Join the community today
Register Now

Security August 2018: Kernel Security Update: L1TF - L1 Terminal Fault Attack CVE-2018-3620 & CVE-2018-3646

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Aug 15, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Redhat and CentOS Linux Kernel and microcode security updates are coming out for L1TF - L1 Terminal Fault Attack CVE-2018-3620 & CVE-2018-3646. Second post below has performance impact for the Kernel/microcode updates and other outlined mitigation suggestions.

    All Linux users including Centmin Mod users will need to update their Linux kernels for L1TF attack vulnerability fix. This is only part of the fix especially for VPS users as bios/microcode updates at your VPS provider host node level also are required which may require server reboots at both web host and your end.

    Yum Updates For CVE-2018-3620 & CVE-2018-3646



    Keep an eye on updates to L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 - Red Hat Customer Portal for news of Redhat/CentOS 6/7 Linux Kernel updates which you would find listing Kernel updates if available via command
    Code (Text):
    yum clean all
    yum list updates
    

    To update kernel if listed and answer yes = y when prompted
    Code (Text):
    yum update
    

    You will need to reboot server after Kernel updates are made. According to Redhat if you're on VPS, VPS host nodes will need to be restarted by web host too
    Example of listed updates for CentOS 7 64bit Red Hat Customer Portal
    Code (Text):
    yum list updates -q
    Updated                   Packages
    kernel.x86_64             3.10.0-862.11.6.el7  updates
    kernel-devel.x86_64       3.10.0-862.11.6.el7  updates
    kernel-headers.x86_64     3.10.0-862.11.6.el7  updates
    kernel-tools.x86_64       3.10.0-862.11.6.el7  updates
    kernel-tools-libs.x86_64  3.10.0-862.11.6.el7  updates
    perf.x86_64               3.10.0-862.11.6.el7  updates
    python-perf.x86_64        3.10.0-862.11.6.el7  updates
    

    Example of listed updates for CentOS 6 64bit Red Hat Customer Portal
    Code (Text):
    yum list updates -q
    Updated                 Packages
    kernel.x86_64           2.6.32-754.3.5.el6  updates
    kernel-devel.x86_64     2.6.32-754.3.5.el6  updates
    kernel-firmware.noarch  2.6.32-754.3.5.el6  updates
    kernel-headers.x86_64   2.6.32-754.3.5.el6  updates
    

    For Linode VPS users on custom Linode 4.1* Kernels, there's an updated Kernel = 4.17.15-x86_64-linode115 for this which also requires a server reboot.

    Once you have updated your Linux Kernels as per 1st post instructions (only applies to non-OpenVZ systems like Xen/KVM/dedicated) and have rebooted server, you will have access to /sys system level verification of type of Spectre/Meltdown class Kernel fixes that are in place on your server - including L1TF via
    /sys/devices/system/cpu/vulnerabilities/l1tf. Which you can see via cat command the contents of
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Code (Text):
    cat /sys/devices/system/cpu/vulnerabilities/l1tf
    

    There are others for meltdown, spectre v1/v2 and speculative store bypass too. Note Speculative store bypass security fix is disabled by default as vulnerability requires local user access first and lets end users determine if their usage scenarios require the fix to be enabled as it has up to 8% performance impact when enabled.
    Code (Text):
    ls -lah /sys/devices/system/cpu/vulnerabilities/
    total 0
    drwxr-xr-x 2 root root    0 Aug 17 00:26 .
    drwxr-xr-x 9 root root    0 Aug 17 00:26 ..
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 l1tf
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 meltdown
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 spec_store_bypass
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 spectre_v1
    

    On updated Linux Kernel systems you can use this command to use cat command to spit out the contents of each of these files located in /sys/devices/system/cpu/vulnerabilities/
    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    

    Below are example outputs from this command for updated Linode custom kernel, CentOS 7 and 6 default distro provided kernels.

    Linode


    Code (Text):
    uname -r
    4.17.15-x86_64-linode115
    

    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full generic retpoline
    
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Mitigation: PTE Inversion
    
    /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    Vulnerable
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: __user pointer sanitization
    
    /sys/devices/system/cpu/vulnerabilities/meltdown
    Mitigation: PTI
    

    CentOS 7


    Code (Text):
    uname -r
    3.10.0-862.11.6.el7.x86_64
    

    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Mitigation: PTE Inversion
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: Load fences, __user pointer sanitization
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Vulnerable: Retpoline without IBPB
    
    /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    Vulnerable
    
    /sys/devices/system/cpu/vulnerabilities/meltdown
    Mitigation: PTI
    

    CentOS 6


    Code (Text):
    uname -r
    2.6.32-754.3.5.el6.x86_64
    

    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    
    /sys/devices/system/cpu/vulnerabilities/meltdown
    Mitigation: PTI
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: Load fences
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full retpoline
    
    /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    Vulnerable
    
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Mitigation: PTE Inversion
    

    For OpenVZ VPS systems, they use Host node level Kernel so your web host needs to update host node level Kernel as you have no control over updating Kernels.

    L1TF detection script



    L1TF detection script from L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 - Red Hat Customer Portal. Actual script https://access.redhat.com/sites/default/files/cve-2018-3620--2018-08-14-1255.sh

    On L1TF vulnerable system
    Code (Text):
    ./cve-2018-3620--2018-08-14-1255.sh
    
    CVE-2018-3620 Detection Script Ver. 1.2
    This script is primarily designed to detect CVE-2018-3620 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    CPU vendor: Intel
    Running kernel: 3.10.0-862.3.3.el7.x86_64
    Virtualization: None
    SMT status: On
    
    This system is vulnerable for the following reasons:
    * Kernel is not updated
    * Mitigation is not active
    
    Red Hat recommends that you:
    * Update your kernel and reboot the system.
    * Optionally ask your HW vendor for CPU microcode update if available.
    
    Note about microcode update
    Customers desiring performance improvement will need to ask their HW vendor for CPU microcode update
    in order to use the mitigation implemented in the microcode.
    
    Note about Hyper-Threading (SMT)
    Customers desiring to completely mitigate this issue will need to consider disabling SMT.
    For details how to disable SMT see:
    https://access.redhat.com/solutions/352663
    
    For more information about the vulnerability see:
    https://access.redhat.com/security/vulnerabilities/l1tf
    
    For more information about possible performance impact see:
    https://access.redhat.com/security/vulnerabilities/l1tf-perf


    On L1TF Kernel updated + rebooted system
    Code (Text):
    ./cve-2018-3620--2018-08-14-1255.sh
    
    CVE-2018-3620 Detection Script Ver. 1.2
    This script is primarily designed to detect CVE-2018-3620 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    CPU vendor: Intel
    Running kernel: 3.10.0-862.11.6.el7.x86_64
    Virtualization: kvm
    SMT status: Off
    Mitigation: Mitigation: PTE Inversion
    
    This system is not vulnerable, because it has correct mitigation applied.
    
    Note about microcode update
    Customers desiring performance improvement will need to ask their HW vendor for CPU microcode update
    in order to use the mitigation implemented in the microcode.
    
    Note about virtualization
    CVE-2018-3646 is the CVE identifier assigned to the virtualization escape aspect of the
    flaw. In virtualized environment, there are more steps to mitigate the issue, including:
    * Host needs to have updated kernel and CPU microcode
    * Host needs to have updated virtualization software
    * Guest needs to have updated kernel
    * Hypervisor needs to propagate new CPU features correctly
    For more details about mitigations in virtualized environment see the vulnerability article.
    
    For more information about the vulnerability see:
    https://access.redhat.com/security/vulnerabilities/l1tf
    
    For more information about possible performance impact see:
    https://access.redhat.com/security/vulnerabilities/l1tf-perf


    L1TF - L1 Terminal Fault Attack CVE-2018-3620 & CVE-2018-3646 Information



    More info
    Indeed a hot mess.. if there's any reason to force me off Cloud VPS onto bare metal dedicated hosting, this would probably be it.

     
    Last edited: Aug 17, 2018
  2. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    From Impact tab L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 - Red Hat Customer Portal

    Kernel fix has a performance impact for VPS it seems and may even need disabling hyperthreading !!!!
    From Performance considerations for L1 Terminal Fault - Red Hat Customer Portal

    Dam disabling Intel Hyperthreading would be huge impact on performance a Xeon E3-12xx with 4 core + 4 HT threads = 8 cpu threads would be reduced to just 4 cores/4 threads !
     
    Last edited: Aug 16, 2018
  3. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Foreshadow Flaw Targets Intel SGX and Virtual Machines

     
  4. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Tweet from CentOS Karanbir Singh on Twitter

     
  5. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Understanding L1 Terminal Fault aka Foreshadow: What you need to know



    and A deeper look at L1 Terminal Fault aka Foreshadow

     
    Last edited: Aug 16, 2018
  6. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    DigitalOcean twitter response DigitalOcean on Twitter

    Blog A Message about Intel’s L1TF Security Vulnerability

     
  7. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    AWS already has implemented its own protections at host level it seems. But at guest level you'd still need to do updates L1 Terminal Fault Speculative Execution Issue

     
  8. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Foreshadow: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution

     
  9. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    AMD EPYC not vulnerable AMD Processor Security | AMD

     
  10. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Early benchmark numbers for performance impact for L1TF fixes An Early Look At The L1 Terminal Fault "L1TF" Performance Impact On Virtual Machines - Phoronix

    upload_2018-8-16_10-7-4.png

    upload_2018-8-16_10-7-32.png

    upload_2018-8-16_10-8-10.png
     
  11. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Google Cloud's host infrastructure has deployed mitigations for L1TF but guest OS side still needs taking care of Protecting against the new “L1TF” speculative vulnerabilities | Google Cloud Blog

    and Product Status: L1 Terminal Fault - Google Help

     
  12. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    According to Oracle and Intel a single standalone mitigation method isn't enough to protect you Intel Processor L1TF vulnerabilities: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
     
  13. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Linode forum has an L1TF security fix update with blog post to follow soon How is Linode handling L1TF/Foreshadow? | Linode Questions. However, there suggestion to update kernels isn't enough according to Intel here. Seems Linode has also fixed their custom kernel 4.1* issues as I tried and it worked, rebooted Linode VPS and showed the correct networking so that's good news :)

    You can check kernel version via uname -r command i.e. on Linode after reboot
    Code (Text):
    uname -r
    4.17.15-x86_64-linode115
    

    Note newer Linode VPS might had defaulted to distro provided Linux Kernels due to previous custom kernel 4.1* issues.

    Blog post is up Intel’s L1TF CPU Vulnerabilities & Linode

     
    Last edited: Aug 17, 2018
  14. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Once you have updated your Linux Kernels as per 1st post instructions (only applies to non-OpenVZ systems like Xen/KVM/dedicated) and have rebooted server, you will have access to /sys system level verification of type of Spectre/Meltdown class Kernel fixes that are in place on your server - including L1TF via
    /sys/devices/system/cpu/vulnerabilities/l1tf. Which you can see via cat command the contents of
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Code (Text):
    cat /sys/devices/system/cpu/vulnerabilities/l1tf
    

    There are others for meltdown, spectre v1/v2 and speculative store bypass too. Note Speculative store bypass security fix is disabled by default as vulnerability requires local user access first and lets end users determine if their usage scenarios require the fix to be enabled as it has up to 8% performance impact when enabled.
    Code (Text):
    ls -lah /sys/devices/system/cpu/vulnerabilities/
    total 0
    drwxr-xr-x 2 root root    0 Aug 17 00:26 .
    drwxr-xr-x 9 root root    0 Aug 17 00:26 ..
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 l1tf
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 meltdown
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 spec_store_bypass
    -r--r--r-- 1 root root 4.0K Aug 17 00:26 spectre_v1
    

    On updated Linux Kernel systems you can use this command to use cat command to spit out the contents of each of these files located in /sys/devices/system/cpu/vulnerabilities/
    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    

    Below are example outputs from this command for updated Linode custom kernel, CentOS 7 and 6 default distro provided kernels.

    Linode


    Code (Text):
    uname -r
    4.17.15-x86_64-linode115
    

    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full generic retpoline
    
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Mitigation: PTE Inversion
    
    /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    Vulnerable
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: __user pointer sanitization
    
    /sys/devices/system/cpu/vulnerabilities/meltdown
    Mitigation: PTI
    

    CentOS 7


    Code (Text):
    uname -r
    3.10.0-862.11.6.el7.x86_64
    

    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Mitigation: PTE Inversion
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: Load fences, __user pointer sanitization
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Vulnerable: Retpoline without IBPB
    
    /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    Vulnerable
    
    /sys/devices/system/cpu/vulnerabilities/meltdown
    Mitigation: PTI
    

    CentOS 6


    Code (Text):
    uname -r
    2.6.32-754.3.5.el6.x86_64
    

    Code (Text):
    find /sys/devices/system/cpu/vulnerabilities/ -mindepth 1 -type f | while read f; do echo -e "\n$f"; cat $f; done
    
    /sys/devices/system/cpu/vulnerabilities/meltdown
    Mitigation: PTI
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v1
    Mitigation: Load fences
    
    /sys/devices/system/cpu/vulnerabilities/spectre_v2
    Mitigation: Full retpoline
    
    /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    Vulnerable
    
    /sys/devices/system/cpu/vulnerabilities/l1tf
    Mitigation: PTE Inversion
    

    For OpenVZ VPS systems, they use Host node level Kernel so your web host needs to update host node level Kernel as you have no control over updating Kernels.
     
  15. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    L1TF detection script from L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 - Red Hat Customer Portal. Actual script https://access.redhat.com/sites/default/files/cve-2018-3620--2018-08-14-1255.sh

    On L1TF vulnerable system
    Code (Text):
    ./cve-2018-3620--2018-08-14-1255.sh
    
    CVE-2018-3620 Detection Script Ver. 1.2
    This script is primarily designed to detect CVE-2018-3620 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    CPU vendor: Intel
    Running kernel: 3.10.0-862.3.3.el7.x86_64
    Virtualization: None
    SMT status: On
    
    This system is vulnerable for the following reasons:
    * Kernel is not updated
    * Mitigation is not active
    
    Red Hat recommends that you:
    * Update your kernel and reboot the system.
    * Optionally ask your HW vendor for CPU microcode update if available.
    
    Note about microcode update
    Customers desiring performance improvement will need to ask their HW vendor for CPU microcode update
    in order to use the mitigation implemented in the microcode.
    
    Note about Hyper-Threading (SMT)
    Customers desiring to completely mitigate this issue will need to consider disabling SMT.
    For details how to disable SMT see:
    https://access.redhat.com/solutions/352663
    
    For more information about the vulnerability see:
    https://access.redhat.com/security/vulnerabilities/l1tf
    
    For more information about possible performance impact see:
    https://access.redhat.com/security/vulnerabilities/l1tf-perf


    On L1TF Kernel updated + rebooted system
    Code (Text):
    ./cve-2018-3620--2018-08-14-1255.sh
    
    CVE-2018-3620 Detection Script Ver. 1.2
    This script is primarily designed to detect CVE-2018-3620 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    CPU vendor: Intel
    Running kernel: 3.10.0-862.11.6.el7.x86_64
    Virtualization: kvm
    SMT status: Off
    Mitigation: Mitigation: PTE Inversion
    
    This system is not vulnerable, because it has correct mitigation applied.
    
    Note about microcode update
    Customers desiring performance improvement will need to ask their HW vendor for CPU microcode update
    in order to use the mitigation implemented in the microcode.
    
    Note about virtualization
    CVE-2018-3646 is the CVE identifier assigned to the virtualization escape aspect of the
    flaw. In virtualized environment, there are more steps to mitigate the issue, including:
    * Host needs to have updated kernel and CPU microcode
    * Host needs to have updated virtualization software
    * Guest needs to have updated kernel
    * Hypervisor needs to propagate new CPU features correctly
    For more details about mitigations in virtualized environment see the vulnerability article.
    
    For more information about the vulnerability see:
    https://access.redhat.com/security/vulnerabilities/l1tf
    
    For more information about possible performance impact see:
    https://access.redhat.com/security/vulnerabilities/l1tf-perf
     
  16. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More info at L1TF - L1 Terminal Fault — The Linux Kernel documentation

    and L1TF - L1 Terminal Fault — The Linux Kernel documentation
     
    Last edited: Aug 18, 2018
  17. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yup less performance with Intel Xeon Scalable cpus and L1TF mitigation fixes in place! The Performance Hit For A Xeon-Backed Ubuntu Linux VM With L1TF / Foreshadow Patches - Phoronix

    upload_2018-8-21_3-31-38.png

    upload_2018-8-21_3-32-16.png

    upload_2018-8-21_3-33-8.png

    upload_2018-8-21_3-34-9.png

    Wow Apache took a much bigger hit in performance with L1TF fixes in place than Nginx did !

    upload_2018-8-21_3-34-38.png

    upload_2018-8-21_3-35-28.png

    upload_2018-8-21_3-36-16.png
     
  18. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    From Protecting Our Customers through the Lifecycle of Security Threats | Intel Newsroom - Intel hardware level (not software) protections aren't due until next generation Intel Xeon Scalable Cascade Lake
     
  19. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Intel Publishes L1TF and Foreshadow Performance Impacts

    upload_2018-8-21_8-27-30.png
    Hmm suggestion for some VPS providers turning of hyperthreading is needed !
     
  20. eva2000

    eva2000 Administrator Staff Member

    54,363
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:24 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Depends on what you're using bare metal dedicated has less of impact. I would get kernel updated as per 1st post of this thread and server rebooted. There isn't a full fix as yet as current full fix at VPS provider level would mean disabling Hyperthreading which would cut number of cpu threads in half for Intel based servers and I don't think any VPS provider would do that. Or need to find a VPS provider with AMD EPYC cpus instead of Intel cpus.