Kernel Update required for "Spectre/Meltdown" issue

NAME: Meltdown and Spectre Hardware Issues
Description: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Related CVE(s): CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
NVD Severity: medium (attack range: local)
Document Last Updated: January 07, 2018

Summary

  • All unpatched versions of Linux are vulnerable when running on affected hardware, across all platforms (AWS, GCE, etc.).
  • Fixes are included in the stable kernels 4.4.110 (for the 4.4 series), 4.9.75 (for 4.9) and 4.14.12 (for 4.14).
  • kOps can run an image of your choice, so we can only provide detailed advice for the default image.
  • By default, kOps runs an image that includes the 4.4 kernel. An updated image is available with the patched kernel (4.4.110). Users running the default image are strongly encouraged to upgrade.
  • If you are running another image, please see your distribution for updated images.

CVEs

Three CVEs have been made public, representing different ways to exploit the same underlying speculative-execution hardware issue:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

The kernel updates that are the subject of this advisory are primarily intended to mitigate CVE-2017-5753 and CVE-2017-5754.

Detecting vulnerable software

The patched kernels enable Kernel Page Table Isolation (KPTI), the mitigation for Variant 3 (CVE-2017-5754), and log it at boot. If you do not see "Kernel/User page tables isolation: enabled" in dmesg, you are vulnerable. Two caveats: this line confirms only the Variant 3 mitigation, not anything about Variants 1 and 2; and dmesg is a ring buffer that may have wrapped on a long-running instance, so a missing line on such a host should be cross-checked against the running kernel version (uname -r) or the persisted boot log (journalctl -k or /var/log/kern.log).

dmesg -H | grep 'page tables isolation'
      [  +0.000000] Kernel/User page tables isolation: enabled
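The check above, as a small script that can be run across a fleet or against saved logs. This is an added example for this advisory, not code from the kOps project; the log excerpts inside it are constructed, and the sysfs path it prefers only exists on stable kernels newer than the fixed versions listed above.

```shell
#!/bin/sh
# Added example for this advisory; not code from the kOps project.
# pti_state reads kernel log text on stdin and classifies the KPTI boot
# message. It answers only for Variant 3 (CVE-2017-5754): KPTI says nothing
# about Variants 1 and 2.
pti_state() {
    awk '
        /Kernel\/User page tables isolation: enabled/  { state = "enabled" }
        /Kernel\/User page tables isolation: disabled/ { state = "disabled" }
        END { if (state == "") state = "unknown"; print state }
    '
}

# check_host inspects the machine this runs on. Stable kernels newer than the
# fixed versions in this advisory also expose
# /sys/devices/system/cpu/vulnerabilities/meltdown ("Mitigation: PTI" when
# patched, "Vulnerable" otherwise); it is preferred where present because the
# dmesg ring buffer may have wrapped on a long-running node, in which case
# "unknown" only means the line was not found, not that KPTI is off.
check_host() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$sysfs" ]; then
        cat "$sysfs"
    else
        dmesg 2>/dev/null | pti_state
    fi
}

# Constructed sample log excerpts (not captured from a real host) covering the
# three outcomes. "disabled on command line." is the kernel's message when it
# is booted with nopti.
SAMPLE_PATCHED='[    0.000000] Linux version 4.4.110 (constructed sample)
[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_NOPTI='[    0.000000] Linux version 4.4.110 (constructed sample)
[    0.000000] Kernel/User page tables isolation: disabled on command line.'
SAMPLE_UNPATCHED='[    0.000000] Linux version 4.4.104 (constructed sample)'

# Pass --host to inspect the local machine instead of the samples, or pipe
# a saved boot log through pti_state:  journalctl -k | pti_state
if [ "${1:-}" = "--host" ]; then
    check_host
    exit 0
fi
printf '%s\n' "$SAMPLE_PATCHED"   | pti_state   # enabled
printf '%s\n' "$SAMPLE_NOPTI"     | pti_state   # disabled
printf '%s\n' "$SAMPLE_UNPATCHED" | pti_state   # unknown
```

Treat "unknown" as "investigate", not "patched": an unpatched 4.4 kernel prints nothing at all, and so does a patched one whose boot messages have rotated out of the ring buffer.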

Impacted Maintained Component(s)

  • Patches for the Linux kernel were released on 2018-01-05. All images built before that date likely need updates.
  • The AMIs maintained by kubernetes/kops are the maintained component that is vulnerable, although the issue likely affects all users regardless of image.

Fixed Versions

For the kops-maintained AMIs, the following AMIs contain an updated kernel:

  • kope.io/k8s-1.5-debian-jessie-amd64-hvm-ebs-2018-01-05
  • kope.io/k8s-1.6-debian-jessie-amd64-hvm-ebs-2018-01-05
  • kope.io/k8s-1.7-debian-jessie-amd64-hvm-ebs-2018-01-05
  • kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2018-01-05
  • kope.io/k8s-1.8-debian-stretch-amd64-hvm-ebs-2018-01-05

These are the images that are maintained by the kubernetes/kops project; please refer to other vendors for the appropriate AMI version.

Update Process

For all examples please replace $CLUSTER with the appropriate kOps cluster name.

List instance groups

kops get ig --name $CLUSTER

Update the image for each instance group

Set spec.image on each instance group to the appropriate patched image, either interactively with kops edit ig <instance-group> --name $CLUSTER, or by editing an exported manifest and applying it with kops replace -f mycluster.yaml. Every instance group, masters included, must be updated; any group left on the old image will keep booting an unpatched kernel.

Preview changes

Perform a dry-run update, verifying that all instance groups are updated.

kops update cluster --name $CLUSTER

Apply changes

Update the cluster configuration, so that new instances will start with the updated image.

kops update cluster --name $CLUSTER --yes

Preview rolling update

Perform a dry-run rolling-update, to verify that all instance groups will be rolled.

kops rolling-update cluster --name $CLUSTER

Roll the cluster

Performing a rolling update of the cluster ensures that all old instances are replaced with new instances running the updated image. Until the roll completes, instances that have not yet been replaced are still running the vulnerable kernel.

kops rolling-update cluster --name $CLUSTER --yes
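The five steps above, automated for a cluster whose instance groups all use the k8s-1.8 Debian jessie image. This is an added example for this advisory, not the kops project's own tooling; it assumes CLUSTER and KOPS_STATE_STORE are exported and kops is on the path, and the instance-group YAML embedded in it is a constructed sample with a placeholder pre-advisory image name.

```shell
#!/bin/sh
# Added example for this advisory; not code from the kOps project. Assumes
# CLUSTER and KOPS_STATE_STORE are exported and that every instance group
# should move to the same patched AMI from the Fixed Versions list.
NEW_IMAGE="kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2018-01-05"

# set_image NEW_IMAGE: filter that rewrites every "image:" value in
# instance-group YAML on stdin, leaving all other fields untouched.
set_image() {
    sed "s|^\([ ]*image:\).*|\1 $1|"
}

# count_unpatched: number of "image:" lines on stdin that are not a
# 2018-01-05 build, i.e. instance groups still to be updated.
count_unpatched() {
    awk '/^[ ]*image:/ && !/2018-01-05/ { n++ } END { print n + 0 }'
}

# Constructed sample of what `kops get ig --name $CLUSTER -o yaml` returns
# (not captured from a real cluster); the image name is a placeholder.
SAMPLE_IGS='apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  name: master-us-east-1a
spec:
  image: kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2017-12-02
  machineType: m3.medium
  role: Master
---
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  name: nodes
spec:
  image: kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2017-12-02
  machineType: t2.medium
  role: Node'

# apply_and_roll: the advisory's sequence against a real cluster. Each dry
# run precedes its --yes counterpart so the planned changes can be inspected,
# and nothing is replaced if any instance group still points at an old image.
apply_and_roll() {
    kops get ig --name "$CLUSTER" -o yaml > ig-current.yaml
    set_image "$NEW_IMAGE" < ig-current.yaml > ig-patched.yaml
    if [ "$(count_unpatched < ig-patched.yaml)" != 0 ]; then
        echo "some instance groups still reference an old image; aborting" >&2
        return 1
    fi
    kops replace -f ig-patched.yaml
    kops update cluster --name "$CLUSTER"              # preview
    kops update cluster --name "$CLUSTER" --yes
    kops rolling-update cluster --name "$CLUSTER"      # preview
    kops rolling-update cluster --name "$CLUSTER" --yes
}

# Offline demonstration on the constructed sample; pass --apply to run
# apply_and_roll against $CLUSTER instead.
if [ "${1:-}" = "--apply" ]; then
    apply_and_roll
    exit $?
fi
echo "before: $(printf '%s\n' "$SAMPLE_IGS" | count_unpatched) instance group(s) unpatched"
echo "after:  $(printf '%s\n' "$SAMPLE_IGS" | set_image "$NEW_IMAGE" | count_unpatched) instance group(s) unpatched"
```

If the cluster mixes Kubernetes versions or Debian releases, pick the matching entry from the Fixed Versions list per instance group rather than one NEW_IMAGE for all of them; the count_unpatched guard still catches any group the rewrite missed.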

Resources / Notes