Want more timely Centmin Mod News Updates?
Become a Member

Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More from Phoronix
    some more interesting findings
    For VM testing

    For Xeon Gold 6138 VM system looks like compilation speed only has a minor hit for apache, kernel but performance of postgresql and redis took a much bigger hit with the updated fix Kernel's with KPTI enabled. But impact wasn't as bad on Intel Xeon E3-1280v5 for cpu benchmarks - in some cases no change in performance but stuff like Redis were still impacted.

     
  2. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    A Simple Explanation of the Differences Between Meltdown and Spectre

     
  3. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    For Android users Intel, ARM and AMD processors all impacted by new Meltdown and Spectre exploits, Google issuing patches

    hmm January 2017 patch for Android seems long away for my devices. My Samsung Galaxy S7 with Android 7.0 via official OTA is still on October 2017 patch and my Samsung Galaxy Tab S 8.4 was only recently flashed to LineageOS 14 with Android 7.1.2 with November 2017 patch.
     
  4. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    12:50 AM
    1.5.15
    MariaDB 10.2
    Thanks for all these updates @eva2000 (y)
     
  5. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Firefox Mitigations landing for new class of timing attack
    Yeah trying to keep on top of the developments as they come as they can have far reaching consequences for us all whether it's web servers, desktop or mobile/tablet devices etc and on IoT ?. :eek:
     
  6. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    12:50 AM
    1.5.15
    MariaDB 10.2
    Upcloud notification on the situation
     
  7. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    2:50 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    But from my understanding that's not a remote code execution so a user must have access to the server to be able to perform such attacks correct?
     
  8. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Yes but in context of Virtualization a VPS node (server that is divided into many VPS) contains many VPS guest servers (users) so KVM VPS can potentially breach the VPS node itself and other VPS on server I think.
     
  9. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    12:50 AM
    1.9.x
    10.1.x
  10. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More drastic resolution suggested = replace cpus hehe

    Vulnerability Note VU#584653 - CPU hardware vulnerable to side-channel attacks

     
  11. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  12. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    More Kernel patches/updates to come (Retpoline) to combat Spectre attacks which further reduce and impact performance More Linux Kernel & GCC Patches Come Out In The Wake Of Spectre+Meltdown - Phoronix
     
  13. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Apparently Google discovered the flaws last year and there was a planned news announcement on Jan 9th, 2018 but it was leaked earlier than planned Google’s Project Zero team discovered critical CPU flaw last year
     
  14. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    some database performance impact for Kernel KPTI updates with Intel PCID based cpus Andrew Hutchings on Twitter
    maybe referring to the PostgreSQL benchmarks done already ?
     
  15. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    1:50 AM
  16. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    2:50 AM
    Nginx-1.25.x
    MariaDB 10.3.x
    If there is no way to remote code execution (for example using a replay attack so the site will try to exute that code) then the biggest issue for shared hosting or for setups with different users if i got it right :)
     
  17. eva2000

    eva2000 Administrator Staff Member

    54,527
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    10:50 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    first of kernel related yum updates is out now for CentOS 7 at least
    Code (Text):
    yum list updates -q | tr -s ' '
    Updated Packages
    kernel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-devel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-headers.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools-libs.x86_64 3.10.0-693.11.6.el7 updates
    linux-firmware.noarch 20170606-57.gitc990aae.el7 updates
    microcode_ctl.x86_64 2:2.1-22.2.el7 updates
    python-perf.x86_64 3.10.0-693.11.6.el7 updates
    

    to update
    Code (Text):
    yum -y update
    

    remember to reboot server after kernel update
    Code (Text):
    uname -r
    3.10.0-693.11.6.el7.x86_64
    
     
  18. Matt

    Matt Well-Known Member

    932
    415
    63
    May 25, 2014
    Rotherham, UK
    Ratings:
    +671
    Local Time:
    12:50 AM
    1.5.15
    MariaDB 10.2
    One of my Upcloud servers is also reporting the updated IWL packages
    Code:
    [root@host ~]# yum list updates -q | tr -s ' '
    Updated Packages
    iwl100-firmware.noarch 39.31.5.1-57.el7 updates
    iwl1000-firmware.noarch 1:39.31.5.1-57.el7 updates
    iwl105-firmware.noarch 18.168.6.1-57.el7 updates
    iwl135-firmware.noarch 18.168.6.1-57.el7 updates
    iwl2000-firmware.noarch 18.168.6.1-57.el7 updates
    iwl2030-firmware.noarch 18.168.6.1-57.el7 updates
    iwl3160-firmware.noarch 22.0.7.0-57.el7 updates
    iwl3945-firmware.noarch 15.32.2.9-57.el7 updates
    iwl4965-firmware.noarch 228.61.2.24-57.el7 updates
    iwl5000-firmware.noarch 8.83.5.1_1-57.el7 updates
    iwl5150-firmware.noarch 8.24.2.2-57.el7 updates
    iwl6000-firmware.noarch 9.221.4.1-57.el7 updates
    iwl6000g2a-firmware.noarch 17.168.5.3-57.el7 updates
    iwl6000g2b-firmware.noarch 17.168.5.2-57.el7 updates
    iwl6050-firmware.noarch 41.28.5.1-57.el7 updates
    iwl7260-firmware.noarch 22.0.7.0-57.el7 updates
    kernel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-headers.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools-libs.x86_64 3.10.0-693.11.6.el7 updates
    linux-firmware.noarch 20170606-57.gitc990aae.el7 updates
    microcode_ctl.x86_64 2:2.1-22.2.el7 updates
    python-perf.x86_64 3.10.0-693.11.6.el7 updates
    
    Kernel/Firmware/Microcode Updates for CentOS 7
     
  19. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    1:50 AM
    Jup Red Hat is one of the first.
    Seems as Red Hat added some extra code (outside upstream) to prevent Spektre attacks.

     
  20. rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    8:50 AM
    Mainline
    10.2
    Updated my servers.
    OVH NVMe based server takes 4 minutes to reboot.
    SYS server takes 2 minutes to reboot.