—-Updated 1/10/18 1:25m EST—–
Ubuntu
Remediation Steps:
Ubuntu 14, 16, 17
apt-get update
apt-get dist-upgrade
reboot to complete the update
—-Updated 1/8/18 10:55am EST—–
ProxMox
Remediation Steps:
Follow the instructions found at https://forum.proxmox.com/threads/meltdown-and-spectre-linux-kernel-fixes.39110/
—-Updated 1/6/18 3:03pm EST—–
Cloudlinux
yum clean all && yum update kernel-firmware && yum install kernel-2.6.32-896.16.1.lve1.4.49.el6
—-Updated 1/6/18 2:12pm EST—–
OS Specific Information
Red Hat (CentOS & Scientific Linux included)
Performance impact details as provided by Red Hat: The recent speculative execution CVEs address three potential attacks across a wide variety of architectures and hardware platforms, each requiring slightly different fixes. In many cases, these fixes also require microcode updates from the hardware vendors. Red Hat has delivered updated Red Hat Enterprise Linux kernels that focus on securing customer deployments. The nature of these vulnerabilities and their fixes introduces the possibility of reduced performance on patched systems. The performance impact depends on the hardware and the applications in place.
In order to provide more detail, Red Hat’s performance team has categorized the performance results for Red Hat Enterprise Linux 7 (with similar behavior on Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 5), on a wide variety of benchmarks, based on performance impact:
Measurable: 8-19% – Highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions are impacted between 8-19%. Examples include OLTP Workloads (tpc), sysbench, pgbench, netperf (< 256 byte), and fio (random I/O to NvME).
Modest: 3-7% – Database analytics, Decision Support System (DSS), and Java VMs are impacted less than the “Measurable” category. These applications may have significant sequential disk or network traffic, but kernel/device drivers are able to aggregate requests to a moderate level of kernel-to-user transitions. Examples include SPECjbb2005, Queries/Hour and overall analytic timing (sec).
Small: 2-5% – HPC (High Performance Computing) CPU-intensive workloads are affected the least with only 2-5% performance impact because jobs run mostly in user space and are scheduled using cpu-pinning or numa-control. Examples include Linpack NxN on x86 and SPECcpu2006.
Minimal: Linux accelerator technologies that generally bypass the kernel in favor of user direct access are the least affected, with less than 2% overhead measured. Examples tested include DPDK (VsPERF at 64 byte) and OpenOnload (STAC-N). Userspace accesses to VDSO like get-time-of-day are not impacted. We expect similar minimal impact for other offloads.
NOTE: Because microbenchmarks like netperf/uperf, iozone, and fio are designed to stress a specific hardware component or operation, their results are not generally representative of customer workload. Some microbenchmarks have shown a larger performance impact, related to the specific area they stress.
Source: https://access.redhat.com/articles/3307751
Remediation Steps:
- Log in as root via SSH and run the following command: yum update.
- Confirm that a new kernel is offered for download. Once you accept it, it will download and install; when finished, yum prints “Complete!”
- Reboot the system to boot into the new kernel with the command: reboot now
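A post-reboot check for any of the Linux paths above (the yum update on Red Hat/CentOS, the CloudLinux kernel install, or the apt-get dist-upgrade on Ubuntu), added here as an example; it is not part of the original advisory and not a vendor or distribution tool. It reads the kernel's own mitigation status from /sys/devices/system/cpu/vulnerabilities/* (present on upstream 4.15+ kernels and on distribution backports that include it; whether a given vendor kernel has it is an assumption, and the script says so rather than reporting "patched" when the directory is missing) and, on RPM-based hosts, confirms that the kernel actually running is the newest one installed, which is exactly what goes wrong when a reboot does not complete:

```shell
#!/bin/sh
# Post-reboot mitigation check for a Linux host patched per the steps above.
# Added example for this page, not a vendor or distribution script. It reads the
# kernel's /sys/devices/system/cpu/vulnerabilities/* status files (present on
# upstream 4.15+ kernels and on distribution backports that include them; an
# assumption for any given vendor kernel) and, on RPM-based hosts, confirms that
# the running kernel is the newest one installed, i.e. that the reboot took.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a verdict: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print the number of status files under $1 whose verdict is "vulnerable".
# Fails with no output when the directory is absent, so an old kernel without
# the interface is never mistaken for a fully patched one.
count_vulnerable() {
    dir=$1
    [ -d "$dir" ] || return 1
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = vulnerable ] && n=$((n + 1))
    done
    echo "$n"
}

# Human-readable table of every status file under $1, then the vulnerable count.
report_vulns() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel lacks the status interface; confirm via the vendor advisory instead"
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-12s %-12s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
    echo "still vulnerable: $(count_vulnerable "$dir")"
}

# RPM-based hosts only: version of the most recently installed kernel package,
# in the same form as uname -r. Fails when rpm or a kernel package is absent.
newest_installed_kernel_rpm() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q kernel >/dev/null 2>&1 || return 2
    rpm -q --last kernel | head -n 1 | sed 's/^kernel-//; s/[[:space:]].*//'
}

# Constructed sample status files (not captured from a real host): a kernel with
# page-table isolation for Meltdown but no Spectre v2 mitigation yet.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: show the constructed sample, then this host.
sample=$(make_sample_dir)
echo "== constructed sample =="; report_vulns "$sample"
rm -rf "$sample"
echo "== this host =="; report_vulns "$VULN_DIR" || true
if newest=$(newest_installed_kernel_rpm); then
    if [ "$newest" = "$(uname -r)" ]; then
        echo "running the newest installed kernel ($newest)"
    else
        echo "running $(uname -r) but newest installed is $newest: reboot still pending"
    fi
fi
```

Run it as root after the reboot; a non-zero "still vulnerable" count or a "reboot still pending" line means the host is not yet where the remediation steps intend, regardless of what yum or apt-get reported.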
Debian (Ubuntu)
No updates have been released in regard to these CVEs; we will update this section once more information has been provided by the Debian and Ubuntu security teams. Please keep in mind that you update at your own risk. It looks like these attacks have been known for some time, but it is not known whether they have been used maliciously in the wild. So if you do not want to take the performance hit, or cannot afford to, you are advised against this update until further information has been made public and the programming communities can see exactly what needs to be patched for the fix to be complete.
Remediation Steps: awaiting
Clients with KernelCare (CentOS)
KernelCare updates are likely going to be out Sunday/Monday for the first releases for EL7 (RedHat/CentOS/CloudLinux 7). If you choose not to wait for the KernelCare updates, you can manually patch your server now by running the CentOS kernel update via yum update followed by a reboot.
Clients on Sparknode VMs
There are situations where guests on Xen-kernel-based hypervisors do not reboot properly after the guest virtual machine has been updated. We are working on this situation and ask that you check back routinely for updates.
Windows Based Platforms
Remediation Steps:
Check Windows Update and reboot the server to complete the installation. On Windows there are also registry entries that need to be made; in fact a third one was just added today. Anti-virus software also has to be updated to be compatible, and there are still issues with the MSSQL patches. It is also possible that, even if the AV is updated, the update will not be pulled by Windows Update, in which case a fourth registry entry has to be made.
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
https://support.microsoft.com/en-us/help/4072699
https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server
VMware
VMware has posted information for each version at the link below:
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
—-Updated 1/5/18 6:00pm EST—-
It has recently been disclosed that most Intel processors are affected by two vulnerabilities known as Meltdown and Spectre. Security engineers within Intel and each operating system’s community are working to provide patches to eliminate this threat. We will provide timely updates regarding the situation as new information and patches are released.
Windows dedicated server customers: Microsoft has already released a patch, so make sure you have performed your updates today. We have provided a link below to an article covering how to ensure your anti-virus is not blocking this patch.
Managed Linux dedicated server customers: If you are running CentOS 6.x or 7.x, we have already updated your kernel and you now just need to perform a reboot. We are, however, asking each customer to perform one more yum update themselves prior to the reboot, just to be safe. Our managed customers not running Red Hat, CentOS 6 or 7 should be on the lookout for emails from us with important information about our patching your server(s) and possible instructions to reboot your server immediately. cPanel has posted their latest updates on the subject here.
Self-managed Linux dedicated server customers: please be diligent in researching how to patch your particular environment and OS. We will post timely updates and instructions per OS as they become available. Red Hat, CentOS 6 and 7 customers should be able to patch their servers now by performing a yum update followed by a reboot.
You can find more information regarding Meltdown and Spectre at:
- https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
- https://meltdownattack.com/
- https://www.cloudlinux.com/cloudlinux-os-blog/entry/intel-cpu-bug-kernelcare-and-cloudlinux
- https://www.redhat.com/en/blog/what-are-meltdown-and-spectre-here%E2%80%99s-what-you-need-know?sc_cid=7016000000127NJAAY
- https://www.zdnet.com/article/windows-meltdown-spectre-fix-how-to-check-if-your-av-is-blocking-microsoft-patch/
- https://documentation.cpanel.net/display/CKB/Meltdown+-+CVE-2017-5753+CVE-2017-5715+CVE-2017-5754