Spectre & Meltdown

Spectre and Meltdown are the names coined for a family of vulnerabilities that stem from design flaws (or backdoors) within the CPU architecture. They affect Linux and Windows alike, and pretty much everything else. Unfortunately, there is no fix on a microcode level, so the fix will be implemented within the code of the operating system. The disclosures are MITRE CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754. A proper explanation from actually smart people can be found here: https://spectreattack.com/

Since the initial “OMG Intel” and “OMG Linux” reactions, the implications are essentially to expect a slowdown in performance, and that this now involves AMD and ARM. As such, the reach of this now extends down into the likes of your phone, router, wireless APs, IP phones, IoT devices, and so the list goes on… so yeah, this sucks. Happy. New. Year.

Having looked around for updates on this as of 11am Thursday 4th of Jan, the following appears to be the state of play for these OSes. Sure, there are ones missing, but these are the ones that are primarily my concern… so here is the state of play right now*.

Ubuntu
Not there yet.
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

CentOS
RHEL released kernel-2.6.32-696.18.7.el6.x86_64.rpm late last night; they are recompiling, debranding and testing today.
https://www.centos.org/forums/viewtopic.php?f=17&t=65591&p=275737&hilit=spectre#p275737

CloudLinux
They are in testing prior to release.
https://www.cloudlinux.com/cloudlinux-os-blog/entry/intel-cpu-bug-kernelcare-and-cloudlinux

OnApp & Xen
Based on CentOS kernel –
https://docs.onapp.com/display/RN/Meltdown+and+Spectre+CPU+Issues
Advisory –
https://onapp.com/2018/01/04/meltdown-spectre-x86-x64-architecture-bug-what-you-need-to-know/

Virtuozzo
Again based on CentOS
https://virtuozzo.com/virtuozzo-addresses-intel-bug-questions/

*This will rapidly change as the day progresses – however, as with most of my posts, this is as much an aide-mémoire and note as a public resource.

One Response to “Spectre & Meltdown”

  • [Update at 1354 GMT]

    CloudLinux has updated to say they are within 3 hours of posting that to the repository for a yum update and reboot.

    If they have turned around the RHEL source that quickly – I should imagine the CentOS community will be hot on their heels… and following that, everyone else.
