What You Need to Do to Mitigate Meltdown and Spectre

Traducciones al Español
Estamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.

Summary

Virtually every processor manufactured in the last 23 years is potentially affected by two recently discovered processor vulnerabilities: Meltdown and Spectre. Linode is continuing to implement patches on data center equipment. In the meantime, update your Linux kernel and reboot to help protect your system.

FAQ

Can this maintenance be postponed or rescheduled?

No. Due to the critical nature and logistical requirements of these updates, we aren’t able to reschedule or push back the provided maintenance windows. Our team is working around the clock to have our infrastructure patched against the Meltdown and Spectre vulnerabilities as quickly as possible.

Can I start this maintenance early?

No. Unlike our scheduled migrations, you won’t be able to initiate the maintenance early.

What’s Linode’s current status on patching these vulnerabilities?

Our current infrastructure status for each vulnerability is listed in our Meltdown and Spectre document found in the chart below.

What does “Phase Complete” in the Linode Manager mean?

Maintenance for the Meltdown and Spectre vulnerabilities is happening in multiple phases, which are described in our Meltdown and Spectre document found here. As each phase is completed for the physical host on which your Linode resides, we will display progress updates in the Linode Manager.

To fully mitigate the Meltdown and Spectre vulnerabilities, additional maintenance will be required in the future. When the future maintenance has been scheduled, we will provide additional information.

You can find more information and stay updated on our progress by checking out the What Should I Do? section below.

When will the next maintenance phase take place?

We don’t yet have an ETA on when the next round of maintenance will begin. Once we do, we’ll provide additional information in the Linode Manager, as well as through Support tickets.

Is there anything that I need to do?

Yes. To further protect your Linode, we strongly recommend that you verify it is configured to boot using the 4.14.11 or newer kernel, which includes patches to help address these vulnerabilities. If your Linode’s Configuration Profile is set to utilize our latest kernel, your kernel will automatically be updated to the patched version upon rebooting.

Can I reboot my Linode with the new kernel to avoid the maintenance?

Yes, but while rebooting with the new kernel will help prepare your Linode for the upcoming maintenance and help protect you against Meltdown, it will not replace the need for this maintenance. In order to fully address the vulnerabilities, we will need to perform maintenance on our infrastructure as scheduled. We will update the status of our maintenance phases within the Linode Manager and in the chart below.

What Should I Do?

Linode Infrastructure Status

ExploitFixInformation
MeltdownDeployedPatching is complete.
Spectre-V1DeployedPatching is complete.
Spectre-V2DeployedPatching is complete.

Update: Spectre-V2 Patch

The patch for Spectre-V2 has been released for your Linode. You can deploy the Linode-level patch including the newly released Retpoline fix by updating your Linode’s kernel.

If you use a Linode-supplied kernel follow these steps to make sure your Linode has the latest fix. If you use a distribution-supplied kernel, please check your distribution’s website for more information.

Spectre-V2 mitigation is a two-stage process. The second stage is host-level fixes. Host-level patching has been completed across Linode’s entire fleet as of May 22, 2018.

What does this mean for Linode Customers?

Earlier this year, the tech world was buzzing about two processor vulnerabilities, Meltdown and Spectre. These are extremely complex vulnerabilities, and the extent of affected hardware is not yet fully known. In short, they allow cached information in your system’s memory to be read by an attacker.

Virtually all devices, including Linode servers, are potentially vulnerable to one or both of these exploits.

Intel processors are the most susceptible, though Meltdown affects ARM chips as well while Spectre can potentially be exploited on any processor type. See meltdownattack.com for the technical details on these vulnerabilities.

Meltdown

The Linux kernel source code was patched for Meltdown on January 2, 2018 with the release of 4.14.11. Earlier this week, Linode began updating its host systems with a patched kernel.

For your Linode to be secure against Meltdown, both our hosts and your Linode need to be patched.

The Linode Latest kernel was upgraded accordingly and 4.14.12 is currently available. If you use the Linode kernel, reboot into 4.14.11 or later to help secure your Linode against Meltdown.

How to Reboot into an Updated Linode Kernel

  1. Go to your Linode’s dashboard and edit your configuration profile.

  2. Under Boot Settings, select Latest 64 Bit.

  3. Reboot your Linode and verify your kernel version:

    root@localhost:~# uname -r
    4.14.12-x86_64-linode92
    

How to Update a Distribution-Supplied Kernel

If you boot your Linode using the GRUB or Direct Disk boot setting, your kernel is supplied by your distribution’s maintainers, not Linode. If you’ve compiled your own kernel, you’ll need to recompile using the 4.14.11 or later source code.

  1. Update your kernel to the latest available version using the distribution’s package manager:

    CentOS

     sudo yum update kernel
    

    Debian

     sudo apt-get update
     sudo apt-get upgrade linux-base
    

    Ubuntu

     sudo apt-get update
     sudo apt-get upgrade linux-generic
    
  2. Reboot your system. When it comes back up, use the command uname -r to verify you are running the new kernel against the patched version given in your distribution’s security bulletin (see links below). This is also the recommended mitigation path for any hardware you use at home: your laptop, network hardware, and home servers.

    CentOS 6 (see the Overview tab), CentOS 7, Debian, Ubuntu.

Spectre

Where Meltdown is a specific attack implementation, Spectre targets the way modern CPUs work, regardless of speculative execution. Nearly all computing platforms manufactured since 1995 are vulnerable to Spectre, including non-x86 systems such as ARM, IBM PowerSystems, and other architectures.

How does the Meltdown patch affect me?

As a result of the mitigation put in place by the Linux kernel, there may be a small reduction in performance. The performance impact greatly depends on whether your workload is heavy on system calls and disk I/O. This applies to any system with an affected CPU, regardless of whether it is cloud-based or not.

How can I stay updated with Linode’s progress?

The Linode blog will be updated daily with our progress of the fleet reboot, patches and other related issues.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

This page was originally published on


Your Feedback Is Important

Let us know if this guide was helpful to you.


Join the conversation.
Read other comments or post your own below. Comments must be respectful, constructive, and relevant to the topic of the guide. Do not post external links or advertisements. Before posting, consider if your comment would be better addressed by contacting our Support team or asking on our Community Site.
The Disqus commenting system for Linode Docs requires the acceptance of Functional Cookies, which allow us to analyze site usage so we can measure and improve performance. To view and create comments for this article, please update your Cookie Preferences on this website and refresh this web page. Please note: You must have JavaScript enabled in your browser.