Hetzner - DokuWiki

CPU vulnerabilities based on Spectre and Meltdown/en
Line 1: Line 1:
{{Languages|Spectre_and_Meltdown}}
+
{{Languages|CPU_vulnerabilities_based_on_Spectre_and_Meltdown}}
  
 
==Information about the vulnerabilities==
 
==Information about the vulnerabilities==
Line 51: Line 51:
 
* https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
 
* https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
 
* https://www.amd.com/en/corporate/security-updates
 
* https://www.amd.com/en/corporate/security-updates
 +
 +
===Microarchitectural Data Sampling (MDS) / ZombieLoad===
 +
 +
On May 14th, 2019, additional vulnerabilities were published, which are using speculative execution side-channel attacks to maliciously access data stored in buffers on a vulnerable system.
 +
 +
* Microarchitectural Store Buffer Data Sampling (MSBDS) ([https://security-tracker.debian.org/tracker/CVE-2018-12126 CVE-2018-12126])
 +
* Microarchitectural Load Port Data Samping (MLPDS) ([https://security-tracker.debian.org/tracker/CVE-2018-12127 CVE-2018-12127])
 +
* Microarchitectural Fill Buffer Data Sampling (MFBDS) ([https://security-tracker.debian.org/tracker/CVE-2018-12130 CVE-2018-12130])
 +
* Microarchitectural Data Sampling Uncacheable Memory (MDSUM) ([https://security-tracker.debian.org/tracker/CVE-2019-11091 CVE-2019-11091])
 +
 +
Those vulnerabilities are now known as:
 +
 +
* [https://zombieloadattack.com/ ZombieLoad Attack]
 +
 +
For further information on this topic, please check the following resources:
 +
 +
* https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
 +
** https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling
 +
** https://software.intel.com/security-software-guidance/insights/deep-dive-cpuid-enumeration-and-architectural-msrs#MDS-CPUID
 +
* https://www.amd.com/en/corporate/product-security
 +
** * https://www.amd.com/system/files/documents/security-whitepaper.pdf
 +
 +
Additionally to installing the latest Linux kernel and Microcode updates it is necessary to disable Intel® Hyper-Threading Technology to fully mitigate these vulnerabilities, as the post in the [https://blog.ubuntu.com/2019/05/14/ubuntu-updates-to-mitigate-new-microarchitectural-data-sampling-mds-vulnerabilities Ubuntu Blog] points out:
 +
<blockquote>Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.<br/><br/>The use of Symmetric Multi-Threading (SMT) – also known as Hyper-Threading – further complicates these issues since these buffers are shared between sibling Hyper-Threads. '''Therefore, the above changes are not sufficient to mitigate these vulnerabilities when SMT is enabled. As such, the use of SMT is not recommended when untrusted code or applications are being executed.'''<br/></blockquote>
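Review bot: the MLPDS bullet reads "Microarchitectural Load Port Data Samping", a typo for "Sampling", and the AMD whitepaper sub-item is marked "** *" where its sibling sub-items use "**", which renders as a stray bullet inside the list. The sentence introducing the Ubuntu quote is consistent with the quoted text (the kernel and microcode updates are "not sufficient" while SMT is enabled), but it would help operators of single-tenant hosts to carry over the quote's condition as well, "when untrusted code or applications are being executed", since that is the case in which SMT has to go.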
  
 
==Affected Products==
 
==Affected Products==
We are still in the process of determining all of our affected products. So far, we have been able to confirm that the following products are affected:
 
  
 
===Current Generation===
 
===Current Generation===
 
====AX-Line====
 
====AX-Line====
* affected by Variant 1, 2 & 4:
+
* only affected by Variant 1, 2 & 4:
** AX50-SSD
+
 
** AX60-SSD
 
** AX60-SSD
 +
** AX100
 
** AX160-NVMe
 
** AX160-NVMe
 
** AX160-SSD
 
** AX160-SSD
  
 
====EX-Line====
 
====EX-Line====
* EX41
+
* EX42
* EX41-SSD
+
* EX42-NVMe
* EX41S
+
* EX41S-SSD
+
* EX51
+
* EX51-SSD
+
 
* EX51-SSD-GPU
 
* EX51-SSD-GPU
* EX61
+
* EX52
* EX61-NVMe
+
* EX52-NVMe
 +
* EX62
 +
* EX62-NVMe
  
 
====PX-Line====
 
====PX-Line====
Line 78: Line 99:
 
* PX61-SSD
 
* PX61-SSD
 
* PX61-NVMe
 
* PX61-NVMe
 +
* PX62
 +
* PX62-NVMe
 
* PX92
 
* PX92
  
Line 84: Line 107:
  
 
* DX152 (R640)
 
* DX152 (R640)
 +
* DX180 (R6415) - only affected by Variant 1, 2 & 4
 
* DX292 (R640)
 
* DX292 (R640)
  
 
====SX-Line====
 
====SX-Line====
* SX61
+
* SX62
* SX131
+
* SX132
* SX291
+
* SX292
  
 
====Managed Servers====
 
====Managed Servers====
* MX90
+
* MX92
* MX90-SSD
+
* MX92-SSD
* MX121
+
* MX122-SSD
* MX120-SSD
+
* MX152-SSD
* MX151-SSD
+
  
 
====Previous Generations====
 
====Previous Generations====
Line 102: Line 125:
 
* AX20 (Cortex A15 + A7)
 
* AX20 (Cortex A15 + A7)
 
* AX30 (Cortex A15 + A7)
 
* AX30 (Cortex A15 + A7)
 +
* AX50-SSD - only affected by Variant 1, 2 & 4
 
* DX141 (Dell R530)
 
* DX141 (Dell R530)
 
* DX150 (Dell R720)
 
* DX150 (Dell R720)
Line 123: Line 147:
 
* EX40-SSD
 
* EX40-SSD
 
* EX40-Hybrid
 
* EX40-Hybrid
 +
* EX41
 +
* EX41-SSD
 +
* EX41S
 +
* EX41S-SSD
 +
* EX51
 +
* EX51-SSD
 
* EX60
 
* EX60
 +
* EX61
 +
* EX61-NVMe
 
* MQ7
 
* MQ7
 
* MQ9
 
* MQ9
 
* MQ10
 
* MQ10
 +
* MX90
 +
* MX90-SSD
 
* MX120
 
* MX120
 +
* MX120-SSD
 +
* MX121
 
* MX150-SSD
 
* MX150-SSD
 
* MX151
 
* MX151
 +
* MX151-SSD
 
* PX60
 
* PX60
 
* PX60-SSD
 
* PX60-SSD
Line 144: Line 181:
 
* PX121-SSD
 
* PX121-SSD
 
* SX60
 
* SX60
 +
* SX61
 
* SX130
 
* SX130
 +
* SX131
 
* SX290
 
* SX290
 +
* SX291
 
* XS13
 
* XS13
 
* XS29
 
* XS29
 
===Under Review===
 
The following products are still under review and may be added to the affected list if new information regarding the used CPUs of these models are published:
 
 
* DS3000
 
* DS5000
 
* DS7000
 
* DS8000
 
* DS9000
 
  
 
==Update / Upgrade Path==
 
==Update / Upgrade Path==
Line 170: Line 201:
 
===Software / Operating System===
 
===Software / Operating System===
 
Information about upcoming patches for all of our supported operating systems can be found in their specific bug tracker:
 
Information about upcoming patches for all of our supported operating systems can be found in their specific bug tracker:
 
  
 
====Debian====
 
====Debian====
 +
'''Announcement''':
 +
* https://www.debian.org/security/2019/dsa-4444
 +
 
* Security Advisory
 
* Security Advisory
** https://security-tracker.debian.org/tracker/CVE-2017-5715
+
** https://security-tracker.debian.org/tracker/CVE-2018-12126
** https://security-tracker.debian.org/tracker/CVE-2017-5753
+
** https://security-tracker.debian.org/tracker/CVE-2018-12127
** https://security-tracker.debian.org/tracker/CVE-2017-5754
+
** https://security-tracker.debian.org/tracker/CVE-2018-12130
** https://security-tracker.debian.org/tracker/CVE-2018-3639
+
** https://security-tracker.debian.org/tracker/CVE-2019-11091
** https://security-tracker.debian.org/tracker/CVE-2018-3640
+
** https://security-tracker.debian.org/tracker/CVE-2018-3665
+
** https://security-tracker.debian.org/tracker/CVE-2018-3615
+
** https://security-tracker.debian.org/tracker/CVE-2018-3620
+
** https://security-tracker.debian.org/tracker/CVE-2018-3646
+
  
 
* Microcode Update Packages
 
* Microcode Update Packages
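Review bot: this hunk replaces the Debian tracker links for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-3639, CVE-2018-3640, CVE-2018-3665, CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646 with the four MDS entries instead of adding to them, although the page still documents those variants (the affected-products list refers to "Variant 1, 2 & 4", and the Spectre-NG and Foreshadow sections remain). Keep the earlier links and append the MDS ones; the same substitution is made in the Ubuntu, RedHat / CentOS, Archlinux and OpenSUSE sections below.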
Line 190: Line 218:
 
====Ubuntu====
 
====Ubuntu====
 
'''Announcement''':
 
'''Announcement''':
* https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
+
* https://blog.ubuntu.com/2019/05/14/ubuntu-updates-to-mitigate-new-microarchitectural-data-sampling-mds-vulnerabilities
* https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
+
* https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
  
 
* Security Advisory
 
* Security Advisory
** https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
+
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html
** https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html
+
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html
** https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html
+
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3639.html
+
** https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11091.html
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3640.html
+
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3665.html
+
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3615.html
+
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3620.html
+
** https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-3646.html
+
  
 
* Microcode Update Packages
 
* Microcode Update Packages
Line 209: Line 232:
  
 
====RedHat / CentOS====
 
====RedHat / CentOS====
'''Announcement''': https://access.redhat.com/security/vulnerabilities/speculativeexecution
+
'''Announcement''': https://access.redhat.com/security/vulnerabilities/mds
 +
 
 
* Security Advisory
 
* Security Advisory
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5715
+
** https://access.redhat.com/security/cve/cve-2018-12126
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5753
+
** https://access.redhat.com/security/cve/cve-2018-12127
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5754
+
** https://access.redhat.com/security/cve/cve-2018-12130
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3639
+
** https://access.redhat.com/security/cve/cve-2019-11091
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3640
+
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3665
+
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3615
+
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3620
+
** https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-3646
+
  
 
====Archlinux====
 
====Archlinux====
 
* Security Advisory
 
* Security Advisory
** https://security.archlinux.org/CVE-2017-5715
+
** https://security.archlinux.org/CVE-2018-12126
** https://security.archlinux.org/CVE-2017-5753
+
** https://security.archlinux.org/CVE-2018-12127
** https://security.archlinux.org/CVE-2017-5754
+
** https://security.archlinux.org/CVE-2018-12130
** https://security.archlinux.org/CVE-2018-3639
+
** https://security.archlinux.org/CVE-2019-11091
** https://security.archlinux.org/CVE-2018-3640
+
** https://security.archlinux.org/CVE-2018-3665
+
** https://security.archlinux.org/CVE-2018-3615
+
** https://security.archlinux.org/CVE-2018-3620
+
** https://security.archlinux.org/CVE-2018-3646
+
  
 
* Microcode Update Packages
 
* Microcode Update Packages
Line 238: Line 252:
  
 
====Microsoft Windows====
 
====Microsoft Windows====
'''Announcement''': https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s
+
'''Announcement''': https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013
 
+
*  https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
+
  
 
* Security Advisory
 
* Security Advisory
** https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180002
+
** https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013
 +
** https://support.microsoft.com/en-us/help/4073757/protect-windows-devices-from-speculative-execution-side-channel-attack
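Review bot: the new Announcement line and the new Security Advisory sub-item both point to the same URL (adv190013), and the Windows Server guidance article (4072698) and ADV180002 are replaced by it rather than kept alongside it. Link the MDS advisory once and keep the earlier references, since the page still covers the Spectre and Meltdown variants those documents describe.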
  
 
===other Operating Systems===
 
===other Operating Systems===
Line 249: Line 262:
  
 
====OpenSUSE====
 
====OpenSUSE====
'''Announcement''': https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html
+
'''Announcement''': ...
 
* Security Advisory
 
* Security Advisory
** https://www.suse.com/security/cve/CVE-2017-5715/
+
** https://www.suse.com/security/cve/CVE-2018-12126/
** https://www.suse.com/security/cve/CVE-2017-5753/
+
** https://www.suse.com/security/cve/CVE-2018-12127
** https://www.suse.com/security/cve/CVE-2017-5754/
+
** https://www.suse.com/security/cve/CVE-2018-12130
** https://www.suse.com/security/cve/CVE-2018-3639/
+
** https://www.suse.com/security/cve/CVE-2019-11091
** https://www.suse.com/security/cve/CVE-2018-3640/
+
 
** https://www.suse.com/security/cve/CVE-2018-3665/
+
** https://www.suse.com/security/cve/CVE-2018-3615/
+
** https://www.suse.com/security/cve/CVE-2018-3620/
+
** https://www.suse.com/security/cve/CVE-2018-3646/
+
  
 
* Microcode Update Packages
 
* Microcode Update Packages
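Review bot: the Announcement line is replaced by a bare "..." placeholder, so the link to the January 2018 opensuse-security-announce message is dropped with nothing in its place; the VMware section below does the same with the VMSA-2018-0002 blog post. Either keep the previous link until an MDS announcement is available or drop the "Announcement" label instead of publishing a placeholder.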
Line 266: Line 275:
  
 
====VMware====
 
====VMware====
'''Announcement''': https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html
+
'''Announcement''': ...
  
 
* Security Advisory
 
* Security Advisory
** https://lists.vmware.com/pipermail/security-announce/2018/000397.html
+
** https://www.vmware.com/security/advisories/VMSA-2019-0008.html
** https://www.vmware.com/security/advisories/VMSA-2018-0020.html
+
  
 
===Webhosting/Managed Servers===
 
===Webhosting/Managed Servers===
Line 276: Line 284:
  
 
Since we manage your servers for you, you do not need to take any precautions for now.
 
Since we manage your servers for you, you do not need to take any precautions for now.
 
Update 2018-01-09: The Update for Meltdown has been applied
 
 
===Virtual Servers (VQ/VX)===
 
The host systems will be updated to fix the vulnerabilities as soon as possible. The necessary reboots will be announced on [https://www.hetzner-status.de/en.html Hetzner Status]. You may subscribe to be notified.
 
 
Since the installed operating system may still be vulnerable, you need to install the updates, which provide the fixes, as soon as possible yourself. For more information on when the OS updates will be available, please check the links above.
 
  
 
===Cloud / Virtual Servers (CX)===
 
===Cloud / Virtual Servers (CX)===

Revision as of 16 May 2019, 09:41


Information about the vulnerabilities

On January 3rd, 2018, several security vulnerabilities within the microarchitecture of most modern processors were published, which could have the following results:

Those vulnerabilities are now known as:

For further information on this topic, please check the following resources:

Spectre-NG

On May 21st, 2018, two more security vulnerabilities were published:

For further information on this topic, please check the following resources:

Foreshadow

On August 14th, 2018, additional vulnerabilities were published:

For further information on this topic, please check the following resources:

Microarchitectural Data Sampling (MDS) / ZombieLoad

On May 14th, 2019, additional vulnerabilities were published. They use speculative-execution side channels to read data left behind in internal CPU buffers (store buffer, load ports, fill buffers) on a vulnerable system:

  • Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126)
  • Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127)
  • Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130)
  • Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091)

Those vulnerabilities are now known as:

  • ZombieLoad Attack (https://zombieloadattack.com/)

For further information on this topic, please check the following resources:

  • https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
    • https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling
    • https://software.intel.com/security-software-guidance/insights/deep-dive-cpuid-enumeration-and-architectural-msrs#MDS-CPUID
  • https://www.amd.com/en/corporate/product-security
    • https://www.amd.com/system/files/documents/security-whitepaper.pdf

In addition to installing the latest Linux kernel and microcode updates, it is necessary to disable Intel® Hyper-Threading Technology (SMT) to fully mitigate these vulnerabilities, because the affected buffers are shared between sibling hyper-threads, as the post in the Ubuntu Blog points out:

Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.

The use of Symmetric Multi-Threading (SMT) – also known as Hyper-Threading – further complicates these issues since these buffers are shared between sibling Hyper-Threads. Therefore, the above changes are not sufficient to mitigate these vulnerabilities when SMT is enabled. As such, the use of SMT is not recommended when untrusted code or applications are being executed.
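Checking a host for exactly this state, as an added example that is not part of the Hetzner page: the MDS kernel patches publish their status in sysfs, and the status strings below are the ones documented in the kernel's Documentation/admin-guide/hw-vuln/mds.rst ("Vulnerable", "Vulnerable: Clear CPU buffers attempted, no microcode", "Mitigation: Clear CPU buffers", each followed by an "SMT ..." suffix). The script classifies that line as full, partial (kernel and microcode present but SMT still enabled, the case the Ubuntu quote warns about) or vulnerable, and names the missing step. The function names, the sample status lines and the temporary-directory layout are constructed for this example; mds=full,nosmt and mitigations=auto,nosmt are the kernel command-line options that shipped with the MDS patches.

```sh
#!/bin/sh
# Added example, not from the Hetzner page: read the MDS mitigation state the
# Linux kernel publishes in sysfs and say what is still missing.
# Status strings follow Documentation/admin-guide/hw-vuln/mds.rst; the sample
# lines in the comments are constructed, not captured from a real host.

# mds_verdict STATUS_LINE -> full | partial | vulnerable | unknown
#   "Not affected"                                            -> full
#   "Mitigation: Clear CPU buffers; SMT disabled"             -> full
#   "Mitigation: Clear CPU buffers; SMT mitigated"            -> full  (MSBDS-only CPUs)
#   "Mitigation: Clear CPU buffers; SMT vulnerable"           -> partial (the Ubuntu warning)
#   "Mitigation: Clear CPU buffers; SMT Host state unknown"   -> partial (inside a VM)
#   "Vulnerable: Clear CPU buffers attempted, no microcode"   -> vulnerable (old microcode)
#   "Vulnerable; SMT vulnerable"                              -> vulnerable (old kernel / mds=off)
mds_verdict() {
    case "$1" in
        "Not affected"*)                 echo full ;;
        "Mitigation: "*"SMT disabled"*)  echo full ;;
        "Mitigation: "*"SMT mitigated"*) echo full ;;
        "Mitigation: "*)                 echo partial ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# mds_advice VERDICT -> the next step for that verdict
mds_advice() {
    case "$1" in
        full)       echo "nothing to do" ;;
        partial)    echo "SMT still enabled: boot with mds=full,nosmt (or mitigations=auto,nosmt), or write 'off' to /sys/devices/system/cpu/smt/control" ;;
        vulnerable) echo "install the current kernel and intel-microcode packages, then reboot" ;;
        *)          echo "unrecognised status, inspect manually" ;;
    esac
}

# check_mds_dir [DIR] -> "VERDICT: ADVICE"; DIR defaults to the sysfs path.
# A kernel without the MDS patches has no 'mds' file at all.
check_mds_dir() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -r "$dir/mds" ]; then
        echo "unknown: no $dir/mds, kernel predates the MDS patches"
        return 1
    fi
    v=$(mds_verdict "$(cat "$dir/mds")")
    echo "$v: $(mds_advice "$v")"
}

# smt_state [FILE] -> on | off | forceoff | notsupported | unknown
smt_state() {
    f="${1:-/sys/devices/system/cpu/smt/control}"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# has_cpu_flag FLAG [CPUINFO] -> exit 0 if the flag is listed, e.g. md_clear
# (MD_CLEAR microcode) or the spec_ctrl / ibrs flags the CX section mentions.
has_cpu_flag() {
    grep -q -w -- "$1" "${2:-/proc/cpuinfo}"
}

# Report on the live host when run directly.
check_mds_dir || :
echo "smt control: $(smt_state)"
if has_cpu_flag md_clear; then echo "microcode: md_clear present"; else echo "microcode: md_clear missing"; fi
```

Run as is on a dedicated host. On a CX virtual server the kernel reports "SMT Host state unknown", because the guest cannot see whether the host has SMT disabled, so the verdict there is at best partial and the host-side mitigation is what counts; the same has_cpu_flag helper shows whether the spec_ctrl and ibrs flags mentioned under Cloud / Virtual Servers are visible after a stop/start.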

Affected Products

Current Generation

AX-Line

  • only affected by Variant 1, 2 & 4:
    • AX60-SSD
    • AX100
    • AX160-NVMe
    • AX160-SSD

EX-Line

  • EX42
  • EX42-NVMe
  • EX51-SSD-GPU
  • EX52
  • EX52-NVMe
  • EX62
  • EX62-NVMe

PX-Line

  • PX61
  • PX61-SSD
  • PX61-NVMe
  • PX62
  • PX62-NVMe
  • PX92

DX-Line

Announcement: http://www.dell.com/support/contents/us/en/04/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre?lang=de

  • DX152 (R640)
  • DX180 (R6415) - only affected by Variant 1, 2 & 4
  • DX292 (R640)

SX-Line

  • SX62
  • SX132
  • SX292

Managed Servers

  • MX92
  • MX92-SSD
  • MX122-SSD
  • MX152-SSD

Previous Generations

  • AX10 (Cortex A15 + A7)
  • AX20 (Cortex A15 + A7)
  • AX30 (Cortex A15 + A7)
  • AX50-SSD - only affected by Variant 1, 2 & 4
  • DX141 (Dell R530)
  • DX150 (Dell R720)
  • DX151 (Dell R730)
  • DX290 (Dell R720)
  • DX291 (Dell R730)
  • EQ4
  • EQ6
  • EQ8
  • EQ9
  • EQ10
  • EX4
  • EX4S
  • EX5
  • EX6
  • EX6S
  • EX8
  • EX8S
  • EX10
  • EX40
  • EX40-SSD
  • EX40-Hybrid
  • EX41
  • EX41-SSD
  • EX41S
  • EX41S-SSD
  • EX51
  • EX51-SSD
  • EX60
  • EX61
  • EX61-NVMe
  • MQ7
  • MQ9
  • MQ10
  • MX90
  • MX90-SSD
  • MX120
  • MX120-SSD
  • MX121
  • MX150-SSD
  • MX151
  • MX151-SSD
  • PX60
  • PX60-SSD
  • PX70
  • PX70-SSD
  • PX80
  • PX90
  • PX90-SSD
  • PX91
  • PX91-SSD
  • PX120
  • PX120-SSD
  • PX121
  • PX121-SSD
  • SX60
  • SX61
  • SX130
  • SX131
  • SX290
  • SX291
  • XS13
  • XS29

Update / Upgrade Path

Hardware / BIOS / Firmware

We are working with the respective manufacturers regarding firmware updates and will provide them as soon as possible.

We will keep a list of all updates which are available here:

Firmware Updates

The Microcode updates should also be available soon via the operating system updates.

Software / Operating System

Information about upcoming patches for all of our supported operating systems can be found in their specific bug tracker:

Debian

Announcement: https://www.debian.org/security/2019/dsa-4444

Ubuntu

Announcement:

  • https://blog.ubuntu.com/2019/05/14/ubuntu-updates-to-mitigate-new-microarchitectural-data-sampling-mds-vulnerabilities
  • https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

RedHat / CentOS

Announcement: https://access.redhat.com/security/vulnerabilities/mds

Archlinux

Microsoft Windows

Announcement: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013

other Operating Systems

Information about upcoming patches for operating systems that are not officially supported:

OpenSUSE

Announcement: ...


VMware

Announcement: ...

Webhosting/Managed Servers

The host systems will be updated to fix the vulnerabilities as soon as possible. The necessary reboots will be announced on Hetzner Status.

Since we manage your servers for you, you do not need to take any precautions for now.

Cloud / Virtual Servers (CX)

The host systems will be updated to fix the vulnerabilities as soon as possible. For instances with Ceph-backed storage, the updates are expected to be done without any customer downtime.

Should reboots be necessary, they will be announced on Hetzner Status. You may subscribe to be notified.

Since the installed operating system may still be vulnerable, you need to install the updates, which provide the fixes, as soon as possible yourself. For more information on when the OS updates will be available, please check the links above.

The CX host systems have already been updated to expose the new CPU flags (spec_ctrl, ibrs) that provide the mitigation inside the virtual machines. To activate these changes, your virtual servers have to be shut down and started again; a reboot from inside the guest is not enough, because the virtual CPU is only re-created when the server is started.



© 2020 Hetzner Online GmbH. All rights reserved.