990aae.el7_4: [https://access.redhat.com/errata/RHSA-2018:0014 https://access.redhat.com/errata/RHSA-2018:0014]

<br> qemu-kvm:

RHEL6:

qemu-kvm: [https://access.redhat.com/errata/RHSA-2018:0024 https://access.redhat.com/errata/RHSA-2018:0024]

libvirt: [https://access.redhat.com/errata/RHSA-2018:0030 https://access.redhat.com/errata/RHSA-2018:0030]

RHEL7:

qemu-kvm: [https://access.redhat.com/errata/RHSA-2018:0023 https://access.redhat.com/errata/RHSA-2018:0023]

libvirt: [https://access.redhat.com/errata/RHSA-2018:0029 https://access.redhat.com/errata/RHSA-2018:0029]

== CentOS Information ==

CentOS 7:

* kernel Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html CESA-2018:0007]
* microcode_ctl Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022697.html CESA-2018:0012] <br> also needs dracut BugFix Update for AMD: [https://lists.centos.org/pipermail/centos-announce/2018-January/022708.html CEBA-2018:0042]
* linux-firmware Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022698.html CESA-2018:0014]
* qemu-kvm Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022705.html CESA-2018:0023]
* libvirt Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022704.html CESA-2018:0029]

CentOS 6:

* kernel Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022701.html CESA-2018:0008]
* microcode_ctl Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022700.html CESA-2018:0013]
* qemu-kvm Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022702.html CESA-2018:0024]
* libvirt Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022703.html CESA-2018:0030]

For further updates, see the centos-announce security mails for January:
[https://lists.centos.org/pipermail/centos-announce/2018-January/date.html https://lists.centos.org/pipermail/centos-announce/2018-January/date.html]

== Some RedHat Linux related issues found ==

A serious bug in the microcode updates for some Intel CPUs (model 79) as distributed by RedHat (at least for RHEL 6 and derivatives) was found by one site and reported to us.
This update rendered systems unbootable.

[https://bugzilla.redhat.com/show_bug.cgi?id=1532283 https://bugzilla.redhat.com/show_bug.cgi?id=1532283]

[https://access.redhat.com/solutions/3314661 https://access.redhat.com/solutions/3314661]

== Scientific Linux ==

SL6:

[https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/]

SL7:

[https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/]

<br>

qemu-kvm:

SL6:

qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180024-1/ http://scientificlinux.org/category/sl-errata/slsa-20180024-1/]

libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180030-1/ http://scientificlinux.org/category/sl-errata/slsa-20180030-1/]

SL7:

qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180023-1/ http://scientificlinux.org/category/sl-errata/slsa-20180023-1/]

libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180029-1/ http://scientificlinux.org/category/sl-errata/slsa-20180029-1/]

== Ubuntu ==

[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown]

== Xen ==

* [https://xenbits.xen.org/xsa/advisory-254.html https://xenbits.xen.org/xsa/advisory-254.html]
* [https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/ https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/]
* [https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ]
* [https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre]

== Other Cloud related ==

In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated:

[https://www.qemu.org/2018/01/04/spectre/ https://www.qemu.org/2018/01/04/spectre/]