17 Jan FINALLY! How to solve the Meltdown & Spectre vulnerabilities on Oracle Linux, Oracle VM and Microsoft Windows
IMPORTANT UPDATE (January 31st 2018)
both hardware and software vendors released patches for the Metldown and Spectre vulnerabilities. However, after a while they all found out the performance impact was bigger than expected. In some cases the patched systems even started to reboot unexpectedly from time to time. That’s why most vendors ask to wait to patch until they’ve released new version of their patches. Oracle patches are available, but customers should test carefully before deploying to their production environments! We’ll provide an update via this article as soon as stable patching is available.
For some of the bigger hardware and software vendors, 2018 started immediately with 2 big challenges, or should we say 3? Challenges to tackle: Meltdown (CVE-2017-5754) & Spectre (CVE-2017-5753 and CVE-2017-5715).
This time it was a hard one to fix for all parties, as some early updates to neutralize the vulnerabilities ended up with serious performance degradation and boot issues.
However, finally they have now released updates to solve both vulnerabilities. The fix will always have some performance impact, so it should be tested carefully. This short article describes what should be done.
First for the users of Oracle Linux and/or Oracle VM:
Oracle released the fixes together with the Critical Patch Update of January 2018 (see link below). Oracle MOS note 2347948.1 provides some more information and links to the fixes. As we speak (January 17th 2018) the fixes on Oracle Linux are only available for Oracle Linux 6 and 7 and only for the Red Hat Compatible Kernel (RHCK) and Unbreakable Enterprise Kernel 4 (UEK4). The other versions are still pending, so Oracle is looking into it to provide a fix (if a fix will be provided for older versions, Linux 5, UEK2, UEK3) (UPDATE January 31st 2018: fixes for UEK2, UEK3 and UEK2 are available now for Linux 5, Linux 6 and Linux 7). Important to know: For those who have Ksplice configured, the fixes cannot be applied using zero-downtime patching. Therefore, it should be performed during a maintenance window and after testing.
What you should do for Oracle Linux:
- Option 1 (preferred option): upgrade your entire OS using yum (yum update)
- Option 2: install (not upgrade) the new kernel and other packages as listed on following pages (as listed within Oracle note 2348448.1):
- https://linux.oracle.com/errata/ELSA-2018-4004.html (will be overruled by ELSA-2018-4006, so this one can be skipped)
Same story for Oracle VM, where the fix is currently only available for Oracle VM version 3.4.
What you should do for Oracle VM:
- Option 1 (preferred option): upgrade your entire Oracle VM server using yum (yum update)
- Option 2: install (not upgrade) the new kernel and other packages as listed on following pages (as listed within Oracle note 2348460.1):
Secondly, Microsoft Windows users should do following:
If you want to have the fix applied, just install the latest Windows Updates and make sure the KB created for your Windows version is listed to be installed (Updates will be pushed towards your system if it has been configured this way). For the list of KB patches which should be installed for each specific Windows version, please check: https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown.
Don’t forget it’ll have a performance impact, so first carefully test the impact for your system. If you do not want to install the fixes/updates that’s perfectly possible. Only think about the fact you’ll stay vulnerable.
At last, also do not forget to check with your hardware vendor if also the firmware should be upgraded or not.
Hopefully you all have the information needed now to solve the vulnerabilities on your servers. Monin can always help customers to apply the fixes mentioned before. Just ask us for more information about how we can help you securing your Red Hat Linux, Oracle Enterprise Linux and or Microsoft Windows so it’s patched for Meltdown & Spectre vulnerabilities. Contact us by phone: +32 3 450 67 89, via e-mail: firstname.lastname@example.org or by filling in the form on this page.
Some interesting links:
- A more detailed description of both vulnerabilities: https://meltdownattack.com/
- More info about the Oracle Critical Patch Update for January 2018: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- More info about Microsoft Windows fixes for Meltdown and Spectre: https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown