rssLink RSS for all categories
 
icon_red
icon_green
icon_orange
icon_orange
icon_red
icon_green
icon_green
icon_orange
icon_green
icon_orange
icon_green
icon_green
icon_green
icon_blue
icon_orange
icon_red
icon_green
icon_red
icon_orange
icon_red
icon_green
icon_green
icon_red
icon_orange
icon_orange
icon_green
icon_green
icon_green
icon_green
icon_green
icon_red
 

FS#29251 — Meltdown / Spectre

Attached to Project— Virtual Desktop
Maintenance
Backend / Core
CLOSED
100%
You probably have heard about security breach on Intel x86 and x64 CPUs, named « Meltdown » and « Spectre ». The details of those vulnerabilities are available on the following blogpost : https://www.ovh.com/fr/blog/vulnerabilites-meltdown-spectre-cpu-x86-64-ovh-pleinement-mobilise/

Our virtual desktop products, Cloud Desktop & Cloud Desktop Infrastructure, are directly impacted by those breaches.

Following the different CVE publicized :

- CVE-2017-5715 (branch target injection – Spectre)
- CVE-2017-5753 (bounds check bypass – Spectre)
- CVE-2017-5754 (rogue data cache load – Meltdown)

Variant 1: bounds check bypass (CVE-2017-5753) - spectre
Vulnerable : YES
Fixed by patch : YES

Variant 2: branch target injection (CVE-2017-5715) - spectre
Vulnerable : YES
Fixed by patch : YES

Variant 3: rogue data cache load (CVE-2017-5754) - meltdown
Vulnerable : NO
Note: Meltdown (CVE-2017-5754) does not affect ESXi because ESXi does not run untrusted user mode code.

We will have to apply updates on different machines

All of this will be done in 2 phases :
- Phase 1 : Security updates in the customer side
- Phase 2 : Security updates in the OVH side

------

Phase 1 will update all machine linked to customer infrastructures :

We need to upgrade all the ESXI. Proceeding this action will require a shutdown of all our desktops.
After this upgrade, we will reboot the desktops and force a Windows update on it.

Worst case scenario, the desk will be unreachable for about 2 hours. Please find below an estimation of the date / time of the upgrades per pool.

Update of the Esxi :

8/01/2017 , 6 AM - 8 AM
winadv-48
wingpu-37
wingpu-39
wingpu-36
winadv-43
winadv-47
winadv-46
wingpu-17
winadv-42
wingpu-38



10/01/2017 , 6 AM - 8 AM
winbase-1
winbase-13
winadv-41
winbase-11
winadv-15
winadv-10
winstd-45
winadv-16
winbase-8
winadv-20
winstd-21
winstd-44
winstd-9
winstd-18

11/01/2017 , 6 AM - 8 AM
winstd-31
winstd-34
winstd-35
winbase-4
winbase-29
winstd-33
winstd-19
winbase-27
winbase-6
winbase-5
winstd-7
winstd-30
winstd-40
winbase-3
winbase-25

12/01/2017 , 6 AM - 8 AM
winbase-28
winbase-24
winbase-12
winbase-26
winbase-14
winbase-23
winbase-22
winbase-2

The update of the ESXI are DONE


The 19 th of January ( 2018) we are going to upgrade the VCSA at 7.AM . A brief reboot is necessary..



------

Phase 2 will update all machines linked to management infrastructure in the OVH side.
During this time, the management interface of your infrastructure won't be available.

We need to update all the administration servers, which will lead to a temporary impossibility to log into the infrastructure’s Desktops.
The exact schedule of this operation hasn’t yet been decided. We’ll keep you in touch as soon as possible.

Please be ensured that OVH teams are fully mobilized to mitigate the impacts of this emergency intervention.
Date:  Wednesday, 28 February 2018, 16:25PM
Reason for closing:  Done
Comment by OVH - Tuesday, 09 January 2018, 07:13AM

winadv-48
winadv-43
winadv-47
winadv-46
winadv-42

Done


Comment by OVH - Tuesday, 09 January 2018, 08:06AM

wingpu-36
wingpu-17
wingpu-38
wingpu-39
wingpu-37 done



Comment by OVH - Wednesday, 10 January 2018, 08:17AM

winbase-1
winbase-13
winadv-41
winbase-11
winadv-15
winadv-10
winstd-45
winadv-16
winbase-8
winadv-20
winstd-21
winstd-44
winstd-9
winstd-18


DONE


Comment by OVH - Thursday, 11 January 2018, 09:19AM

winstd-31
winstd-34
winstd-35
winbase-4
winbase-29
winstd-33
winstd-19
winbase-27
winbase-6
winbase-5
winstd-7
winstd-30
winstd-40
winbase-3
winbase-25



DONE


Comment by OVH - Friday, 12 January 2018, 07:56AM

winbase-28
winbase-24
winbase-12
winbase-26
winbase-14
winbase-23
winbase-22
winbase-2


DONE


Comment by OVH - Wednesday, 17 January 2018, 14:30PM

We are going to upgrade the VCSA this friday (19/01/2018) at 7. AM A reboot will be necessary.


Comment by OVH - Friday, 19 January 2018, 09:15AM

Phase 1 is done.

Still working on phase 2 !

PLease, feel free to ask if you have some questions (cdi@ml.ovh.net)


Comment by OVH - Tuesday, 20 February 2018, 16:01PM

Phase 2 is almost done.

For the CDI owner in EU :

The next update will be on the 26 February 2018 at 8 PM and on the 1st March 2018 at 5 AM. You'll receive an email to notify you of the scheduling.

The Cloud Desktop management infrastructure will be updated on the 1st March 2018 at 5 AM.

The Cloud Desktop Team.


Comment by OVH - Wednesday, 28 February 2018, 16:24PM

Phase 2 is done, all CA and EU infrastructure are up to date.

The cloud Desktop team