Information about Meltdown and Spectre vulnerability fixes
72 Ansichten
15.07.2020 
Cloud / Dedicated Server (Bare Metal)
(this table reflects the situation at a given moment and is constantly evolving.)
Introduction
As we communicated, OVH has been informed of the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) security vulnerabilities, making a large part of computer equipment in operation vulnerable to potential attacks, particularly those equipped with Intel CPUs.
Our technical teams are currently continuing to work on securing OVH infrastructures in order to minimize the exposure of your services to these vulnerabilities.
Restarting of some services has already begun, so that we can apply the first tested and approved stability patches to our systems, both in the operating systems of the machines and their kernel as well as in the microcode.
What should you do?
Some services, which are entirely managed by OVH, will not require any manipulation on your part: Domains, Metrics and Logs Data Platform, xDSL, VoIP, DBaaS, OVH Load Balancer, vRack, Exchange, MX Plan, Web Hosting, Cloud Desktop, VDI, CDN, Swift, CEPH, NAS-HA, Public Cloud Storage and Public Cloud Archive.
OVH is working to secure the infrastructures concerned, applying the patches provided by the operating system and motherboard vendors as they become available. Some operations require a reboot of the machine, which could cause an interruption of service for a short time.
Securing certain other services such as dedicated servers, Public Cloud instances, VPS or Private Cloud will require additional action on your part, consisting of applying the recommended update of the operating system vendor of your servers.
Here is :
- General information about these vulnerabilities ;
- A detailled list of all OVH products and all actions in progress and/or actions you need to do (please read carefully this section)
To help you, we also offer you a non-exhaustive table listing the updates available for the main versions of the operating systems.
General informartion
|
|
Spectre - Variant 1 *** Bounds Check Bypass (CVE-2017-5753) |
Spectre - Variant 2 *** Branch Target Injection (CVE-2017-5715) |
Meltdown *** Rogue Data Cache Load Meltdown (CVE-2017-5754) |
|---|---|---|---|
|
|
Spectre - Variant 1 *** Bounds Check Bypass (CVE-2017-5753) |
Spectre - Variant 2 *** Branch Target Injection (CVE-2017-5715) |
Meltdown *** Rogue Data Cache Load Meltdown (CVE-2017-5754) |
| Linux |
Status : DONE Most distributions have recompiled their Kernel using LFENCE instruction. Softwares need to be recompiled with a patched compiler using LFENCE instruction to stop speculation. |
Mitigation 1: IN PROGRESS Two conditions to be protected, A and B: A) boot the OS with the new microcodes to activate new flags in CPU (the SPEC_CTRL and PRED_CMD MSRs). Two ways to do this: Option.1) charge microcode after BIOS and at the very beginning of kernel boot. The new microcode has to be loaded to the CPU each time the OS starts. Option.2) upgrade BIOS, so BIOS will load new microcode in CPU, before the OS boot phase. Once the BIOS is upgraded, the system will load with new microcode automatically. IN PROGRESS OVH already released any microcode and BIOS that vendors provided. B) Install a kernel that is integrating the new IBRS and IBPB patches that are using the new CPU MSR, made available by the microcode update in A) to successfully mitigate the vulnerability. On Linux, those patches have been integrated in latest kernels (4.14.14 as well as 4.9.77), and they have been compiled with a GCC with retpoline support. DONE
Openstack KVM/Qemu:
Mitigation 2: DONE Patch compilers to avoid any indirect jump and use a static trampoline (aka retpoline) gcc have a pending patch to introduce this feature. But if you recompile the kernel with this, it'll fix only the kernel itself. If the kernel is fixed, you'll not be able to read kernel memory, but you'll still be able to read other process memory. All software have to be recompiled with mitigation to be secured. https://lkml.org/lkml/2018/1/3/780 https://googleprojectzero.blogspot.fr/2018/01/reading-privileged-memory-with-side.html GCC patches for retpoline: http://git.infradead.org/users/dwmw2/gcc-retpoline.git/shortlog/refs/heads/gcc-7_2_0-retpoline-20171219 |
Status: DONE Kernel patch to isolate kernel space and user space (aka KPTI). It is available in kernel vanilla 4.14.11+, 4.9.75+, 4.4.110+ Linux distributions are backporting the patches themselves in their own kernel versions, refer to our list of patches available per distribution for more information. |
| Windows |
Status: DONE Softwares need to be recompiled with a patched compiler using LFENCE instruction to stop speculation. |
Two conditions to be protected, A and B:
A) boot the OS with the new microcodes to activate new flags in CPU (the SPEC_CTRL and PRED_CMD MSRs), there are 2 ways to do this:
A.Option.1) charge microcode after BIOS and at the very beginning of kernel boot. In progress with Windows. A.Option.2) upgrade BIOS, so BIOS will load new microcode in CPU, before the OS boot phase. Once the BIOS is upgraded, the system will load with new microcode automatically. Works with all OS. IN PROGRESS OVH already released any microcode and BIOS that vendors provided.
B) Install the latest Windows security updates that integrates the patches that are using the new CPU MSR, made available by the microcode update in A) to successfully mitigate the vulnerability. Note that you must also have a compatible Antivirus for this security install to be available, refer to the OS matrix for details.
Status: DONE refer to the OS matrix for details
|
Status: DONE |
| BSD |
Status per OVH services and products
|
SERVICE
|
PRODUCT
|
|
WHAT HAS TO BE DONE By Who ? |
Spectre - Variant 1 *** Bounds Check Bypass (CVE-2017-5753) |
Spectre - Variant 2 *** Branch Target Injection (CVE-2017-5715) |
Meltdown *** Rogue Data Cache Load Meltdown (CVE-2017-5754) |
|---|---|---|---|---|---|---|
|
SERVICE
|
PRODUCT
|
|
WHAT HAS TO BE DONE By Who ? |
Spectre - Variant 1 *** Bounds Check Bypass (CVE-2017-5753) |
Spectre - Variant 2 *** Branch Target Injection (CVE-2017-5715) |
Meltdown *** Rogue Data Cache Load Meltdown (CVE-2017-5754) |
| Cloud IaaS |
Dedicated Server (aka Baremetal) | KS, SYS, SP, MG, EG, HG, FS, GAME | Service update (OVH side) |
Status: PROTECTABLE |
Status: IN PROGRESS Linux:
Windows:
|
Status: PROTECTABLE
Linux : 4.14.14 and 4.9.77 are available via Netboot Windows: Microsoft proposes the patch. |
| Cloud IaaS |
Dedicated Server (aka Baremetal) | KS, SYS, SP, MG, EG, HG, FS, GAME |
OS Update (Customer action needed) |
Linux: PROTECTABLE Linux : 4.14.14 and 4.9.77 are available via Netboot : please update your kenel or use Netboot.
Windows: PROTECTABLE Clic here for more information
| ||
| Cloud IaaS |
Public Cloud (aka PCI) | OpenStack KVM |
Service update (OVH side) |
OS: PROTECTED
VM to KVM: PROTECTED (variant 1 doesn't cross VM boundaries) VM to VM: PROTECTED (variant 1 doesn't cross VM boundaries) |
Microcode: IN PROGRESS OS: DONE VM to KVM: PROTECTED
VM to VM: PROTECTED
MSR exposed to VM: DONE update from KVM |
PROTECTED KVM is not impacted. |
| Cloud IaaS |
Public Cloud (aka PCI) | OpenStack KVM |
VM's OS update (Customer action needed)
|
PROTECTED KVM is not impacted. | ||
| Cloud IaaS | VPS | 2014 powered by pCC |
Service update (OVH side) |
OS: IN PROGRESS
VM to ESXi: PROTECTED (variant 1 doesn't cross VM boundaries) VM to VM: PROTECTED (variant 1 doesn't cross VM boundaries) |
OS: PROTECTED
VM to ESXi: PROTECTED
VM to VM: PROTECTED |
OS: PROTECTED
VM to ESXi: PROTECTED
VM to VM: PROTECTED |
| Cloud IaaS | VPS | 2014 powered by pCC | CUSTOMER |
Managed by OVH (line above) |
Managed by OVH (line above) |
Managed by OVH (line above)
|
| Cloud IaaS | VPS | 2016 powered by pCI |
Service update (OVH side) |
OS: IN PROGRESS
VM to KVM: PROTECTED (variant 1 doesn't cross VM boundaries) VM to VM: PROTECTED (variant 1 doesn't cross VM boundaries) |
Microcode: IN PROGRESS OS: DONE VM to KVM: WAIT Cloud-IaaS/Baremetal VM to VM: WAIT Cloud-IaaS/Baremetal
MSR exposed to VM: DONE update from KVM |
PROTECTED KVM is not impacted. |
| Cloud IaaS | VPS | 2016 powered by pCI |
VM's OS update (Customer action needed) | |||
| Cloud IaaS |
Private Cloud (aka PCC) | vSphere 4.1/5.0/5.1/5.5 | Service (OVH/CUSTOMER) |
IN PROGRESS There is no patch to protect vSphere 4.1/5.0/5.1, OVH advices the customer to upgrade pCC to vSphere 6.0/6.5. It's free. vSphere 5.5 is vulnerable, waiting for VMware to patch. No ETA. |
There is no patch to protect vSphere 4.1/5.0/5.1, Ovh advices the customer to upgrade pCC to vSphere 6.0/6.5. It's free. vSphere 5.5 : PROTECTED |
There is no patch to protect vSphere 4.0/4.1/5.0/5.1/5.5, Ovh advices the customer to upgrade pCC to vSphere 6.0/6.5. It's free. VMware can propose the patch for vSphere 5.5. No ETA. |
| Cloud IaaS |
Private Cloud based on AMD hosts (aka PCC)
| vSphere 6.0/6.5 |
Service update (OVH side) All host : 100% patched |
OS: PROTECTED
VM to KVM: PROTECTED VM to VM: PROTECTED
|
OS: PROTECTED
VM to ESXi: PROTECTED VM to VM: PROTECTED |
PROTECTED AMD is not vulnerable (AMD statement URL) |
| Cloud IaaS |
Private Cloud based on AMD hosts (aka PCC) | vSphere 6.0/6.5 |
VM's OS update (Customer action needed) |
PROTECTED AMD is not vulnerable (AMD statement URL) | ||
| Cloud IaaS |
Private Cloud based on Intel hosts (aka PCC) | vSphere 6.0/6.5 |
Service update (OVH side) https://hosted-private-cloud.status-ovhcloud.com/incidents/89jqnyth2113 All host : 100% patched |
OS: PROTECTED
VM to ESXi: PROTECTED VM to VM: PROTECTED |
OS: PROTECTED
VM to ESXi: PROTECTED VM to VM: PROTECTED
MSR exposed to VM: WAIT update from VMware |
OS: PROTECTED
VM to ESXi: PROTECTED
VM to VM: PROTECTED
|
| Cloud IaaS |
Private Cloud based on Intel hosts (aka PCC) | vSphere 6.0/6.5 |
VM's OS update (Customer action needed) | |||
| Cloud IaaS |
Cloud Desktop aaS (aka VDI) | Horizon 7 aaS |
Service update (OVH side) https://bare-metal-servers.status-ovhcloud.com/incidents/t3py38ybz4fx
|
OS: PROTECTED
VDI to ESXi: PROTECTED
VDI to VDI: PROTECTED |
OS: PROTECTED
VDI to ESXi: IN PROGRESS
VDI to VDI: PROTECTED
MSR exposed to VDI: WAIT update from VMware |
OS: PROTECTED
VDI to ESXi: PROTECTED
VDI to VDI:PROTECTED
|
| Cloud IaaS |
Cloud Desktop aaS (aka VDI) | Horizon 7 aaS | CUSTOMER | Managed by OVH (see line above) | Managed by OVH (see line above) | Managed by OVH (see line above) |
| Cloud IaaS | Private Cloud Desktop | Horizon 7 over pCC |
Service update (OVH side) https://hosted-private-cloud.status-ovhcloud.com/incidents/89jqnyth2113 |
OS: PROTECTED
VDI to ESXi: PROTECTED
VDI to VDI: PROTECTED |
OS: PROTECTED
VDI to ESXi: IN PROGRESS
VDI to VDI: PROTECTED
MSR exposed to VDI: WAIT update from VMware |
OS: PROTECTED
VDI to ESXi: IN PROGRESS
VDI to VDI:PROTECTED
|
| Cloud IaaS | Private Cloud Desktop | Horizon 7 over pCC | CUSTOMER | Managed by OVH (see line above) | Managed by OVH (see line above) | Managed by OVH (see line above) |
| Cloud IaaS | CaaS | Container aaS / Mesos / Docker | Service update (OVH side) |
Linux: WAIT Cloud-IaaS/Baremetal |
Linux: WAIT Cloud-IaaS/Baremetal |
Status: DONE |
| Cloud IaaS | CaaS | Container aaS / Mesos / Docker | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Cloud storage |
Object Storage (aka PCS) | Openstack Swift | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Cloud storage |
Object Storage (aka PCS) | Openstack Swift | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Cloud storage | Block Storage | Ceph | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Cloud storage | Block Storage | Ceph | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Cloud storage | NAS | NFS/ZFS | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Cloud storage | NAS | NFS/ZFS | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Cloud storage | vRack (L2) | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Cloud storage | vRack (L2) | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Cloud network | IP LB | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Cloud network | IP LB | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Cloud network | vRouter | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Cloud network | vRouter | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Cloud network | Dedicated Connect (L2) | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Cloud network | Dedicated Connect (L2) | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Cloud network | vRack Connect (L3) | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Cloud network | vRack Connect (L3) | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Cloud PaaS | DBaaS | MySQL | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Cloud PaaS | DBaaS | MySQL | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Cloud PaaS | DBaaS | PgSQL | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Cloud PaaS | DBaaS | PgSQL | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Cloud PaaS | DataPlateform Metric | Warp 10™, OpenTSDB, Prometheus, InfluxDB Graphite | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Cloud PaaS | DataPlateform Metric | Warp 10™, OpenTSDB, Prometheus, InfluxDB Graphite | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Cloud PaaS | DataPlateform Logs | Elastic Search | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Cloud PaaS | DataPlateform Logs | Elastic Search | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | Domain Name | DNS | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Web and Telecom | Domain Name | DNS | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | Domain Name | AnyCast | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Web and Telecom | Domain Name | AnyCast | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom |
Web Hosting (aka Shared Hosting) | LXC |
Service update (OVH side) https://web-cloud.status-ovhcloud.com/incidents/zkngm354nk96 |
Status: DONE |
Status: DONE |
Linux: PROTECTED |
| Web and Telecom |
Web Hosting (aka Shared Hosting) | LXC | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | Mxplan | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Web and Telecom | Mxplan | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Web and Telecom | Exchange | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED | ||
| Web and Telecom | Exchange | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Web and Telecom | Collaborative Tools | Sharepoint / OneDrive | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Web and Telecom | Collaborative Tools | Sharepoint / OneDrive | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | xDSL | ADSL, SDSL, VDSL | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Web and Telecom | xDSL | ADSL, SDSL, VDSL | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | xDSL | OTB | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Web and Telecom | xDSL | OTB | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | VoIP | SIP Softphone | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Web and Telecom | VoIP | SIP Softphone | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | VoIP | SIP/MGCP Hardphone | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Web and Telecom | VoIP | SIP/MGCP Hardphone | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
| Web and Telecom | SMS/FAX | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED | |
| Web and Telecom | SMS/FAX | CUSTOMER | Nothing to do | Nothing to do | Nothing to do | |
| Web and Telecom | hubiC | Based on PCS | Service update (OVH side) |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
Status: NOT EXPOSED |
| Web and Telecom | hubiC | frontend, apps, desktop | CUSTOMER | Nothing to do | Nothing to do | Nothing to do |
Einen Dedicated Server absichern
4248