Learn about Centmin Mod LEMP Stack today
Become a Member

Security Intel Processor Flaw 'kernel memory leaking' [Spectre & Meltdown]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 3, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    More from Phoronix
    some more interesting findings
    For VM testing

    For Xeon Gold 6138 VM system looks like compilation speed only has a minor hit for apache, kernel but performance of postgresql and redis took a much bigger hit with the updated fix Kernel's with KPTI enabled. But impact wasn't as bad on Intel Xeon E3-1280v5 for cpu benchmarks - in some cases no change in performance but stuff like Redis were still impacted.
     
  2. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    A Simple Explanation of the Differences Between Meltdown and Spectre

     
  3. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    For Android users Intel, ARM and AMD processors all impacted by new Meltdown and Spectre exploits, Google issuing patches

    hmm January 2017 patch for Android seems long away for my devices. My Samsung Galaxy S7 with Android 7.0 via official OTA is still on October 2017 patch and my Samsung Galaxy Tab S 8.4 was only recently flashed to LineageOS 14 with Android 7.1.2 with November 2017 patch.
     
  4. Matt

    Matt Moderator Staff Member

    756
    341
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +507
    Local Time:
    4:05 AM
    1.7.1
    MariaDB 10
    Thanks for all these updates @eva2000 (y)
     
    • Like Like x 2
  5. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    Firefox Mitigations landing for new class of timing attack
    Yeah trying to keep on top of the developments as they come as they can have far reaching consequences for us all whether it's web servers, desktop or mobile/tablet devices etc and on IoT ?. :eek:
     
    • Like Like x 1
  6. Matt

    Matt Moderator Staff Member

    756
    341
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +507
    Local Time:
    4:05 AM
    1.7.1
    MariaDB 10
    Upcloud notification on the situation
     
    • Like Like x 1
    • Informative Informative x 1
  7. pamamolf

    pamamolf Well-Known Member

    3,099
    294
    83
    May 31, 2014
    Ratings:
    +527
    Local Time:
    6:05 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    But from my understanding that's not a remote code execution so a user must have access to the server to be able to perform such attacks correct?
     
  8. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    Yes but in context of Virtualization a VPS node (server that is divided into many VPS) contains many VPS guest servers (users) so KVM VPS can potentially breach the VPS node itself and other VPS on server I think.
     
    • Agree Agree x 1
  9. Revenge

    Revenge Active Member

    393
    84
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +295
    Local Time:
    4:05 AM
    1.9.x
    10.1.x
    • Informative Informative x 1
  10. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    More drastic resolution suggested = replace cpus hehe

    Vulnerability Note VU#584653 - CPU hardware vulnerable to side-channel attacks

     
  11. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
  12. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    More Kernel patches/updates to come (Retpoline) to combat Spectre attacks which further reduce and impact performance More Linux Kernel & GCC Patches Come Out In The Wake Of Spectre+Meltdown - Phoronix
     
  13. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    Apparently Google discovered the flaws last year and there was a planned news announcement on Jan 9th, 2018 but it was leaked earlier than planned Google’s Project Zero team discovered critical CPU flaw last year
     
  14. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    some database performance impact for Kernel KPTI updates with Intel PCID based cpus Andrew Hutchings on Twitter
    maybe referring to the PostgreSQL benchmarks done already ?
     
  15. bassie

    bassie Active Member

    835
    192
    43
    Apr 29, 2016
    Ratings:
    +587
    Local Time:
    5:05 AM
  16. pamamolf

    pamamolf Well-Known Member

    3,099
    294
    83
    May 31, 2014
    Ratings:
    +527
    Local Time:
    6:05 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    If there is no way to remote code execution (for example using a replay attack so the site will try to exute that code) then the biggest issue for shared hosting or for setups with different users if i got it right :)
     
  17. eva2000

    eva2000 Administrator Staff Member

    34,276
    7,586
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,668
    Local Time:
    1:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    first of kernel related yum updates is out now for CentOS 7 at least
    Code (Text):
    yum list updates -q | tr -s ' '
    Updated Packages
    kernel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-devel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-headers.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools-libs.x86_64 3.10.0-693.11.6.el7 updates
    linux-firmware.noarch 20170606-57.gitc990aae.el7 updates
    microcode_ctl.x86_64 2:2.1-22.2.el7 updates
    python-perf.x86_64 3.10.0-693.11.6.el7 updates
    

    to update
    Code (Text):
    yum -y update
    

    remember to reboot server after kernel update
    Code (Text):
    uname -r
    3.10.0-693.11.6.el7.x86_64
    
     
    • Informative Informative x 2
  18. Matt

    Matt Moderator Staff Member

    756
    341
    63
    May 25, 2014
    Sheffield, UK
    Ratings:
    +507
    Local Time:
    4:05 AM
    1.7.1
    MariaDB 10
    One of my Upcloud servers is also reporting the updated IWL packages
    Code:
    [[email protected] ~]# yum list updates -q | tr -s ' '
    Updated Packages
    iwl100-firmware.noarch 39.31.5.1-57.el7 updates
    iwl1000-firmware.noarch 1:39.31.5.1-57.el7 updates
    iwl105-firmware.noarch 18.168.6.1-57.el7 updates
    iwl135-firmware.noarch 18.168.6.1-57.el7 updates
    iwl2000-firmware.noarch 18.168.6.1-57.el7 updates
    iwl2030-firmware.noarch 18.168.6.1-57.el7 updates
    iwl3160-firmware.noarch 22.0.7.0-57.el7 updates
    iwl3945-firmware.noarch 15.32.2.9-57.el7 updates
    iwl4965-firmware.noarch 228.61.2.24-57.el7 updates
    iwl5000-firmware.noarch 8.83.5.1_1-57.el7 updates
    iwl5150-firmware.noarch 8.24.2.2-57.el7 updates
    iwl6000-firmware.noarch 9.221.4.1-57.el7 updates
    iwl6000g2a-firmware.noarch 17.168.5.3-57.el7 updates
    iwl6000g2b-firmware.noarch 17.168.5.2-57.el7 updates
    iwl6050-firmware.noarch 41.28.5.1-57.el7 updates
    iwl7260-firmware.noarch 22.0.7.0-57.el7 updates
    kernel.x86_64 3.10.0-693.11.6.el7 updates
    kernel-headers.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools.x86_64 3.10.0-693.11.6.el7 updates
    kernel-tools-libs.x86_64 3.10.0-693.11.6.el7 updates
    linux-firmware.noarch 20170606-57.gitc990aae.el7 updates
    microcode_ctl.x86_64 2:2.1-22.2.el7 updates
    python-perf.x86_64 3.10.0-693.11.6.el7 updates
    
    Kernel/Firmware/Microcode Updates for CentOS 7
     
    • Informative Informative x 1
  19. bassie

    bassie Active Member

    835
    192
    43
    Apr 29, 2016
    Ratings:
    +587
    Local Time:
    5:05 AM
    Jup Red Hat is one of the first.
    Seems as Red Hat added some extra code (outside upstream) to prevent Spektre attacks.

     
    • Informative Informative x 1
  20. RoldanLT

    RoldanLT Premium Member Premium Member

    4,184
    1,013
    113
    May 25, 2014
    Phillipines
    Ratings:
    +1,435
    Local Time:
    11:05 AM
    1.11
    10.2
    Updated my servers.
    OVH NVMe based server takes 4 minutes to reboot.
    SYS server takes 2 minutes to reboot.
     
..