Basics of Spectre and Meltdown Video

stacksofplates

Both the Red Hat checker and another checker written by someone else show CentOS as patched against variant 1 and Fedora as not for either.

CentOS 7.4:

Fedora 27:

stacksofplates

The Red Hat one shows vulnerable for Meltdown but it lets you know it may give you wrong information if it's not RHEL or CentOS.

Obsolesce

Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.

Anyways:

Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.

https://github.com/hannob/meltdownspectre-patches

Obsolesce

@emad-r said in Basics of Spectre and Meltdown Video:

especially the ppl that use Ubuntu as KVM server .

https://www.qemu.org/2018/01/04/spectre/
https://marc.info/?l=kvm&m=151543506500957&w=2

stacksofplates

@tim_g said in Basics of Spectre and Meltdown Video:

Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.

Anyways:

Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.

https://github.com/hannob/meltdownspectre-patches

ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.

Obsolesce

@stacksofplates said in Basics of Spectre and Meltdown Video:

@tim_g said in Basics of Spectre and Meltdown Video:

Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.

Anyways:

Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.

https://github.com/hannob/meltdownspectre-patches

ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.

Is CentOS is missing the Meltdown microcode fix? (according to your above screenshot)

stacksofplates

@tim_g said in Basics of Spectre and Meltdown Video:

@stacksofplates said in Basics of Spectre and Meltdown Video:

@tim_g said in Basics of Spectre and Meltdown Video:

Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.

Anyways:

Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.

https://github.com/hannob/meltdownspectre-patches

ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.

But CentOS is missing the Meltdown microcode fix? (according to your above screenshot)

No. Top two images are CentOS. They show variants 1 and 3 are mitigated. The second two images are Fedora. Both show vulnerable for variants 1 and 2. The fourth image is the RHEL check and shows vulnerable for Meltdown but I'm assuming that's because it's a RHEL specific check and it's a kernel the check isn't expecting.

The first and third image are the non-RHEL created checks. The second and fourth are made by RHEL.

Obsolesce

@stacksofplates said in Basics of Spectre and Meltdown Video:

@tim_g said in Basics of Spectre and Meltdown Video:

@stacksofplates said in Basics of Spectre and Meltdown Video:

@tim_g said in Basics of Spectre and Meltdown Video:

Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.

Anyways:

Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.

https://github.com/hannob/meltdownspectre-patches

ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.

But CentOS is missing the Meltdown microcode fix? (according to your above screenshot)

No. Top two images are CentOS. They show variants 1 and 3 are mitigated. The second two images are Fedora. Both show vulnerable for variants 1 and 2. The second image is the RHEL check and shows vulnerable for Meltdown but I'm assuming that's because it's a RHEL specific check and it's a kernel the check isn't expecting.

The first and third image are the non-RHEL created checks. The second and fourth are made by RHEL.

Ahh I see.

Obsolesce

And so we wait on Fedora...

https://docs.ovh.com/fr/dedicated/meltdown-spectre-kernel-update-per-operating-system/

stacksofplates

@tim_g said in Basics of Spectre and Meltdown Video:

@stacksofplates said in Basics of Spectre and Meltdown Video:

@tim_g said in Basics of Spectre and Meltdown Video:

@stacksofplates said in Basics of Spectre and Meltdown Video:

@tim_g said in Basics of Spectre and Meltdown Video:

Spectre is still all theoretical at this point from what I understand, much harder to mitigate and exploit than Meltdown.

Anyways:

Fedora - Fixed in FEDORA-2018-8ed5eff2c0 (Fedora 26) and FEDORA-2018-22d5fa8a90 (Fedora 27).
Update - Wed 10 Jan 2018, 08:00 UTC Fedora has pushed to testing new microcode_ctl packages for F26 and F27. They contain the update to upstream 2.1-15.20180108 and include fix for Spectre.

https://github.com/hannob/meltdownspectre-patches

ok? It doesn't matter how difficult it is to leverage. The point was RHEL/CentOS had a fix out in 24 hours. Fedora still doesn't have a fix a week and a half later.

But CentOS is missing the Meltdown microcode fix? (according to your above screenshot)

No. Top two images are CentOS. They show variants 1 and 3 are mitigated. The second two images are Fedora. Both show vulnerable for variants 1 and 2. The second image is the RHEL check and shows vulnerable for Meltdown but I'm assuming that's because it's a RHEL specific check and it's a kernel the check isn't expecting.

The first and third image are the non-RHEL created checks. The second and fourth are made by RHEL.

Ahh I see.

Ya that's just an assumption I'm making about the RHEL check because the other shows it's patched. And I had to edit the script and comment out the function that checks if it's anything other than RHEL/CentOS.

dafyre

I'm not too terribly worried about this. I get the concern, and when patches come out, they will definitely get applied. But until there's some remotely exploitable POC stuff out there, it's not going to be too damaging before then, IMO.

scottalanmiller

@dafyre said in Basics of Spectre and Meltdown Video:

I'm not too terribly worried about this. I get the concern, and when patches come out, they will definitely get applied. But until there's some remotely exploitable POC stuff out there, it's not going to be too damaging before then, IMO.

And especially not if you are on your own servers (not shared) or not on Intel, etc. Lots of people affected, a lot of people not so much.

stacksofplates

@scottalanmiller said in Basics of Spectre and Meltdown Video:

or not on Intel,

Spectre is everyone. So my point still stands here.