[cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability


[cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability

Molly Crowther

USN-3522-2: Linux (Xenial HWE) vulnerability

Severity

Critical

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04

Description

USN-3522-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754)

Please Note: These stemcells address the critical vulnerability in Ubuntu associated with Meltdown. This update may include degradations to performance. The Cloud Foundry Project will be performing additional performance testing and will make updates to this notice as more information is available.

Affected Cloud Foundry Products and Versions

Severity is critical unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • 3312.x versions prior to 3312.49
    • 3363.x versions prior to 3363.45
    • 3421.x versions prior to 3421.35
    • 3445.x versions prior to 3445.21
    • 3468.x versions prior to 3468.16
    • All other stemcells not listed.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • The Cloud Foundry project recommends upgrading the following BOSH stemcells:
    • Upgrade 3312.x versions to 3312.49
    • Upgrade 3363.x versions to 3363.45
    • Upgrade 3421.x versions to 3421.35
    • Upgrade 3445.x versions to 3445.21
    • Upgrade 3468.x versions to 3468.16
    • All other stemcells should be upgraded to the latest version available on bosh.io.

References

_._,_._,_

Links:

You receive all messages sent to this group.

View/Reply Online (#7644) | [hidden email] | [hidden email] | Mute This Topic | New Topic

Change Your Subscription
Group Home
[hidden email]
Terms Of Service
Unsubscribe From This Group

_._,_._,_
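The affected/fixed version table above is the thing an operator has to apply to every director they run. The script below is an added example for this thread, not Cloud Foundry or BOSH project code: it encodes the advisory's fixed versions and classifies each row of a `bosh stemcells` listing. Assumptions: the listing is shaped like the table the bosh CLI prints (name, version, OS, CPI, CID columns, with a trailing `*` on the version that is currently deployed); and, following the advisory's "All other stemcells not listed" clause, a line the advisory does not enumerate is reported as `unlisted`, which still means upgrade, never as fixed. The listing embedded in the script is constructed sample data, not output from a real director.

```python
"""Triage a `bosh stemcells` listing against the fixed versions in USN-3522-2
(CVE-2017-5754, Meltdown).

Added example for this thread; it is not Cloud Foundry or BOSH project code.
The fixed-version table is taken from the advisory's Mitigation section; the
listing below is constructed sample data shaped like the table the bosh CLI
prints (bosh marks the deployed version with a trailing '*').
"""
import re

# First fixed patch level per stemcell line, from the advisory.
FIXED_PATCH = {3312: 49, 3363: 45, 3421: 35, 3445: 21, 3468: 16}

# "3468.16", "3468.16*" (deployed), or a three-part version such as "3468.16.1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?\*?$")


def parse_version(version):
    """Return (line, patch) for a stemcell version string; raise on junk."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError("unrecognised stemcell version: %r" % version)
    return int(m.group(1)), int(m.group(2))


def verdict(version):
    """Classify one version: 'fixed', 'vulnerable', or 'unlisted'.

    'unlisted' means the advisory does not enumerate that line. It still says
    to upgrade those to the latest version on bosh.io, so callers must treat
    'unlisted' as action required, not as safe.
    """
    line, patch = parse_version(version)
    fixed_patch = FIXED_PATCH.get(line)
    if fixed_patch is None:
        return "unlisted"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def triage(listing):
    """Parse the text `bosh stemcells` prints and return
    [(name, version, verdict), ...] in listing order.

    Rows are recognised by a version-shaped second column, which skips the
    'Using environment' banner, the header row and the trailing count line.
    """
    rows = []
    for raw in listing.splitlines():
        fields = raw.split()
        if len(fields) < 2 or not VERSION_RE.match(fields[1]):
            continue
        name, version = fields[0], fields[1]
        rows.append((name, version, verdict(version)))
    return rows


def needs_action(listing):
    """(name, version) pairs that must be upgraded per the advisory."""
    return [(n, v) for n, v, result in triage(listing) if result != "fixed"]


# Constructed sample, not output from a real director.
SAMPLE_LISTING = """\
Using environment '10.0.0.6' as client 'admin'

Name                                        Version   OS             CPI  CID
bosh-google-kvm-ubuntu-trusty-go_agent      3468.13*  ubuntu-trusty  -    stemcell-0001
bosh-google-kvm-ubuntu-trusty-go_agent      3468.16   ubuntu-trusty  -    stemcell-0002
bosh-aws-xen-hvm-ubuntu-trusty-go_agent     3445.21*  ubuntu-trusty  -    ami-0003
bosh-vsphere-esxi-ubuntu-trusty-go_agent    3363.44*  ubuntu-trusty  -    sc-0004
bosh-warden-boshlite-ubuntu-trusty-go_agent 3541.5*   ubuntu-trusty  -    0005

5 stemcells
"""

if __name__ == "__main__":
    for name, version, result in triage(SAMPLE_LISTING):
        print("%-12s %-10s %s" % (result, version, name))
```

Running it against a real director is `bosh -e <env> stemcells | python3 triage.py` with `SAMPLE_LISTING` swapped for `sys.stdin.read()`. Note that an uploaded fixed stemcell (the `3468.16` row) does nothing for a deployment still pinned to `3468.13*`; the deployed marker is what matters.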

Re: [cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability

Carlo Alberto Ferraris-2
Are there plans to allow operators to boot with nopti/pti=off?

Re: [cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability

Marco Voelz

+Dmitriy

We talked about this possibility recently, right?

> From: <[hidden email]> on behalf of Carlo Alberto Ferraris <[hidden email]>
> Reply-To: "[hidden email]" <[hidden email]>
> Date: Wednesday, 17. January 2018 at 06:28
> To: "[hidden email]" <[hidden email]>
> Subject: Re: [cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability
>
> Are there plans to allow operators to boot with nopti/pti=off?


Re: [cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability

Dmitriy Kalinin
In reply to this post by Carlo Alberto Ferraris-2
> Are there plans to allow operators to boot with nopti/pti=off?

Idea floated around. It could be implemented similarly to how IPv6 is dynamically enabled by the agent. Is this something that you all determined you need?

I don't believe we have observed a significant performance difference with the currently provided updates. But I might be out of date on findings.

On Thu, Jan 18, 2018 at 11:11 AM, Voelz, Marco <[hidden email]> wrote:

> +Dmitriy
>
> We talked about this possibility recently, right?
>
> From: <[hidden email]> on behalf of Carlo Alberto Ferraris <[hidden email]>
> Reply-To: "[hidden email]" <[hidden email]>
> Date: Wednesday, 17. January 2018 at 06:28
> To: "[hidden email]" <[hidden email]>
> Subject: Re: [cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability
>
> Are there plans to allow operators to boot with nopti/pti=off?


Re: [cf-dev] USN-3522-2: Linux (Xenial HWE) vulnerability

Carlo Alberto Ferraris-2
Dmitriy,

> is this something that you all determined you need? 

We have confirmed with our IaaS provider that they believe guests to be not affected; as such, disabling PTI would seem like a good way to avoid the associated performance impact.
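The thread above asks about booting stemcells with `nopti`/`pti=off` and relies on an IaaS provider's statement that guests are not affected. Before acting on either, the check an operator wants is the one the guest kernel itself can answer: whether the CPU the VM sees is reported as affected, and whether PTI is actually on. A hypervisor-side Meltdown fix protects the host from its guests; it does not in general stop an unprivileged process inside the VM from reading that VM's kernel memory, which is exactly what PTI in the guest kernel prevents, so `nopti` is only free on a guest whose kernel reports "Not affected". The script below is an added example for this thread, not Cloud Foundry, BOSH or Ubuntu code. It assumes the kernel handles the boot parameters the way the mainline implementation does (`nopti` wins; otherwise the last `pti=on|off|auto` wins; anything else means auto) and that it exposes `/sys/devices/system/cpu/vulnerabilities/meltdown`; that file is absent on older kernels, which the code reports as unknown rather than safe. The command lines and sysfs strings embedded in it are constructed samples.

```python
"""Report whether kernel page-table isolation (PTI), the Meltdown mitigation
the USN-3522-2 kernel enables, is active on a running VM, and why.

Added example for this thread; it is not Cloud Foundry, BOSH or Ubuntu code.
Assumptions: the kernel honours `nopti` and `pti=on|off|auto` the way the
mainline implementation does (nopti wins, otherwise the last pti= option
wins, anything else means auto), and it exposes
/sys/devices/system/cpu/vulnerabilities/meltdown. That file is absent on
older kernels; the code treats its absence as unknown, never as safe.
"""
import os

MELTDOWN_SYSFS = "/sys/devices/system/cpu/vulnerabilities/meltdown"


def cmdline_pti_request(cmdline):
    """Return 'off', 'on' or 'auto': what /proc/cmdline asked the kernel for."""
    tokens = cmdline.split()
    if "nopti" in tokens:
        return "off"
    request = "auto"
    for tok in tokens:
        if tok.startswith("pti="):
            value = tok[len("pti="):]
            if value in ("on", "off", "auto"):
                request = value  # last valid pti= option wins
    return request


def pti_status(cmdline, meltdown_sysfs=None):
    """Combine the boot request with what the kernel itself reports.

    Returns (status, request), where status is one of:
      'mitigated'     sysfs says "Mitigation: PTI"
      'not-affected'  sysfs says "Not affected": the CPU the guest sees is
                      not vulnerable, so PTI is unnecessary here
      'unmitigated'   sysfs says "Vulnerable", or there is no sysfs file and
                      PTI was disabled on the command line
      'unknown'       no sysfs file and no request on the command line, or an
                      unrecognised sysfs string
    """
    request = cmdline_pti_request(cmdline)
    if meltdown_sysfs is not None:
        text = meltdown_sysfs.strip()
        if text.startswith("Not affected"):
            return "not-affected", request
        if text.startswith("Mitigation: PTI"):
            return "mitigated", request
        if text.startswith("Vulnerable"):
            return "unmitigated", request
        return "unknown", request
    # Kernel without the vulnerabilities directory: only the request is known.
    if request == "off":
        return "unmitigated", request
    return "unknown", request


def live_status():
    """Run the check on this machine (Linux only)."""
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    sysfs = None
    if os.path.exists(MELTDOWN_SYSFS):
        with open(MELTDOWN_SYSFS) as f:
            sysfs = f.read()
    return pti_status(cmdline, sysfs)


# Constructed samples, not captured from a real stemcell.
CMDLINE_DEFAULT = "BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 ro console=ttyS0"
CMDLINE_NOPTI = CMDLINE_DEFAULT + " nopti"
CMDLINE_OVERRIDE = CMDLINE_DEFAULT + " pti=off pti=on"

if __name__ == "__main__":
    status, request = live_status()
    print("pti request=%s status=%s" % (request, status))
```

Run it on a VM created from the stemcell in question (`python3 pti_check.py`); a result of `('unmitigated', 'off')` on a kernel that would otherwise report `Mitigation: PTI` means the guest kernel is readable from any local process on that VM, whatever the hypervisor does.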