
Meltdown and Spectre Security Vulnerabilities (updated 28 Feb 2018)

Update 28 Feb 2018

Since the announcement of Spectre and Meltdown CPU vulnerabilities in early January, Nectar has been monitoring industry and vendor responses.


The situation is still evolving and patches to mitigate these vulnerabilities are still being developed. Some Nectar Nodes (the research cloud’s infrastructure operators) have applied initial patches addressing one of the vulnerabilities; however, a number of stability issues with early CPU microcode updates and OS mitigations have been reported in the industry and are still not fully addressed.

The Spectre variant 2 vulnerability requires CPU microcode updates to fully mitigate; these are not yet available for all the server processor families used within the research cloud.


Nectar Core Services is reviewing information as it becomes available and will advise Nodes on next steps soon after. Nectar notes that many of the nodes have significant skills in this area independent of Core Services and is grateful for support from the nodes.


End-users must also patch/update their existing research cloud server instances to mitigate these vulnerabilities within their systems running on the research cloud. OVH provides a useful reference page (https://docs.ovh.com/fr/dedicated/meltdown-spectre-kernel-update-per-operating-system/) listing the vulnerability status of various operating systems and links to vendor and/or community source information.


Nectar Glance image updates

Nectar official images have been updated to include the latest mitigations as provided by each of the distributions.


The latest images including these fixes are listed below:



ID                                   | Name                                   | Build | Build Date
-------------------------------------|----------------------------------------|-------|-----------
6667e555-5be0-4ee7-a781-02207fd9d736 | NeCTAR CentOS 6 x86_64                 | 68    | 2018-02-07
d87a2d42-6a90-4d7d-918c-988e9ab13b56 | NeCTAR CentOS 7 x86_64                 | 73    | 2018-02-08
31edf066-20fc-44e5-bde8-f6b39da46777 | NeCTAR Debian 7 (Wheezy) amd64         | 68    | 2018-02-07
2a220f28-71fd-4a40-8342-7ed7177bd8d0 | NeCTAR Debian 8 (Jessie) amd64         | 61    | 2018-02-08
8cdf754b-50a7-4845-b42c-863c52abea1b | NeCTAR Debian 9 (Stretch) amd64        | 17    | 2018-02-08
0081a397-e2e8-4342-8494-08414627fc1f | NeCTAR Fedora 26 x86_64                | 3     | 2018-02-08
4f3ea186-8b91-4a21-9df9-1d8bf0175a60 | NeCTAR Scientific Linux 6 x86_64       | 48    | 2018-02-20
124ac81e-1878-4282-be0c-55f46c67a6d0 | NeCTAR Ubuntu 14.04 (Trusty) amd64     | 93    | 2018-02-27
f82012f7-5042-48aa-81c2-a59684840c23 | NeCTAR Ubuntu 16.04 LTS (Xenial) amd64 | 30    | 2018-02-27
d6929048-3a81-4bf7-b5ef-d69bd67219ba | NeCTAR Ubuntu 17.10 (Artful) amd64     | 5     | 2018-02-27
b7a491e6-1e6f-46d6-8593-fa0b88efd614 | NeCTAR openSUSE Leap 42.3 x86_64       | 5     | 2018-02-07

For existing virtual machines, you should ensure your packages are up to date to include the mitigations and reboot to use the updated kernel.
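As an added example (not part of the Nectar announcement), the POSIX shell script below checks a Linux instance for the two things the paragraph above asks for: whether the running kernel reports the Meltdown/Spectre mitigations as active, read from /sys/devices/system/cpu/vulnerabilities/ (present on Linux 4.15 and on distribution kernels that backported it), and whether a newer kernel image has been installed under /boot since the running one, which means the reboot is still pending. The function names, the optional directory and version arguments, and the kernel file names used in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether a Linux guest has picked up the Meltdown/Spectre
# mitigations and whether it still needs a reboot. Not code from the Nectar
# announcement. Both functions take optional arguments so they can be run
# against a constructed copy of the sysfs or /boot tree.

# check_cpu_mitigations [SYSFS_DIR]
# Prints one line per file in the kernel's vulnerabilities directory and
# returns 0 when none of them reads "Vulnerable", 1 when at least one does,
# and 2 when the kernel is too old to expose the directory at all.
check_cpu_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel cannot report mitigation status; update packages and reboot"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)
                # e.g. "Vulnerable: Minimal generic ASM retpoline" for spectre_v2
                # when the compiler or microcode support is missing
                echo "FAIL $name: $status"
                unmitigated=$((unmitigated + 1)) ;;
            *)
                # "Mitigation: PTI", "Mitigation: Full generic retpoline",
                # "Not affected", ...
                echo "ok   $name: $status" ;;
        esac
    done
    [ "$unmitigated" -eq 0 ]
}

# needs_kernel_reboot [BOOT_DIR] [RUNNING_VERSION]
# Returns 0 (reboot needed) when a vmlinuz-* image newer than the one for the
# running kernel exists, or when the running kernel's image is gone entirely
# (it was removed by a package upgrade); returns 1 when the running kernel is
# the newest installed. Versions like "4.4.0-104-generic" are assumed names.
needs_kernel_reboot() {
    boot="${1:-/boot}"
    running="${2:-$(uname -r)}"
    current="$boot/vmlinuz-$running"
    if [ ! -f "$current" ]; then
        echo "running kernel $running has no image in $boot: reboot into the installed kernel"
        return 0
    fi
    newer=$(find "$boot" -name 'vmlinuz-*' -newer "$current")
    if [ -n "$newer" ]; then
        echo "kernel image(s) newer than running $running are installed; reboot pending:"
        echo "$newer"
        return 0
    fi
    echo "running kernel $running is the newest installed; no reboot pending"
    return 1
}

# Usage on a live instance (no arguments needed):
#   . ./check_mitigations.sh
#   check_cpu_mitigations
#   needs_kernel_reboot
```

A "Vulnerable" line for spectre_v2 after the packages are current usually means the host has not yet received the microcode update the announcement mentions, or the distribution kernel was built without retpoline support, so the check is worth re-running after each host maintenance window.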


Hypervisor updates

Host kernel updates and CPU microcode updates (which will be required on Intel hosts) will likely be disruptive to end-users. Nectar Nodes will plan these outages and communicate impact to users.




<< Previous announcements on this topic below >>



4th January 2018


In the last day or so two related security vulnerabilities, Meltdown and Spectre, have been in news headlines.  These vulnerabilities potentially allow another process on the same host as your process to view your in-memory data.


Nectar End User Impact

End User VMs may need to be rebooted after patches to the hypervisor operating system have been applied. Further notice will be given if and when reboots are being scheduled.


Detail

Nectar Core Services is aware of the issues raised by these vulnerabilities and is working with Nectar Sites in preparing to take remedial actions as necessary, and to apply security patches as they become available from vendors and the software community.


The Meltdown vulnerability only affects Intel based processors; the Nectar compute resource is made up of a mixture of Intel and AMD CPU resources. Responding to Meltdown is straightforward but will be disruptive: reboots of the Intel based parts of the Nectar cloud will be necessary, which will consequently require some user VMs to be rebooted. We will provide advance notification for any reboots.


Responses to the Spectre vulnerability are still in development internationally. Nectar will implement mitigation strategies and patches as and when they become available.

All Cloud providers are dealing with these vulnerabilities presently - announcements and responses by Public Cloud providers are available at:

AWS (Amazon)

Azure (Microsoft)

Google

DigitalOcean



