跳到主要内容
博客网络节点英特尔的 MDS(ZombieLoad)CPU 漏洞和 Linode

英特尔的MDS(ZombieLoad)CPU漏洞与Linode

IntelMDSVulnerability_1200x631

本周,英特尔公开披露了一组被称为 微架构数据采样 (MDS)也被称为 "ZombieLoad"。MDS 会影响托管来自不同安全域和/或系统所有者不完全信任的虚拟机的系统,其中包括 Linode 的基础架构和 Linode 本身。 本指南提供了有关这些漏洞及其缓解措施的更多详细信息。

我们已经开始采取缓解措施,预计在未来几周内我们的机队将完全缓解。这些缓解工作可能需要中断您的运行系统,但我们会通过支持票据明确告知客户所需的任何计划维护或协调。

为了解决您端的这些漏洞,我们发布了新的内核(5.1.2),并采取了相应的缓解措施,因此请确保在 Linode 配置文件中选择此内核,然后重新启动。如果您使用的是发行版提供的内核,则需要 升级内核升级内核。与往常一样,您还应确保您的 Linode 是 最新版本安全.

在未来几周内,我们将继续在这里为您提供最新的减灾信息。

评论 (13)

  1. Author Photo

    Is the “Latest 64-bit” Kernel going to be sufficient or do all servers need to be using the 5.x kernel?

    • Author Photo

      Hey, Jim. At the moment, the “Latest 64-bit” kernel is not patched for MDS — we’ve delayed changes due to a kernel bug involving inaccurate ‘uptime’ reports. We instead recommend booting into 5.1.2-x86_64-linode124 for 64-bit systems, or 5.1.2-x86-linode144 for 32-bit systems. Once the kernel bug has been completely resolved, you could then switch back to the “Latest”.

  2. Author Photo

    Linode offer two 5.1.2 kernels. One is 5.1.2-x86-linode144 and caused kernel panic on Debian 9. 5.1.2-x86_64-linode124 works. Thanks to support for guiding me to this point. It should be added to the post here.

    • Author Photo

      Hi there, John. The 5.1.2-x86-linode144 kernel is designed for 32-bit systems. It will not work properly on 64-bit systems. For 64-bit systems you will want to use the 5.1.2-x86_64-linode124 kernel. For all 64-bit systems you will want to look for the kernels that include “_64” in the title.

  3. Author Photo

    Any particular reason for the “latest-kernel” to stuck at 4.18.6 ?

  4. Author Photo
    Benjamin A Blouin

    Update?

  5. Author Photo
    طراحی سایت

    Great and useful post, Thanks for sharing
    Bookmarking the blog for future reference.

  6. Author Photo

    What is the expected performance impact of the mitigation?

    • Author Photo

      Viktor: We don’t anticipate performance impacts coming from ZombieLoad mitigation. However, disabling HyperThreading as part of our mitigation strategy for speculative operation vulnerabilities poses a clear challenge regarding performance, so accordingly we’ve been working to minimize its impact on our platform. (You can find more discussion on HyperThreading here.)

      If you’re seeing degraded performance on any of your Linodes, please reach out to us so we can help investigate and find a solution.

  7. Author Photo

    Can we use the new kernel for Debian 7 machines?

    • Author Photo

      Hi Mike – Yes. No issues with our latest kernel and Debian 7. I’d recommend reading through our Reboot Survival guide, though, if it’s been awhile since you’ve needed to reboot some of your machines:

      > https://www.linode.com/docs/guides/reboot-survival-guide/

      If you’ve regularly kept your server up to date, issued reboots periodically and have always used the latest kernel, you’re more likely to be okay if you continue to use it. Having a restore plan in place in the event anything goes wrong is always recommended, though, since there are a lot of variables at play.

  8. Author Photo

    Other posts mentioned a live-migration capability now. That doesn’t work for host updates?
    Are you moving towards the only needed reboots to be for upgrade/downgrades and updating our kernel?

    • Author Photo

      Hi Avi – Technically speaking, for small scale host updates, live migrations would work. Though since CPU vulnerability mitigation is a much larger effort, it’s logistically more efficient to cold migrate servers to patched hosts, or apply the needed patches during the maintenance window. As for your second question:

      > Are you moving towards the only needed reboots to be for upgrade/downgrades and updating our kernel?

      Yes, though this is a long term effort, and I don’t have anything immediate to share regarding an ETA.

留下回复

您的电子邮件地址将不会被公布。 必须填写的字段被标记为*