Update 28 Feb 2018
Since the announcement of Spectre and Meltdown CPU vulnerabilities in early January, Nectar has been monitoring industry and vendor responses.
The situation is still evolving and patches to mitigate these vulnerabilities are still being developed. Some Nectar Nodes (the research cloud’s infrastructure operators) have applied initial patches addressing one of the vulnerabilities; however, a number of stability issues have been reported in the industry with early CPU microcode updates and OS mitigations, and these are still not fully addressed.
The Spectre variant 2 vulnerability requires CPU microcode updates to fully mitigate; these are not yet available for all the server processor families used within the research cloud.
Nectar Core Services is reviewing information as it becomes available and will advise Nodes on next steps soon after. Nectar notes that many of the nodes have significant skills in this area independent of Core Services and is grateful for support from the nodes.
End-users must also patch/update their existing research cloud server instances to mitigate these vulnerabilities within their systems running on the research cloud. OVH provides a useful reference page (https://docs.ovh.com/fr/dedicated/meltdown-spectre-kernel-update-per-operating-system/) listing the vulnerability status of various operating systems and links to vendor and/or community source information.
Nectar Glance image updates
Nectar official images have been updated to include the latest mitigations as provided by each of the distributions.
The latest images including these fixes are listed below:
NeCTAR CentOS 6 x86_64
NeCTAR CentOS 7 x86_64
NeCTAR Debian 7 (Wheezy) amd64
NeCTAR Debian 8 (Jessie) amd64
NeCTAR Debian 9 (Stretch) amd64
NeCTAR Fedora 26 x86_64
NeCTAR Scientific Linux 6 x86_64
NeCTAR Ubuntu 14.04 (Trusty) amd64
NeCTAR Ubuntu 16.04 LTS (Xenial) amd64
NeCTAR Ubuntu 17.10 (Artful) amd64
NeCTAR openSUSE Leap 42.3 x86_64
For existing virtual machines, you should ensure your packages are up to date to include the mitigations and reboot to use the updated kernel.
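One way to confirm the result after updating and rebooting a VM, given here as an added example that is not part of the original announcement or Nectar's own tooling: Linux kernels from 4.15, and distribution kernels with the interface backported, report their mitigation state under /sys/devices/system/cpu/vulnerabilities. The `check_mitigations` name, its optional directory argument and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report of Meltdown/Spectre
# mitigation state. Returns 0 = all mitigated or not affected,
# 1 = at least one vulnerable, 2 = status not reported by this kernel.
check_mitigations() {
    # The optional directory argument is an assumption added so the function
    # can be run on sample data; the default is the real sysfs path.
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ ! -r "$dir/$name" ]; then
            echo "UNKNOWN     $name: not reported by this kernel"
            if [ "$rc" -eq 0 ]; then rc=2; fi
            continue
        fi
        state=$(cat "$dir/$name")
        case "$state" in
            "Not affected"*|"Mitigation:"*)
                echo "OK          $name: $state" ;;
            *)  # "Vulnerable..." and any unrecognised text count as failing
                echo "VULNERABLE  $name: $state"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample data (not taken from a Nectar instance): Meltdown and
# Spectre v1 mitigated, Spectre v2 still reported as vulnerable.
sample=$(mktemp -d)
echo "Mitigation: PTI" > "$sample/meltdown"
echo "Mitigation: __user pointer sanitization" > "$sample/spectre_v1"
echo "Vulnerable" > "$sample/spectre_v2"
check_mitigations "$sample"
echo "exit status: $?"
rm -rf "$sample"
```

On a real instance, call `check_mitigations` with no argument; an UNKNOWN line means the running kernel does not expose the interface.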
Host kernel updates and CPU microcode updates (which will be required on Intel hosts) will likely be disruptive to end-users. Nectar Nodes will plan these outages and communicate impact to users.
<< Previous announcements on this topic below>>
4th January 2018
In the last day or so two related security vulnerabilities, Meltdown and Spectre, have been in news headlines. These vulnerabilities potentially allow another process on the same host as your process to view your in-memory data.
Nectar End User Impact
End User VMs may need to be rebooted after patches to the hypervisor Operating System have been applied. Further notice will be given if and when reboots are being scheduled.
Nectar Core Services is aware of the issues raised by these vulnerabilities and is working with Nectar Sites in preparing to take remedial actions as necessary, and to apply security patches as they become available from vendors and the software community.
The Meltdown vulnerability only affects Intel-based processors; the Nectar compute resource is made up of a mixture of Intel and AMD CPU resources. Responding to Meltdown is straightforward but will be disruptive. Reboots of Intel-based parts of the Nectar cloud will be necessary, which will consequently require some user VMs to be rebooted. We will provide advance notification for any reboots.
Responses to the Spectre vulnerability are still in development internationally. Nectar will implement mitigation strategies and patches as and when they become available.
All Cloud providers are dealing with these vulnerabilities presently - announcements and responses by Public Cloud providers are available at: