Intel's MDS (ZombieLoad) CPU Vulnerabilities & Linode
Linode
Linode Staff
This week Intel publicly disclosed a group of processor vulnerabilities known as Microarchitectural Data Sampling (MDS), also referred to as “ZombieLoad”. MDS affects systems that host virtual machines from varying security domains and/or that the system owner does not fully trust, which includes Linode's infrastructure and Linodes themselves. This guide has additional detailed information on these vulnerabilities as well as their mitigation.
We've started mitigation efforts and anticipate full mitigation of our fleet in the coming weeks. These mitigation efforts may require interruption to your running systems, but we will clearly communicate any scheduled maintenance or coordination required by our customers via Support ticket.
To address these vulnerabilities on your end, we've released a new kernel (5.1.2) with mitigations in place, so make sure you select this kernel in your Linode's configuration profile, then reboot. If you are using a distribution-supplied kernel, you will need to upgrade your kernel accordingly. As always, you should also ensure your Linode is up to date and secured.
As we move forward with our mitigation efforts in the coming weeks, we will continue providing more information here, as well as on our blog. Stay tuned!
9 Replies
When I log into my account, the 'latest 64bit' kernel is listed as 4.18.16x86_64-linode118. Why isn't 5.1.2 listed as the most up-to-date 64bit kernel?
Thanks.
bbigger
Linode Staff
Hey @DBR, we're holding off on updating the most recent kernel as "latest" until we resolve a kernel issue which is causing inaccurate uptime outputs.
Thanks for getting back to me so quickly. I'm updating a few Linodes to 5.1.2 now - should not do so because of the the 'kernel issue'? Or is it just a issue that affects reporting rather than functionality?
Also, and please correct me if I'm wrong, in the past didn't choosing the 'latest' kernel mean that it would auto-update to a newer 'latest' kernel when rebooting? I seem to remember that instructions for applying the new kernel for the heartbeat vulnerability was to just reboot the Linode and the newest 'latest' kernel would be used automatically (if you were already using the current 'latest' kernel, of course).
If that was the case, do I (when the 'kernel issue' is fixed) need to find and select the kernel listed as the 'latest' in order to go back to updating to the newest 'latest' kernel when rebooting the server?
Or does that not actually happen when selecting the 'latest' kernel and my memory really is as bad as I think it is?
Cheers
bbigger
Linode Staff
@DBR updating to 5.1.2 is safe, just be aware of the uptime issue. You're correct about 'latest' kernel behavior — we've only delayed updating the kernel designated as the 'latest' in order to avoid inadvertent customer problems involving the uptime issue.
Accordingly, yes you'd have to switch back to 'latest' once we have the issue resolved if you now pin to the 5.1.2 kernel or any other that isn't the 'latest'.
I hope this explains everything — feel free to follow up if you still have any questions.
Thanks for clarifying that, @bbigger.
If the uptime issue is just about reporting stats, I'm not bothered.
Bit of an sod to have to go back and select a new 'latest' kernel and reboot multiple servers across different accounts though….oh well, can't be helped, I guess.
Thanks again
dsmith
Linode Staff
I wanted to make you aware that we've promoted 5.1.2 to latest. Thanks for taking the time to investigate this in the related post.
Has anyone already gone through the downtime that linode is doing to correct this? I was wondering how long servers are actually going down. Trying to decide if I want to take a short outage or take other measures on my own to avoid interruption.