The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

From EGIWiki
Revision as of 15:12, 23 January 2018


Meltdown and Spectre Vulnerabilities


Purpose of this page

To provide useful links and other information concerning the Meltdown and Spectre vulnerabilities, which we consider relevant to the EGI infrastructure. We are continuing to add new information as we become aware of it, and the situation continues to change (19th January 2018).

What are they?

These are vulnerabilities in the design of the CPU hardware (side channels through speculative execution), and cannot be fully resolved by patching operating systems alone. However, patches are available which mitigate these problems; for Spectre variant 2 in particular, both an updated kernel and updated CPU microcode are needed.

Meltdown (variant 3, rogue data cache load) affects most Intel chips, and has CVE-2017-5754.

Spectre affects a wide range of chips from several vendors: variant 1 (bounds check bypass) is CVE-2017-5753 and variant 2 (branch target injection) is CVE-2017-5715.

More information can be found at http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/

https://meltdownattack.com/ , https://spectreattack.com/ and https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html

CERN information

CERN has compiled information which is useful for many EGI sites.

https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml

Intel Information

Product patches:

https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File

Revised recommendations from 17th January 2018:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Update regarding progress on reboot issue for some platforms [as of January 22nd]:

https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/

RedHat Information

Important! [as of 17th January]

RedHat has issued new microcode_ctl packages that roll back the microcode shipped with the earlier updates, see https://access.redhat.com/errata/RHSA-2018:0093.


RedHat description:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://access.redhat.com/articles/3307751 (subscription required)

https://access.redhat.com/solutions/3315431 (subscription required)


RedHat CVE info:

https://access.redhat.com/security/cve/CVE-2017-5754

https://access.redhat.com/security/cve/CVE-2017-5753

https://access.redhat.com/security/cve/CVE-2017-5715


RHEL6:

kernel-2.6.32-696.18.7.el6: https://access.redhat.com/errata/RHSA-2018:0008

microcode_ctl-1.17-25.2.el6_9: https://access.redhat.com/errata/RHSA-2018:0013

Important! [as of 13th January]

There appears to be a bug with the microcode_ctl update for Intel model 79 processors (Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz, Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz, Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz and Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz). The system fails to boot due to udev rules. The only known way to recover is to downgrade the microcode_ctl package. For more information, see: https://bugzilla.redhat.com/show_bug.cgi?id=1532283

https://access.redhat.com/solutions/3314661


RHEL7:

kernel-3.10.0-693.11.6.el7: https://access.redhat.com/errata/RHSA-2018:0007

microcode_ctl-2.1-22.2.el7: https://access.redhat.com/errata/RHSA-2018:0012

linux-firmware-20170606-57.gitc990aae.el7_4: https://access.redhat.com/errata/RHSA-2018:0014


qemu-kvm:

RHEL6:

qemu-kvm: https://access.redhat.com/errata/RHSA-2018:0024

libvirt: https://access.redhat.com/errata/RHSA-2018:0030

RHEL7:

qemu-kvm: https://access.redhat.com/errata/RHSA-2018:0023

libvirt: https://access.redhat.com/errata/RHSA-2018:0029

CentOS Information

Important! [as of 17th January]

CentOS appears to be following RedHat in reverting the microcode_ctl package; see the disclaimer in the sources of the latest package:

This update supersedes microcode provided by Red Hat with the CVE-2017-5715 (“Spectre”)
CPU branch injection vulnerability mitigation.  (Historically, Red Hat has provided updated
microcode, developed by our microprocessor partners, as a customer convenience.)  Further
testing has uncovered problems with the microcode provided along with the “Spectre” mitigation
that could lead to system instabilities.  As a result, Red Hat is providing a microcode update
that reverts to the last known good microcode version dated before 03 January 2018.
Red Hat strongly recommends that customers contact their hardware provider for the latest microcode updates.

IMPORTANT: Customers using Intel Skylake-, Broadwell-, and Haswell-based platforms must obtain and
install updated microcode from their hardware vendor immediately. The "Spectre" mitigation requires
both an updated kernel from Red Hat and updated microcode from your hardware vendor.


CentOS 7:

CentOS 6:

See further in the centos-announce Security mails for January https://lists.centos.org/pipermail/centos-announce/2018-January/date.html

Some RedHat Linux related issues found

A serious bug in the microcode updates for some Intel CPUs (model 79) as distributed by RedHat (at least for RHEL 6 and derivatives) was found by one site and reported to us. This update rendered systems unbootable.

https://bugzilla.redhat.com/show_bug.cgi?id=1532283

https://access.redhat.com/solutions/3314661

RedHat info on performance:

https://access.redhat.com/articles/3311301

Scientific Linux

Important! [as of 18th January]

Scientific Linux is following RedHat in the revert of the microcode_ctl package, see https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/:

This update supersedes the previous microcode update provided with the
CVE-2017-5715 (Spectre) CPU branch injection vulnerability mitigation.
Further testing has uncovered problems with the microcode provided along
with the Spectre mitigation that could lead to system instabilities.

As a result, this microcode update reverts to the last known good
microcode version dated before 03 January 2018.

You should contact your hardware provider for the latest microcode updates.

IMPORTANT: If you are using Intel Skylake-, Broadwell-, and Haswell-based
platforms, obtain and install updated microcode from your hardware
vendor immediately. The "Spectre" mitigation requires both an updated
kernel and updated microcode from your hardware vendor. 

SL6:

https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/

SL7:

https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/


qemu-kvm:

SL6:

qemu-kvm: http://scientificlinux.org/category/sl-errata/slsa-20180024-1/

libvirt: http://scientificlinux.org/category/sl-errata/slsa-20180030-1/

SL7:

qemu-kvm: http://scientificlinux.org/category/sl-errata/slsa-20180023-1/

libvirt: http://scientificlinux.org/category/sl-errata/slsa-20180029-1/

Ubuntu

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Supermicro

https://www.supermicro.com/support/security_Intel-SA-00088.cfm

Dell products

Important! [as of 23rd January]

Dell is advising that all customers and partners should not deploy the BIOS update for the Spectre vulnerability at this time, due to Intel's advisory acknowledging reboot issues and unpredictable system behaviour.

http://www.dell.com/support/contents/uk/en/ukbsdt1/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre


https://www.dell.com/support/article/uk/en/ukbsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

Note that this is changing rather frequently.

HPE products

HPE has updated their advisory to note that it has "Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues", so following suit with Dell.

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us

Xen

[as of January 23]

https://xenbits.xen.org/xsa/advisory-254.html

Other Cloud related

In order to protect hypervisors (and the other VMs on them) from malicious VMs, the host kernel, CPU microcode and QEMU must all be updated; guests additionally need the new CPU feature passed through to them and a patched guest kernel, and must be restarted to pick it up:

https://www.qemu.org/2018/01/04/spectre/
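As an added example (not code from EGI, Red Hat, QEMU or any vendor linked on this page), the following POSIX shell script collects the checks a site administrator would want around the updates listed above: whether a host is one of the "model 79" Xeon E5 v4 parts on which the microcode_ctl update left systems unbootable (RedHat section), which microcode revision the kernel actually loaded so that the rollback in RHSA-2018:0093 can be confirmed, what the kernel reports about the mitigations, and, for the hypervisor case in the last section, whether a guest even sees the microcode feature the patched host must pass through. Assumed here and not stated on the page: "model 79" is CPUID family 6 / model 79 as printed in /proc/cpuinfo; upstream kernels report mitigation state under /sys/devices/system/cpu/vulnerabilities/ while the Red Hat January 2018 kernels expose the debugfs knobs pti_enabled, ibrs_enabled and ibpb_enabled; patched kernels advertise the microcode capability as the cpuinfo flag spec_ctrl (Intel) or ibpb (AMD). The cpuinfo sample embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this page; not code from EGI, Red Hat, QEMU or any vendor linked above.
# Assumptions the page does not state:
#  - "Intel model 79" is CPUID family 6 / model 79 (Broadwell-EP Xeon E5 v4), i.e. the
#    "cpu family" and "model" lines of /proc/cpuinfo.
#  - Mitigation state comes from /sys/devices/system/cpu/vulnerabilities/ on upstream
#    kernels, otherwise from the Red Hat debugfs knobs pti/ibrs/ibpb_enabled (root + debugfs).
#  - Patched kernels show the microcode capability as the cpuinfo flag spec_ctrl (Intel)
#    or ibpb (AMD); a guest without it cannot use the Spectre v2 mitigation at all.

# Print "family model microcode" for the first CPU in a cpuinfo file (default: live host).
cpu_facts() {
    awk -F: '
        /^cpu family[ \t]*:/ { gsub(/[ \t]/, "", $2); fam = $2 }
        /^model[ \t]*:/      { gsub(/[ \t]/, "", $2); mod = $2 }   # does not match "model name"
        /^microcode[ \t]*:/  { gsub(/[ \t]/, "", $2); ucode = $2 }
        /^$/                 { exit }                              # first CPU block is enough
        END { printf "%s %s %s\n", fam, mod, ucode }
    ' "${1:-/proc/cpuinfo}"
}

# Exit 0 when the CPU is family 6 model 79, the parts on which the January 2018
# microcode_ctl update left systems unbootable (Red Hat bug 1532283).
is_model79() {
    set -- $(cpu_facts "${1:-/proc/cpuinfo}")
    [ "$1" = "6" ] && [ "$2" = "79" ]
}

# Print the microcode revision the kernel loaded; record it before an update so that
# a rollback (RHSA-2018:0093) can be confirmed to have taken effect after reboot.
microcode_revision() {
    set -- $(cpu_facts "${1:-/proc/cpuinfo}")
    printf '%s\n' "$3"
}

# Exit 0 when FLAG appears in the cpuinfo flags line.
cpu_has_flag() {
    awk -F: -v want="$1" '
        /^flags[ \t]*:/ { n = split($2, f, " "); for (i = 1; i <= n; i++) if (f[i] == want) found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "${2:-/proc/cpuinfo}"
}

# Guest-side check: the hypervisor (kernel + microcode + QEMU) must pass the feature
# through before a VM can see it.
guest_sees_spec_ctrl() {
    cpu_has_flag spec_ctrl "${1:-/proc/cpuinfo}" || cpu_has_flag ibpb "${1:-/proc/cpuinfo}"
}

# Report what the running kernel says about the mitigations (host or guest).
mitigation_status() {
    vd=/sys/devices/system/cpu/vulnerabilities
    if [ -d "$vd" ]; then
        for v in meltdown spectre_v1 spectre_v2; do
            if [ -r "$vd/$v" ]; then printf '%s: %s\n' "$v" "$(cat "$vd/$v")"; fi
        done
    else
        for k in pti ibrs ibpb; do
            f=/sys/kernel/debug/x86/${k}_enabled
            if [ -r "$f" ]; then
                printf '%s_enabled: %s\n' "$k" "$(cat "$f")"
            else
                printf '%s_enabled: not readable (needs root and debugfs, or kernel not patched)\n' "$k"
            fi
        done
    fi
}

# Constructed sample, not captured from a real host: a Xeon E5-2637 v4 (family 6
# model 79) whose kernel already reports spec_ctrl.
sample_cpuinfo() {
    cat <<'EOF'
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 79
model name      : Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz
stepping        : 1
microcode       : 0xb000021
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush sse sse2 ht syscall nx lm spec_ctrl

EOF
}

main() {
    tmp=$(mktemp) || exit 1
    sample_cpuinfo > "$tmp"
    echo "sample host: family/model/microcode = $(cpu_facts "$tmp")"
    is_model79 "$tmp" && echo "sample host: model 79, pin microcode_ctl before updating"
    guest_sees_spec_ctrl "$tmp" && echo "sample host: spec_ctrl/ibpb visible to this kernel"
    rm -f "$tmp"
    if [ -r /proc/cpuinfo ]; then
        echo "live host: microcode revision $(microcode_revision)"
        is_model79 && echo "live host: model 79 CPU, see Red Hat bug 1532283"
        mitigation_status
    fi
}
main "$@"
```

Run it once before applying a microcode_ctl or BIOS update and once after the reboot: the revision printed by microcode_revision should change on update and return to the earlier value after the RHSA-2018:0093 rollback, and mitigation_status shows whether the kernel is actually using the microcode (ibrs_enabled / spectre_v2 output) rather than merely having it installed. Inside a VM, a missing spec_ctrl/ibpb flag means the hypervisor is not yet exposing the feature, whatever the host's own state.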