Intel's MDS (ZombieLoad) CPU Vulnerabilities & Linode
This week Intel publicly disclosed a group of processor vulnerabilities known as Microarchitectural Data Sampling (MDS), also referred to as “ZombieLoad”. MDS affects systems that host virtual machines from varying security domains and/or that the system owner does not fully trust, which includes Linode's infrastructure and Linodes themselves. This guide has additional detailed information on these vulnerabilities as well as their mitigation.
We've started mitigation efforts and anticipate full mitigation of our fleet in the coming weeks. These mitigation efforts may require interruption to your running systems, but we will clearly communicate any scheduled maintenance or coordination required by our customers via Support ticket.
To address these vulnerabilities on your end, we've released a new kernel (5.1.2) with mitigations in place, so make sure you select this kernel in your Linode's configuration profile, then reboot. If you are using a distribution-supplied kernel, you will need to upgrade your kernel accordingly. As always, you should also ensure your Linode is up to date and secured.
As we move forward with our mitigation efforts in the coming weeks, we will continue providing more information here, as well as on our blog. Stay tuned!
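One way to confirm the mitigation after rebooting into the patched kernel, as an added example (not part of the original post or Linode's tooling): the functions below classify the status string that MDS-aware Linux kernels expose at `/sys/devices/system/cpu/vulnerabilities/mds`. The function names and verdict labels are this example's own; inside a virtual machine the kernel cannot see the host's SMT state, so that case is reported separately.

```shell
#!/bin/sh
# Added example: interpret the kernel's MDS status line after a reboot.
# Path and status strings are those reported by Linux kernels that carry
# the MDS patches; verdict labels are invented for this example.
MDS_FILE="${MDS_FILE:-/sys/devices/system/cpu/vulnerabilities/mds}"

# classify_mds STATUS -> prints one verdict label
classify_mds() {
    case "$1" in
        "Not affected"*)
            echo "not-affected" ;;
        "Mitigation: Clear CPU buffers"*)
            case "$1" in
                *"SMT vulnerable"*)         echo "mitigated-smt-exposed" ;;
                *"SMT Host state unknown"*) echo "mitigated-host-smt-unknown" ;;
                *)                          echo "mitigated" ;;
            esac ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            echo "no-microcode" ;;   # kernel patched, CPU microcode is not
        "Vulnerable"*)
            echo "vulnerable" ;;
        *)
            echo "unknown" ;;
    esac
}

# check_mds [FILE] -> prints the verdict.
# Returns 0 when the running kernel's buffer clearing is active (or the CPU
# is not affected), 1 for any other status, 2 when the file is missing,
# which means the running kernel predates the MDS patches.
check_mds() {
    file="${1:-$MDS_FILE}"
    if [ ! -r "$file" ]; then
        echo "no-mds-reporting"
        return 2
    fi
    verdict=$(classify_mds "$(cat "$file")")
    echo "$verdict"
    case "$verdict" in
        not-affected|mitigated|mitigated-host-smt-unknown) return 0 ;;
        *) return 1 ;;
    esac
}
```

Source the file and run `check_mds` once the Linode is back up; a `no-mds-reporting` result means the configuration profile is still booting an older kernel.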
When I log into my account, the 'latest 64bit' kernel is listed as 4.18.16x86_64-linode118. Why isn't 5.1.2 listed as the most up-to-date 64bit kernel?
Thanks for getting back to me so quickly. I'm updating a few Linodes to 5.1.2 now - should I not do so because of the 'kernel issue'? Or is it just an issue that affects reporting rather than functionality?
Also, and please correct me if I'm wrong, in the past didn't choosing the 'latest' kernel mean that it would auto-update to a newer 'latest' kernel when rebooting? I seem to remember that the instructions for applying the new kernel for the heartbeat vulnerability were to just reboot the Linode and the newest 'latest' kernel would be used automatically (if you were already using the current 'latest' kernel, of course).
If that was the case, do I (when the 'kernel issue' is fixed) need to find and select the kernel listed as the 'latest' in order to go back to updating to the newest 'latest' kernel when rebooting the server?
Or does that not actually happen when selecting the 'latest' kernel and my memory really is as bad as I think it is?
@DBR updating to 5.1.2 is safe, just be aware of the uptime issue. You're correct about 'latest' kernel behavior — we've only delayed updating the kernel designated as the 'latest' in order to avoid inadvertent customer problems involving the
Accordingly, yes you'd have to switch back to 'latest' once we have the issue resolved if you now pin to the 5.1.2 kernel or any other that isn't the 'latest'.
I hope this explains everything — feel free to follow up if you still have any questions.
Thanks for clarifying that, @bbigger.
uptime issue is just about reporting stats, I'm not bothered.
Bit of a sod to have to go back and select a new 'latest' kernel and reboot multiple servers across different accounts though… oh well, can't be helped, I guess.
I wanted to make you aware that we've promoted 5.1.2 to latest. Thanks for taking the time to investigate this in the related post.
Has anyone already gone through the downtime that Linode is doing to correct this? I was wondering how long servers are actually going down. Trying to decide if I want to take a short outage or take other measures on my own to avoid interruption.