Meltdown and Spectre Security Vulnerabilities (updated 28 Feb 2018)
Wilfred Brimblecombe
Update 28 Feb 2018
Since the announcement of Spectre and Meltdown CPU vulnerabilities in early January, Nectar has been monitoring industry and vendor responses.
The situation is still evolving and patches to mitigate these vulnerabilities are still being developed. Some Nectar Nodes (the research cloud's infrastructure operators) have applied initial patches addressing one of the vulnerabilities. However, a number of stability issues with early CPU microcode updates and OS mitigations have been reported across the industry, and these are still not fully addressed.
The Spectre variant 2 vulnerability requires CPU microcode updates to fully mitigate, and these are not yet available for all the server processor families used within the research cloud.
Nectar Core Services is reviewing information as it becomes available and will advise Nodes on next steps soon after. Nectar notes that many of the nodes have significant skills in this area independent of Core Services and is grateful for support from the nodes.
End-users must also patch/update their existing research cloud server instances to mitigate these vulnerabilities within their systems running on the research cloud. OVH provides a useful reference page (https://docs.ovh.com/fr/dedicated/meltdown-spectre-kernel-update-per-operating-system/) listing the vulnerability status of various operating systems and links to vendor and/or community source information.
Nectar Glance image updates
Nectar official images have been updated to include the latest mitigations as provided by each of the distributions.
The latest images including these fixes are listed below:
ID                                   | Name                                    | Build | Build Date
6667e555-5be0-4ee7-a781-02207fd9d736 | NeCTAR CentOS 6 x86_64                  | 68    | 2018-02-07
d87a2d42-6a90-4d7d-918c-988e9ab13b56 | NeCTAR CentOS 7 x86_64                  | 73    | 2018-02-08
31edf066-20fc-44e5-bde8-f6b39da46777 | NeCTAR Debian 7 (Wheezy) amd64          | 68    | 2018-02-07
2a220f28-71fd-4a40-8342-7ed7177bd8d0 | NeCTAR Debian 8 (Jessie) amd64          | 61    | 2018-02-08
8cdf754b-50a7-4845-b42c-863c52abea1b | NeCTAR Debian 9 (Stretch) amd64         | 17    | 2018-02-08
0081a397-e2e8-4342-8494-08414627fc1f | NeCTAR Fedora 26 x86_64                 | 3     | 2018-02-08
4f3ea186-8b91-4a21-9df9-1d8bf0175a60 | NeCTAR Scientific Linux 6 x86_64        | 48    | 2018-02-20
124ac81e-1878-4282-be0c-55f46c67a6d0 | NeCTAR Ubuntu 14.04 (Trusty) amd64      | 93    | 2018-02-27
f82012f7-5042-48aa-81c2-a59684840c23 | NeCTAR Ubuntu 16.04 LTS (Xenial) amd64  | 30    | 2018-02-27
d6929048-3a81-4bf7-b5ef-d69bd67219ba | NeCTAR Ubuntu 17.10 (Artful) amd64      | 5     | 2018-02-27
b7a491e6-1e6f-46d6-8593-fa0b88efd614 | NeCTAR openSUSE Leap 42.3 x86_64        | 5     | 2018-02-07
For existing virtual machines, you should ensure your packages are up to date to include the mitigations and reboot to use the updated kernel.
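One way to confirm that an existing instance has actually picked up the fixes after the update and reboot, added here as an example and not Nectar's own tooling. It assumes a Linux guest whose kernel exposes /sys/devices/system/cpu/vulnerabilities/ and keeps installed kernels under /boot as vmlinuz-<version>; the directories are parameters so the checks can also run against a constructed copy.

```shell
#!/bin/sh
# Added example, not from the Nectar announcement. After updating packages and
# rebooting a VM, two checks show whether it really picked up the fixes:
#  1. the running kernel is the newest one installed under /boot, and
#  2. what that kernel reports per variant in
#     /sys/devices/system/cpu/vulnerabilities/ (absent on pre-2018 kernels).
# Directories are parameters so the checks also run on a constructed copy.
# Echo how many variants the kernel still reports as "Vulnerable".
# In a guest, spectre_v2 stays "Vulnerable" until the host has the microcode
# update and the hypervisor exposes the new CPU features to the VM.
unmitigated_count() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Print one line per variant; return 0 only if nothing is left "Vulnerable".
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel predates the mitigations, update it" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] && printf '%-12s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
    [ "$(unmitigated_count "$dir")" -eq 0 ]
}

# Echo the newest kernel version installed under BOOT_DIR (default /boot).
newest_installed_kernel() {
    for k in "${1:-/boot}"/vmlinuz-*; do
        [ -f "$k" ] && printf '%s\n' "${k##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Succeed when the running kernel (default: uname -r) is not the newest one.
reboot_needed() {   # args: BOOT_DIR [RUNNING_VERSION]
    newest=$(newest_installed_kernel "$1")
    [ -n "$newest" ] && [ "$newest" != "${2:-$(uname -r)}" ]
}

if [ -d /sys/devices/system/cpu/vulnerabilities ]; then   # live VM check
    reboot_needed /boot && echo "newer kernel installed: reboot required"
    report_mitigations || echo "some variants are still unmitigated" >&2
fi
```

A spectre_v2 line that still reads "Vulnerable" on a fully updated guest is expected until the Node's hypervisor update described in the next section has landed.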
Hypervisor updates
Host kernel updates and CPU microcode updates (which will be required on Intel hosts) will likely be disruptive to end-users. Nectar Nodes will plan these outages and communicate impact to users.
<< Previous announcements on this topic below>>
4th January 2018
In the last day or so two related security vulnerabilities, Meltdown and Spectre, have been in news headlines. These vulnerabilities potentially allow another process on the same host as your process to view your in-memory data.
Nectar End User Impact
End User VMs may need to be rebooted after patches to the hypervisor Operating System have been applied. Further notice will be given if and when reboots are being scheduled.
Detail
Nectar Core Services is aware of the issues raised by these vulnerabilities and is working with Nectar Sites in preparing to take remedial actions as necessary, and to apply security patches as they become available from vendors and the software community.
The Meltdown vulnerability only affects Intel-based processors; the Nectar compute resource is made up of a mixture of Intel and AMD CPU resources. Responding to Meltdown is straightforward but will be disruptive: reboots of the Intel-based parts of the Nectar cloud will be necessary, which will in turn require some user VMs to be rebooted. We will provide advance notification for any reboots.
Responses to the Spectre vulnerability are still in development internationally. Nectar will implement mitigation strategies and patches as and when they become available.
All Cloud providers are dealing with these vulnerabilities presently; announcements and responses by Public Cloud providers are available at:
AWS (Amazon)
Azure (Microsoft)
Google
DigitalOcean