Hetzner - DokuWiki

CPU vulnerabilities based on Spectre and Meltdown/en
(DX-Line)
(Cloud / Virtual Servers (CX))
Zeile 286: Zeile 286:
  
 
===Cloud / Virtual Servers (CX)===
 
===Cloud / Virtual Servers (CX)===
The host systems will be updated to fix the vulnerabilities as soon as possible.
+
The host systems are being updated to address the vulnerabilities as soon as updates are available. These updates are expected to be rolled out without any customer downtimes.
For instances with ceph-backed storage, the updates are expected to be done without any customer downtimes.
+
  
 
Should reboots be necessary, they will be announced on [https://www.hetzner-status.de/en.html Hetzner Status]. You may subscribe to be notified.
 
Should reboots be necessary, they will be announced on [https://www.hetzner-status.de/en.html Hetzner Status]. You may subscribe to be notified.
  
Since the installed operating system may still be vulnerable, you need to install the updates, which provide the fixes, as soon as possible yourself. For more information on when the OS updates will be available, please check the links above.
+
Since the installed operating system may still be vulnerable, we recommend to install any updates, which provide the mitigations, as soon as possible yourself. For more information on when the OS updates will be available, please check the links above.
  
The CX servers have already been updated to include the new CPU flags (spec_ctrl, ibrs) the provide the mitigation inside the virtual machines. To activate these changes, your virtual servers have to be shutdown and started again.
+
Updated CPU flags (spec_ctrl, ibrs, ssbd, md-clear) will be made available at a later point in time. To activate these, the virtual server needs to be shutdown and started again.

Version vom 16. Mai 2019, 12:09 Uhr

Geographylogo.png Languages: 

Deutsch Deutsch.png  • English   

Inhaltsverzeichnis

Information about the vulnerabilities

On January 3rd, 2018, several security vulnerabilities within the microarchitecture of most modern processors were published, which could have the following results:

Those vulnerabilities are now known as:

For further information on this topic, please check the following resources:

Spectre-NG

On May 21st, 2018, two more security vulnerabilities were published:

For further information on this topic, please check the following resources:

Foreshadow

On August 14th, 2018, additional vulnerabilities were published:

For further information on this topic, please check the following resources:

Microarchitectural Data Sampling (MDS) / ZombieLoad

On May 14th, 2019, additional vulnerabilities were published, which are using speculative execution side-channel attacks to maliciously access data stored in buffers on a vulnerable system.

  • Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126)
  • Microarchitectural Load Port Data Samping (MLPDS) (CVE-2018-12127)
  • Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130)
  • Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091)

Those vulnerabilities are now known as:

For further information on this topic, please check the following resources:

Additionally to installing the latest Linux kernel and Microcode updates it is necessary to disable Intel® Hyper-Threading Technology to fully mitigate these vulnerabilities, as the post in the Ubuntu Blog points out:

Updated versions of the intel-microcode, qemu and linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users. As these vulnerabilities affect such a large range of Intel processors (across laptop, desktop and server machines), a large percentage of Ubuntu users are expected to be impacted – users are encouraged to install these updated packages as soon as they become available.

The use of Symmetric Multi-Threading (SMT) – also known as Hyper-Threading – further complicates these issues since these buffers are shared between sibling Hyper-Threads. Therefore, the above changes are not sufficient to mitigate these vulnerabilities when SMT is enabled. As such, the use of SMT is not recommended when untrusted code or applications are being executed.

Affected Products

Current Generation

AX-Line

  • only affected by Variant 1, 2 & 4:
    • AX60-SSD
    • AX100
    • AX160-NVMe
    • AX160-SSD

EX-Line

  • EX42
  • EX42-NVMe
  • EX51-SSD-GPU
  • EX52
  • EX52-NVMe
  • EX62
  • EX62-NVMe

PX-Line

  • PX61
  • PX61-SSD
  • PX61-NVMe
  • PX62
  • PX62-NVMe
  • PX92

DX-Line

Announcement: ...

  • DX152 (R640)
  • DX180 (R6415) - only affected by Variant 1, 2 & 4
  • DX292 (R640)

SX-Line

  • SX62
  • SX132
  • SX292

Managed Servers

  • MX92
  • MX92-SSD
  • MX122-SSD
  • MX152-SSD

Previous Generations

  • AX10 (Cortex A15 + A7)
  • AX20 (Cortex A15 + A7)
  • AX30 (Cortex A15 + A7)
  • AX50-SSD - only affected by Variant 1, 2 & 4
  • DX141 (Dell R530)
  • DX150 (Dell R720)
  • DX151 (Dell R730)
  • DX290 (Dell R720)
  • DX291 (Dell R730)
  • EQ4
  • EQ6
  • EQ8
  • EQ9
  • EQ10
  • EX4
  • EX4S
  • EX5
  • EX6
  • EX6S
  • EX8
  • EX8S
  • EX10
  • EX40
  • EX40-SSD
  • EX40-Hybrid
  • EX41
  • EX41-SSD
  • EX41S
  • EX41S-SSD
  • EX51
  • EX51-SSD
  • EX60
  • EX61
  • EX61-NVMe
  • MQ7
  • MQ9
  • MQ10
  • MX90
  • MX90-SSD
  • MX120
  • MX120-SSD
  • MX121
  • MX150-SSD
  • MX151
  • MX151-SSD
  • PX60
  • PX60-SSD
  • PX70
  • PX70-SSD
  • PX80
  • PX90
  • PX90-SSD
  • PX91
  • PX91-SSD
  • PX120
  • PX120-SSD
  • PX121
  • PX121-SSD
  • SX60
  • SX61
  • SX130
  • SX131
  • SX290
  • SX291
  • XS13
  • XS29

Update / Upgrade Path

Hardware / BIOS / Firmware

We are working with the respective manufacturers regarding firmware updates and will provide them as soon as possible.

We will keep a list of all updates which are available here:

Firmware Updates

The Microcode updates should also be available soon via the operating system updates.

Software / Operating System

Information about upcoming patches for all of our supported operating systems can be found in their specific bug tracker:

Debian

Announcement:

Ubuntu

Announcement:

RedHat / CentOS

Announcement: https://access.redhat.com/security/vulnerabilities/mds

Archlinux

Microsoft Windows

Announcement: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013

other Operating Systems

Information about upcoming patches for not officially supported operating systems:

OpenSUSE

Announcement: ...


VMware

Announcement: ...

Webhosting/Managed Servers

The host systems will be updated to fix the vulnerabilities as soon as possible. The necessary reboots will be announced on Hetzner Status.

Since we manage your servers for you, you do not need to take any precautions for now.

Cloud / Virtual Servers (CX)

The host systems are being updated to address the vulnerabilities as soon as updates are available. These updates are expected to be rolled out without any customer downtimes.

Should reboots be necessary, they will be announced on Hetzner Status. You may subscribe to be notified.

Since the installed operating system may still be vulnerable, we recommend to install any updates, which provide the mitigations, as soon as possible yourself. For more information on when the OS updates will be available, please check the links above.

Updated CPU flags (spec_ctrl, ibrs, ssbd, md-clear) will be made available at a later point in time. To activate these, the virtual server needs to be shutdown and started again.

Von „https://wiki.hetzner.de/index.php/CPU_vulnerabilities_based_on_Spectre_and_Meltdown/en


© 2019. Hetzner Online GmbH. Alle Rechte vorbehalten.