What You Need to Do to Mitigate Meltdown and Spectre

Updated by Linode


Summary

Virtually every processor manufactured in the last 23 years is potentially affected by two recently discovered processor vulnerabilities: Meltdown and Spectre. Linode is continuing to implement patches on datacenter equipment. In the meantime, update your Linux kernel and reboot to help protect your system.

FAQ

Can this maintenance be postponed or rescheduled?

No. Due to the critical nature and logistical requirements of these updates, we aren’t able to reschedule or push back the provided maintenance windows. Our team is working around the clock to have our infrastructure patched against the Meltdown and Spectre vulnerabilities as quickly as possible.

Can I start this maintenance early?

No. Unlike our scheduled migrations, you won’t be able to initiate the maintenance early.

What’s Linode’s current status on patching these vulnerabilities?

Our current infrastructure status for each vulnerability is listed in the Linode Infrastructure Status chart below.

What does “Phase Complete” in the Linode Manager mean?

Maintenance for the Meltdown and Spectre vulnerabilities is happening in multiple phases, which are described in our Meltdown and Spectre document found here. As each phase is completed for the physical host on which your Linode resides, we will display progress updates in the Linode Manager.

To fully mitigate the Meltdown and Spectre vulnerabilities, additional maintenance will be required in the future. When the future maintenance has been scheduled, we will provide additional information.

You can find more information and stay updated on our progress by checking out the What Should I Do? section below.

When will the next maintenance phase take place?

We don’t yet have an ETA on when the next round of maintenance will begin. Once we do, we’ll provide additional information in the Linode Manager, as well as through Support tickets.

Is there anything that I need to do?

Yes. To further protect your Linode, we strongly recommend that you verify it is configured to boot using the 4.14.11 or newer kernel, which includes patches to help address these vulnerabilities. If your Linode’s Configuration Profile is set to utilize our latest kernel, your kernel will automatically be updated to the patched version upon rebooting.

Can I reboot my Linode with the new kernel to avoid the maintenance?

Yes, but while rebooting with the new kernel will help prepare your Linode for the upcoming maintenance and help protect you against Meltdown, it will not replace the need for this maintenance. In order to fully address the vulnerabilities, we will need to perform maintenance on our infrastructure as scheduled. We will update the status of our maintenance phases within the Linode Manager and in the chart below.

What Should I Do?

Linode Infrastructure Status

Exploit       Fix            Information
Meltdown      In progress    Patching in progress.
Spectre-V1    No             No patch is available yet.
Spectre-V2    No             No patch is available yet.

What does this mean for Linode Customers?

The last two weeks have seen the tech world buzzing about two recently revealed processor vulnerabilities, Meltdown and Spectre. These are extremely complex vulnerabilities, and the extent of affected hardware is not yet fully known. In short, they allow cached information in your system’s memory to be read by an attacker.

Virtually all devices, including Linode servers, are potentially vulnerable to one or both of these exploits.

Intel processors are the most susceptible, though Meltdown affects ARM chips as well, while Spectre can potentially be exploited on any processor type. See meltdownattack.com for the technical details on these vulnerabilities.

Meltdown

The Linux kernel source code was patched for Meltdown on January 2, 2018 with the release of 4.14.11. Earlier this week, Linode began updating its host systems with a patched kernel.

For your Linode to be secure against Meltdown, both our hosts and your Linode need to be patched.

The Linode Latest kernel was upgraded accordingly and 4.14.12 is currently available. If you use the Linode kernel, reboot into 4.14.11 or later to help secure your Linode against Meltdown.

How to Reboot into an Updated Linode Kernel

  1. Go to your Linode’s dashboard and edit your configuration profile.

  2. Under Boot Settings, select Latest 64 Bit.

  3. Reboot your Linode and verify your kernel version:

    root@localhost:~# uname -r
    4.14.12-x86_64-linode92
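
The verification in step 3 can be scripted so it is repeatable across several Linodes. This is an added example, not Linode's own code. It applies to the Linode-supplied kernel, whose version follows upstream numbering; for a distribution kernel, compare the package version against the distribution's bulletin instead. The sysfs files it reads are a kernel interface not mentioned in this guide and are absent on kernels that predate it; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Linode's code): check a `uname -r` string against the
# minimum Linode kernel version named in this guide (4.14.11).

# Turn "4.14.12-x86_64-linode92" into a sortable integer (4014012).
# Assumes each field is below 1000, which holds for mainline version numbers.
version_key() {
    v=${1%%[!0-9.]*}            # drop the "-x86_64-linode92" style suffix
    IFS=. read -r major minor patch rest <<EOF
$v
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Succeeds when kernel release $1 is at or above minimum version $2.
kernel_at_least() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# The kernel's own verdict, where the running kernel exposes it in sysfs.
sysfs_status() {
    f=/sys/devices/system/cpu/vulnerabilities/$1
    if [ -r "$f" ]; then cat "$f"; else echo "not reported by this kernel"; fi
}

report() {
    running=$1
    minimum=$2
    if kernel_at_least "$running" "$minimum"; then
        echo "OK: running kernel $running is at or above $minimum"
    else
        echo "REBOOT NEEDED: running kernel $running is older than $minimum"
    fi
    for vuln in meltdown spectre_v1 spectre_v2; do
        echo "$vuln: $(sysfs_status "$vuln")"
    done
}

# The first argument overrides the minimum; the default is this guide's 4.14.11.
report "$(uname -r)" "${1:-4.14.11}"
```

A passing version check only covers the guest kernel; as the guide states, the host must also be patched for the Linode to be secure against Meltdown.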
    

How to Update a Distribution-Supplied Kernel

If you boot your Linode using the GRUB or Direct Disk boot setting, your kernel is supplied by your distribution’s maintainers, not Linode. If you’ve compiled your own kernel, you’ll need to recompile using the 4.14.11 or later source code.

  1. Update your kernel to the latest available version using the distribution’s package manager:

    CentOS

    sudo yum update kernel
    

    Debian

    sudo apt-get update
    sudo apt-get upgrade linux-base
    

    Ubuntu

    sudo apt-get update
    sudo apt-get upgrade linux-image
    
  2. Reboot your system. When it comes back up, use the command uname -r to verify you are running the new kernel against the patched version given in your distribution’s security bulletin (see links below). This is also the recommended mitigation path for any hardware you use at home: your laptop, network hardware, and home servers.

    CentOS 6 (see the Overview tab), CentOS 7, Debian, Ubuntu.

Spectre

Where Meltdown is a specific attack implementation, Spectre targets the way modern CPUs work, regardless of speculative execution. Nearly all computing platforms manufactured since 1995 are vulnerable to Spectre, including non-x86 systems such as ARM, IBM PowerSystems, and other architectures.

Intel is currently developing microcode updates to mitigate Spectre, and there is a Linux kernel patch (IBRS) also in development. When these are available, we’ll apply both to our hosts and notify customers of the updates.

How does the Meltdown patch affect me?

As a result of the mitigation put in place by the Linux kernel, there may be a small reduction in performance. The performance impact greatly depends on whether your workload is heavy on system calls and disk I/O. This applies to any system with an affected CPU, regardless of whether it is cloud-based or not.

How can I stay updated with Linode’s progress?

The Linode blog will be updated daily with our progress on the fleet reboot, patches, and other related issues.


This guide is published under a CC BY-ND 4.0 license.