How can I tell if my server was affected by Zenbleed?
We recently announced the disclosure and successful mitigation of the AMD CPU Zenbleed security vulnerability. While Akamai Cloud computing systems are no longer vulnerable to Zenbleed, you may wish to take additional steps depending on the nature of the services on your server.
This post details how you can use the Linux command line to determine if your server is running on a Zen 2 CPU that was affected by Zenbleed. There are two options: check /proc/cpuinfo or install and run cpuid.
Option 1: check /proc/cpuinfo
The /proc/cpuinfo file will tell you which CPU your server last booted on. Simply run
cat /proc/cpuinfo to see the contents of the file. AMD EPYC 7542, 7642, 7702, and 7F72 are the Zen 2 CPU models used in our fleet:
$ cat /proc/cpuinfo processor : 0 vendor_id : AuthenticAMD cpu family : 23 model : 49 model name : AMD EPYC 7642 48-Core Processor
Option 2: install cpuid
The cpuid command allows you to query the Linux kernel for information about the CPU on which your system is currently running (as opposed to the CPU you last booted on). You may need to install cpuid with your distribution’s package manager before proceeding.
Note that cpuid may not report the correct CPU model name on CentOS 7. CentOS 6/7 users should use /proc/cpuinfo.
Debian/Ubuntu installation instructions
apt update apt install cpuid -y
CentOS 8/9 installation instructions
# Enable the EPEL repo if it’s not already installed yum install epel-release # Install cpuid yum update yum install cpuid -y
Once installed, simply type
cpuid from the command line to inspect your server’s currently running CPU. Servers running on AMD Zen 2 CPUs are running on hosts that were vulnerable to Zenbleed:
cpuid output on a vulnerable (Zen 2) CPU:
CPU 0: vendor_id = "AuthenticAMD" version information (1/eax): processor type = primary processor (0) family = 0xf (15) model = 0x1 (1) stepping id = 0x0 (0) extended family = 0x8 (8) extended model = 0x3 (3) (family synth) = 0x17 (23) (model synth) = 0x31 (49) (simple synth) = AMD (unknown type) (Castle Peak/Rome B0) [Zen 2], 7nm
My server was on a vulnerable (Zen 2) CPU. What can I do?
Customers who discover they were running on vulnerable Zen 2 CPUs may wish to rotate any secrets stored on their server, such as TLS private keys, API keys or other application secrets, application user passwords, or SSH keys. The exact details of what you may need to rotate will depend on the nature of the services running on your server.