FS#29258 — Meltdown / Spectre

Attached to Project — Serveurs dédiés
Maintenance
ALL
In progress
0%
Regarding the different publicized CVEs:
- CVE-2017-5715 (branch target injection – Spectre)
- CVE-2017-5753 (bounds check bypass – Spectre)
- CVE-2017-5754 (rogue data cache load – Meltdown)

On Dedicated Servers, customer operations ARE REQUIRED in order to mitigate the Meltdown flaw.
Your system needs to be updated: http://travaux.ovh.net/?do=details&id=29257.
If you are running an OVH Kernel, you can simply enable the 'Netboot' feature and reboot your system (https://docs.ovh.com/gb/en/dedicated/kernel-netboot/#boot-from-network-mode).

Mitigation for the Spectre flaws is not available for the moment.
Our teams are working on the deployment of an Intel microcode (during the system boot and/or EFI). This microcode would require kernel counter-measures (that is, a patch/update) to fully mitigate Variant 2 / CVE-2017-5715 (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr).
Comment by OVH - Tuesday, 23 January 2018, 14:29PM

Regarding OVH kernels, there are two updated versions available, which both mitigate the "Meltdown" as well as the "Spectre Variant 2" vulnerabilities.

Currently available are the versions 4.9.77 (stable/production) and 4.14.14 (testing). The 4.9 version is used for standard netboot and reinstallations if no other kernel is chosen.
Those kernels have been compiled with a retpoline-enabled GCC version 7.2, and are bundled with the latest (reference version v224) CPU microcodes obtained from Intel.
Those bzImages are updated regularly to reflect the latest findings and published best-practices. Microcodes for CPUs from AMD will be added when available.

If you want to update an existing installation using those kernels, you can either:
- boot the kernel directly from network as described in https://docs.ovh.com/gb/en/dedicated/kernel-netboot/, or
- install the OVH kernel on your disk in the /boot directory and adapt your bootloader's config ("update-grub" on Debian/Ubuntu or "grub2-mkconfig" on RHEL/CentOS/Fedora/SuSE and others) after downloading the corresponding files from ftp://ftp.ovh.net/made-in-ovh/bzImage/latest-production/ or ftp://ftp.ovh.net/made-in-ovh/bzImage/latest-test/ respectively.


Comment by OVH - Wednesday, 24 January 2018, 17:19PM

The OVH bzImage versions have been adapted to 4.9.78 and 4.14.15, respectively.
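
To confirm after the reboot what the running kernel itself reports for the three CVEs listed in this notice, the following shell check can be used. It is an added example, not part of the OVH notice or OVH tooling, and it assumes the booted kernel exposes the Linux sysfs directory /sys/devices/system/cpu/vulnerabilities, which the notice does not state; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: print the kernel-declared status of the three CVEs in this notice.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities.

# classify STATUS_LINE -> prints ok | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> one line per flaw; returns 0 only if every flaw is ok,
# 1 if any is vulnerable/unknown, 2 if the kernel does not expose the interface.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation status"
        return 2
    fi
    for entry in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name="${entry%%:*}"; cve="${entry#*:}"
        if [ -r "$dir/$name" ]; then
            status="$(cat "$dir/$name")"
        else
            status="(file missing)"
        fi
        verdict="$(classify "$status")"
        [ "$verdict" = ok ] || rc=1
        printf '%-10s %-14s %-10s %s\n' "$name" "$cve" "$verdict" "$status"
    done
    return "$rc"
}

# make_sample DIR: constructed status lines, not captured from an OVH kernel
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Vulnerable" > "$1/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$1/spectre_v2"
}

# Demo on the constructed sample; on a server, call check_cpu_vulns with no argument.
demo_dir="$(mktemp -d)" && make_sample "$demo_dir" && { check_cpu_vulns "$demo_dir" || true; }
```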