What are Meltdown and Spectre?
Meltdown and Spectre are vulnerabilities in the design of modern CPUs. The details of these vulnerabilities were published on the 4th of January, 2018. These exploits allow an attacker to use a specially crafted application to reveal the contents of system and application memory. These attacks work because the normal privileges checking behavior within the processor is subverted through the use of features like speculative execution, branch prediction, out-of-order execution, and caching.
How do I know if I'm affected and how can I protect myself?
Meltdown and Spectre affect a majority of modern processors. The processor optimizations that are abused in these vulnerabilities are a core design feature of most CPUs, meaning that most systems are in a vulnerable state until specifically patched. This includes desktop computers, servers, and compute instances operating in Cloud environments.
Operating System vendors are releasing patches for the Meltdown vulnerability. Spectre itself represents an entire class of vulnerabilities that will require ongoing remediation to remain secure.
Full protection against these vulnerabilities will likely require changes in CPU designs. For the meantime, software updates can provide protection from the vulnerabilities by disabling or working around some of the optimization behavior that leads to these vulnerabilities.
Unfortunately, because these patches affect the optimization routines within the processor, these patches may decrease the performance of your server. The extent of the slowdown is highly dependent on the type of processing being performed, with I/O intensive processes experiencing the largest impact.
Anyone with a shared hosting or managed services account will not have to take action, updates will be done by CanHost staff.
Distributions that have released kernel updates with partial mitigation include (These may change as more kernel updates are released):
- CentOS 7: kernel 3.10.0-693.11.6
- CentOS 6: kernel 2.6.32-696.18.7
- Fedora 27: kernel 4.14.11-300
- Fedora 26: kernel 4.14.11-200
- Ubuntu 17.10: kernel 4.13.0-25-generic
- Ubuntu 16.04: kernel 4.4.0-109-generic
- Ubuntu 14.04: kernel 3.13.0-139-generic
- Debian 9: kernel 4.9.0-5-amd64
- Debian 8: kernel 3.16.0-5-amd64
- Debian 7: kernel 3.2.0-5-amd64
- Fedora 27 Atomic: kernel 4.14.11-300.fc27.x86_64
- CoreOS: kernel 4.14.11-coreos
Windows environments will contain patches in the latest Windows Updates.
How To Apply Updates:
For Debian/Ubuntu Servers
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo reboot
For RHEL/CentOS Servers
$ sudo yum update
$ sudo reboot
For Windows Servers
- Apply the latest Windows Updates
Please note that End Of Life (EOL) operating systems will not receive patches. Please contact us for support if this happens to be the case for your system.
Thursday, January 11, 2018