Hetzner - DokuWiki
CPU vulnerabilities based on Spectre and Meltdown/en
Version of 16 May 2019, 12:09
Information about the vulnerabilities
On January 3rd, 2018, several security vulnerabilities in the microarchitecture of most modern processors were published. They enable the following attacks:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
These vulnerabilities are now known as Spectre (Variants 1 and 2) and Meltdown (Variant 3).
For further information on this topic, please check the following resources:
Spectre-NG
On May 21st, 2018, two more security vulnerabilities were published:
- Variant 3a: rogue system register read (CVE-2018-3640)
- Variant 4: speculative store bypass (CVE-2018-3639)
For further information on this topic, please check the following resources:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
- https://www.amd.com/en/corporate/security-updates
- https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
- https://www.phoronix.com/scan.php?page=news_item&px=Spectre-V3-V4-Vulnerabilities
Foreshadow
On August 14th, 2018, the L1 Terminal Fault (L1TF) vulnerabilities, known as Foreshadow, were published; the Lazy FP State Restore issue disclosed in June 2018 is listed here as well:
- Lazy FP State Restore (CVE-2018-3665)
- L1 Terminal Fault - SGX (CVE-2018-3615)
- L1 Terminal Fault - OS Kernel, SMM (CVE-2018-3620)
- L1 Terminal Fault - Virtual Machines (CVE-2018-3646)
For further information on this topic, please check the following resources:
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
- https://www.amd.com/en/corporate/security-updates
Microarchitectural Data Sampling (MDS) / ZombieLoad
On May 14th, 2019, additional vulnerabilities were published. They use speculative-execution side channels to read data left behind in internal CPU buffers (store buffers, load ports and line fill buffers) on a vulnerable system:
- Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126)
- Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127)
- Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130)
- Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091)
These vulnerabilities are collectively known as Microarchitectural Data Sampling (MDS); the fill buffer variant became widely known as ZombieLoad.
For further information on this topic, please check the following resources:
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
- https://www.amd.com/en/corporate/product-security
In addition to installing the latest Linux kernel and microcode updates, Intel® Hyper-Threading Technology must be disabled to fully mitigate these vulnerabilities on systems that run untrusted code, as this post on the Ubuntu Blog points out:
Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.
The use of Symmetric Multi-Threading (SMT) – also known as Hyper-Threading – further complicates these issues since these buffers are shared between sibling Hyper-Threads. Therefore, the above changes are not sufficient to mitigate these vulnerabilities when SMT is enabled. As such, the use of SMT is not recommended when untrusted code or applications are being executed.
Affected Products
Current Generation
AX-Line
- only affected by Variant 1, 2 & 4:
- AX60-SSD
- AX100
- AX160-NVMe
- AX160-SSD
EX-Line
- EX42
- EX42-NVMe
- EX51-SSD-GPU
- EX52
- EX52-NVMe
- EX62
- EX62-NVMe
PX-Line
- PX61
- PX61-SSD
- PX61-NVMe
- PX62
- PX62-NVMe
- PX92
DX-Line
Announcement: ...
- DX152 (R640)
- DX180 (R6415) - only affected by Variant 1, 2 & 4
- DX292 (R640)
SX-Line
- SX62
- SX132
- SX292
Managed Servers
- MX92
- MX92-SSD
- MX122-SSD
- MX152-SSD
Previous Generations
- AX10 (Cortex A15 + A7)
- AX20 (Cortex A15 + A7)
- AX30 (Cortex A15 + A7)
- AX50-SSD - only affected by Variant 1, 2 & 4
- DX141 (Dell R530)
- DX150 (Dell R720)
- DX151 (Dell R730)
- DX290 (Dell R720)
- DX291 (Dell R730)
- EQ4
- EQ6
- EQ8
- EQ9
- EQ10
- EX4
- EX4S
- EX5
- EX6
- EX6S
- EX8
- EX8S
- EX10
- EX40
- EX40-SSD
- EX40-Hybrid
- EX41
- EX41-SSD
- EX41S
- EX41S-SSD
- EX51
- EX51-SSD
- EX60
- EX61
- EX61-NVMe
- MQ7
- MQ9
- MQ10
- MX90
- MX90-SSD
- MX120
- MX120-SSD
- MX121
- MX150-SSD
- MX151
- MX151-SSD
- PX60
- PX60-SSD
- PX70
- PX70-SSD
- PX80
- PX90
- PX90-SSD
- PX91
- PX91-SSD
- PX120
- PX120-SSD
- PX121
- PX121-SSD
- SX60
- SX61
- SX130
- SX131
- SX290
- SX291
- XS13
- XS29
Update / Upgrade Path
Hardware / BIOS / Firmware
We are working with the respective manufacturers regarding firmware updates and will provide them as soon as possible.
We will keep a list of all updates which are available here:
Microcode updates should also become available soon through the operating system's package updates; microcode loaded by the operating system is normally applied early during the next boot, so a reboot is required for it to take effect.
Software / Operating System
Information about upcoming patches for all of our supported operating systems can be found in their respective security trackers:
Debian
Announcement:
- Security Advisory
Ubuntu
Announcement:
- https://blog.ubuntu.com/2019/05/14/ubuntu-updates-to-mitigate-new-microarchitectural-data-sampling-mds-vulnerabilities
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
- Security Advisory
RedHat / CentOS
Announcement: https://access.redhat.com/security/vulnerabilities/mds
- Security Advisory
Archlinux
- Security Advisory
- Microcode Update Packages
Microsoft Windows
Announcement: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013
- Security Advisory
other Operating Systems
Information about upcoming patches for operating systems that are not officially supported:
OpenSUSE
Announcement: ...
- Security Advisory
- Microcode Update Packages
VMware
Announcement: ...
- Security Advisory
Webhosting/Managed Servers
The host systems will be updated to fix the vulnerabilities as soon as possible. The necessary reboots will be announced on Hetzner Status.
Since we manage your servers for you, you do not need to take any precautions for now.
Cloud / Virtual Servers (CX)
The host systems are being updated to address the vulnerabilities as soon as updates are available. These updates are expected to be rolled out without any customer downtimes.
Should reboots be necessary, they will be announced on Hetzner Status. You may subscribe to be notified.
Since the installed operating system may still be vulnerable, we recommend installing the updates that provide the mitigations yourself as soon as possible. For more information on when the OS updates will be available, please check the links above.
Updated CPU flags (spec_ctrl, ibrs, ssbd, md-clear) will be made available at a later point in time. To activate them, the virtual server needs to be shut down and started again; a reboot from inside the guest is not sufficient, because the virtual CPU model is only re-created when the server is started.
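The following script is an added example and not part of the Hetzner page: it performs the checks implied by the SMT note in the Microarchitectural Data Sampling section and by the CPU-flag note in this section on a Linux host or virtual server. It assumes the standard Linux interfaces (the `flags` and `microcode` lines of `/proc/cpuinfo`, `/sys/devices/system/cpu/vulnerabilities/` on kernel 4.15 and later or distribution kernels with the backports, and `/sys/devices/system/cpu/smt/control` on kernel 4.19 and later or kernels carrying the L1TF backports). Note that QEMU and libvirt name the last flag `md-clear` while `/proc/cpuinfo` spells it `md_clear`; the script uses the `/proc/cpuinfo` spelling.

```shell
#!/bin/sh
# Added example, not Hetzner's code: report the Spectre/Meltdown/L1TF/MDS
# mitigation state of a Linux host or VM. The defaults are the live procfs and
# sysfs paths; each function also accepts a path so it can be run against
# saved copies of those files.

# CPU flags the page says will be exposed to cloud VMs. QEMU/libvirt spell the
# last one "md-clear"; /proc/cpuinfo spells it "md_clear".
REQUIRED_FLAGS="spec_ctrl ibrs ssbd md_clear"

# missing_flags [cpuinfo-file]: print the required flags absent from the first
# CPU's "flags" line; return 0 if none are missing, 1 otherwise.
missing_flags() {
    cpuinfo="${1:-/proc/cpuinfo}"
    # Pad with spaces so that "ssbd" cannot match inside a longer flag name.
    flags=$(awk -F': ' '/^flags/ { print " " $2 " "; exit }' "$cpuinfo")
    missing=""
    for f in $REQUIRED_FLAGS; do
        case "$flags" in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# microcode_revision [cpuinfo-file]: microcode revision of the first CPU.
# A KVM guest usually sees a placeholder (often 0x1), so compare this value
# against the vendor's advisory table on the host, not inside the VM.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# mitigation_status [sysfs-dir]: one line per file in
# /sys/devices/system/cpu/vulnerabilities (kernel 4.15+, or distribution
# kernels with the backports); return 1 if any still reads "Vulnerable".
mitigation_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        state=$(cat "$f")
        printf '%-20s %s\n' "$(basename "$f"):" "$state"
        case "$state" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# smt_state [control-file]: print /sys/devices/system/cpu/smt/control
# (kernel 4.19+, backported with the L1TF fixes). Return 0 only when no
# sibling thread can share this core's buffers with untrusted code.
smt_state() {
    ctl="${1:-/sys/devices/system/cpu/smt/control}"
    if [ ! -r "$ctl" ]; then
        echo "unknown (no $ctl; kernel too old?)"
        return 2
    fi
    state=$(cat "$ctl")
    echo "$state"
    case "$state" in
        off|forceoff|notsupported) return 0 ;;
        *) return 1 ;;
    esac
}

# disable_smt [control-file]: switch SMT off at runtime (needs root). For a
# persistent setting boot with "nosmt" (or "mds=full,nosmt") on the kernel
# command line instead.
disable_smt() {
    echo off > "${1:-/sys/devices/system/cpu/smt/control}"
}

main() {
    echo "== CPU flags =="
    if m=$(missing_flags); then
        echo "present: $REQUIRED_FLAGS"
    else
        echo "missing: $m (cloud VM: shut down and start again once the host offers them)"
    fi
    echo "microcode: $(microcode_revision)"
    echo "== kernel mitigation status =="
    mitigation_status || echo "** at least one vulnerability is unmitigated **"
    echo "== SMT =="
    smt_state || echo "** SMT is on: not safe while untrusted code runs here **"
}

# Run the report only when invoked as "sh mitigation-check.sh --run", so the
# functions can also be sourced into another script.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh mitigation-check.sh --run` on the host or guest. A `Vulnerable` line in the kernel status means either the microcode or the kernel update is still missing; on a cloud server, missing flags with an up-to-date guest kernel mean the virtual CPU has not yet been re-created, which requires the shutdown and start described above rather than a reboot. The mitigation files report only on the guest's own kernel; the state of the host is not visible from inside a virtual server.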