
Intel's MDS (ZombieLoad) CPU Vulnerability and Linode


This week Intel disclosed a group of processor vulnerabilities known as Microarchitectural Data Sampling (MDS), also referred to as "ZombieLoad". MDS affects systems that are shared by different security domains and/or by system owners that do not fully trust one another, which includes Linode's infrastructure and Linodes themselves. This guide contains further details on these vulnerabilities and their mitigations.

We have begun our mitigation efforts and expect to have the fleet fully mitigated within the coming weeks. These efforts may require disruption to running systems, but we will clearly communicate any scheduled maintenance, or any adjustments required from customers, through support tickets.

We have released a new kernel (5.1.2) that includes mitigations for these vulnerabilities, so you should select this kernel in your Linode's Configuration Profile and then reboot. If you use a distribution-supplied kernel, you should upgrade that kernel accordingly. As always, you should also make sure your Linode is up to date with the latest security updates.
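
An added example (my own, not Linode's code or tooling) of the post-reboot check a practitioner would run: it classifies the MDS status string that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/mds and, for Linode-supplied kernels only, confirms the release is at least the 5.1.2 recommended above. The status strings are the ones the kernel documents for that file; the version floor is skipped for distribution kernels because they backport the fix under older version numbers.

```shell
#!/bin/sh
# Added example, not Linode's own tooling: verify that the running kernel
# carries the MDS (ZombieLoad) mitigation after a reboot.

# Return 0 when a sysfs MDS status string indicates the host is covered.
# "SMT vulnerable" means CPU buffers are cleared but HyperThreading siblings
# can still leak; Linode addresses that on the host side by disabling HT.
mds_status_ok() {
  case "$1" in
    "Not affected"*) return 0 ;;
    "Mitigation: Clear CPU buffers"*)
      case "$1" in *"SMT vulnerable"*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;   # "Vulnerable", "Vulnerable: ... no microcode", etc.
  esac
}

# Return 0 when kernel release $1 (e.g. "5.1.2-x86_64-linode124") is >= $2.
kernel_at_least() {
  have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # keep only the x.y.z part
  i=1
  while [ "$i" -le 3 ]; do
    h=$(printf '%s' "$have" | cut -d. -f"$i"); w=$(printf '%s' "$2" | cut -d. -f"$i")
    h=${h:-0}; w=${w:-0}                           # "5.2" compares as 5.2.0
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Live check on this machine; prints a verdict and returns 0 only when covered.
check_mds_host() {
  f=/sys/devices/system/cpu/vulnerabilities/mds
  rel=$(uname -r)
  if [ ! -r "$f" ]; then   # the file exists only on kernels with the MDS patches
    echo "ACTION NEEDED: $rel does not expose $f (kernel predates MDS patches)"
    return 1
  fi
  status=$(cat "$f")
  case "$rel" in
    *linode*) kernel_at_least "$rel" 5.1.2 ||
      { echo "ACTION NEEDED: $rel is older than the recommended 5.1.2"; return 1; } ;;
  esac
  if mds_status_ok "$status"; then echo "OK: $rel reports '$status'"; return 0; fi
  echo "ACTION NEEDED: $rel reports '$status'"
  return 1
}

case "${1:-}" in run) check_mds_host ;; esac   # usage: sh mds_check.sh run
```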

We will continue to post updates over the coming weeks as our mitigation efforts progress.


Comments (13)

  1. Is the “Latest 64-bit” Kernel going to be sufficient or do all servers need to be using the 5.x kernel?

    • Hey, Jim. At the moment, the “Latest 64-bit” kernel is not patched for MDS — we’ve delayed changes due to a kernel bug involving inaccurate ‘uptime’ reports. We instead recommend booting into 5.1.2-x86_64-linode124 for 64-bit systems, or 5.1.2-x86-linode144 for 32-bit systems. Once the kernel bug has been completely resolved, you could then switch back to the “Latest”.

  2. Linode offers two 5.1.2 kernels. One is 5.1.2-x86-linode144 and caused a kernel panic on Debian 9. 5.1.2-x86_64-linode124 works. Thanks to support for guiding me to this point. It should be added to the post here.

    • Hi there, John. The 5.1.2-x86-linode144 kernel is designed for 32-bit systems. It will not work properly on 64-bit systems. For 64-bit systems you will want to use the 5.1.2-x86_64-linode124 kernel. For all 64-bit systems you will want to look for the kernels that include “_64” in the title.

  3. Any particular reason for the “latest-kernel” to be stuck at 4.18.6?

  4. Benjamin A Blouin

    Update?

  5. طراحی سایت

    Great and useful post, thanks for sharing.
    Bookmarking the blog for future reference.

  6. What is the expected performance impact of the mitigation?

    • Viktor: We don’t anticipate performance impacts coming from ZombieLoad mitigation. However, disabling HyperThreading as part of our mitigation strategy for speculative operation vulnerabilities poses a clear challenge regarding performance, so accordingly we’ve been working to minimize its impact on our platform. (You can find more discussion on HyperThreading here.)

      If you’re seeing degraded performance on any of your Linodes, please reach out to us so we can help investigate and find a solution.

  7. Can we use the new kernel for Debian 7 machines?

    • Hi Mike – Yes. No issues with our latest kernel and Debian 7. I’d recommend reading through our Reboot Survival guide, though, if it’s been a while since you’ve needed to reboot some of your machines:

      > https://www.linode.com/docs/guides/reboot-survival-guide/

      If you’ve regularly kept your server up to date, issued reboots periodically and have always used the latest kernel, you’re more likely to be okay if you continue to use it. Having a restore plan in place in the event anything goes wrong is always recommended, though, since there are a lot of variables at play.

  8. Other posts mentioned a live-migration capability now. That doesn’t work for host updates?
    Are you moving towards the only needed reboots to be for upgrade/downgrades and updating our kernel?

    • Hi Avi – Technically speaking, for small scale host updates, live migrations would work. Though since CPU vulnerability mitigation is a much larger effort, it’s logistically more efficient to cold migrate servers to patched hosts, or apply the needed patches during the maintenance window. As for your second question:

      > Are you moving towards the only needed reboots to be for upgrade/downgrades and updating our kernel?

      Yes, though this is a long term effort, and I don’t have anything immediate to share regarding an ETA.
