Welcome to Centmin Mod Community
Register Now

Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Meltdown & Spectre: Analyzing Performance Impacts on Intel's NUC7i7BNH

     
  2. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  3. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Bad Microsoft Meltdown Patch Made Some Windows Systems Less Secure

     
  4. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    More Windows Server vs. Linux Benchmark Tests With Spectre/Meltdown Mitigations - Phoronix

     
  5. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    As some folks have guessed, some Intel cpus can not be fixed for Spectre v2 vulnerability and some cpus Intel won't be fixing for Meltdown either Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed

    upload_2018-4-4_16-8-8.png
    upload_2018-4-4_16-8-43.png
    upload_2018-4-4_16-9-19.png
    upload_2018-4-4_16-9-38.png
     
  6. bassie

    bassie Active Member

    905
    216
    43
    Apr 29, 2016
    Ratings:
    +639
    Local Time:
    3:59 AM
    In short, customer. F*** you.
    Providing a solution is always possible.
    Hiding behind the fact that there is no more 'release ecosystem cycle support' or that customers didn't submit feedback.
    Is a badly conceived reason.
     
  7. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Well AMD's turn for patch releases AMD Rolls Out Spectre Fixes for cpus only dating back to 2011

     
  8. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Microsoft Issues More Spectre Updates For Intel CPUs

     
  9. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    wow a possible 8 new Spectre bugs found in Intel cpus r/Amd - Eight new Spectre Bugs found in Intel CPU's :eek: They're testing if AMD cpus are vulnerable or not. They're naming them Spectre Next Generation / Spectre-NG.
     
  10. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yup 8 new Spectre-NG vulnerabilities
    Eight new Spectre Variant Vulnerabilities for Intel Discovered - four of them critical
    hmm VPS servers would thus be vulnerable !
     
  11. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Are us shared/VPS cloud hosting users screwed ? Intel Has to Delay Patches for new Spectre-NG Vulnerabilities

     
  12. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Second wave of Spectre-like CPU security flaws won't be fixed for a while

    Looks like we may see more Spectre like vulnerabilities found as security researchers are now focusing on looking for them !
     
  13. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    AMD EPYC cpus might not be affected by new class of Spectre security vulnerabilities called Spectre-NG AMD is reportedly unaffected by Spectre NG - Great news for EPYC

     
  14. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    wow this is never ending Microsoft, Google: We've found a fourth variant of Meltdown-Spectre CPU holes ! Red Hat has published an extensive rundown of the bug, here. Fix needs both kernel update and microcode/bios updates and a system power off/restart.

    CVE-2018-3639 - Red Hat Customer Portal

    Kernel Side-Channel Attack using Speculative Store Bypass - CVE-2018-3639 - Red Hat Customer Portal

    Fix needs both kernel update and microcode/bios updates and a system power off/restart.
    Intel has outlined Spectre variant 4 and 3a on their site at INTEL-SA-00115

    OVH's response OVH - Spectre Variant 4 and 3a disclosure - OVH Blog

     
  15. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Researchers disclose new Spectre exploit variant, but Intel and AMD leave mitigation off by default

     
  16. bassie

    bassie Active Member

    905
    216
    43
    Apr 29, 2016
    Ratings:
    +639
    Local Time:
    3:59 AM
    Already been fixed at the latest EL 6 and EL 7 kernel.

    Example:

     
    • Informative Informative x 1
  17. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Ah i just got a kernel update too on CentOS 7 for kernel-3.10.0-862.3.2.el7. So folks need to do a server reboot after kernel update ;) But these fixes are disabled by default !
    Code (Text):
    rpm -q --changelog kernel-3.10.0-862.3.2.el7 | head -n25
    * Mon May 21 2018 CentOS Sources <[email protected]> - 3.10.0-862.3.2.el7
    - Apply debranding changes
    
    * Tue May 15 2018 Rado Vrbovsky <[email protected]> [3.10.0-862.3.2.el7]
    - [x86] spec_ctrl: Fix late microcode problem with AMD (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] entry: Add missing "$" in IBRS macros (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] spec_ctrl: Clean up entry code & remove unused APIs (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] spec_ctrl: Mask off SPEC_CTRL MSR bits that are managed by kernel (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] spec_ctrl: add support for SSBD to RHEL IBRS entry/exit macros (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [fs] proc: Use CamelCase for SSBD (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] bugs: Rename _RDS to _SSBD (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [kernel] seccomp: Enable speculation flaw mitigations (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [fs] proc: Provide details on speculation flaw mitigations (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] nospec: Allow getting/setting on non-current task (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] speculation: Add prctl for Speculative Store Bypass mitigation (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] process: Allow runtime control of Speculative Store Bypass (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [uapi] prctl: Add speculation control prctls (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] kvm/vmx: Expose SPEC_CTRL Bit(2) to the guest (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] bugs/amd: Add support to disable RDS on Fam[15, 16, 17]h if requested (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] spec_ctrl: Sync up RDS setting with IBRS code (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] bugs: Provide boot parameters for the spec_store_bypass_disable mitigation (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] bugs: Expose /sys/../spec_store_bypass (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] bugs: Read SPEC_CTRL MSR during boot and re-use (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] spec_ctrl: Use separate PCP variables for IBRS entry and exit (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    - [x86] cpufeatures: Make CPU bugs sticky (Waiman Long) [1566904 1566905] {CVE-2018-3639}
    
     
  18. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    But as per Red Hat Customer Portal kernel update is not enough, microcode / bios updates needed too

     
  19. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Linux 4.9, 4.14, 4.16 Point Releases Bring SSBD For Spectre V4 - Phoronix

    Spectre Variants 3A & 4 Exposed As Latest Speculative Execution Vulnerabilities - Phoronix

    And benchmarks An Initial Look At Spectre V4 "Speculative Store Bypass" With AMD On Linux - Phoronix

    Benchmarks on the Ryzen 7 2700X, Ryzen 3 2200G, and EPYC 7601 when using a Linux 4.17 Git kernel look good with no real performance impact. Will need to see how Intel fairs after their bios/microcode updates
     
  20. eva2000

    eva2000 Administrator Staff Member

    35,618
    7,844
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,092
    Local Time:
    11:59 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Linode response to Spectre 3a and 4 variants Spectre Variants 3a and 4 (Spectre-NG) and Linode: What you need to know

     
..