
This page includes the current information on released updated packages and templates, as well as recommendations related to dealing with the Meltdown and Spectre CPU vulnerabilities. The page will be updated as soon as we have new information for you.

Meltdown and Spectre are bugs in CPU architecture that apply to most modern processors including Intel, AMD and ARM. These issues have been observed on personal computers, mobile devices and in the cloud. These vulnerabilities allow programs to access data that is being processed on the computer. As a result, a malicious program can take advantage of the Meltdown and Spectre vulnerabilities and access data stored in the memory of other running programs. For additional information, refer to Meltdown & Spectre – x86/x64 architecture bug – what you need to know.

General update on Xen

As you may know, there isn't a full mitigation for all CVEs available yet, and the upcoming fixes will not be straightforward. You can keep up to date with proceedings at the Xen Project Blog.

From our side, our priority is ensuring we are in a position to roll in any changes, validate and confirm compatibility as soon as possible once patches which allow full mitigation become available. In OnApp 5.5 we made changes to interact with CentOS 7 Xen compute resources via Libvirt rather than the native Xen Toolkit (xm/xl), to unify with how we work with KVM compute resources. We are now fast-tracking work to do the same for CentOS 6. This will allow us to support newer versions of Xen, as it appears unlikely that it will be possible to backport the fixes as far as Xen 4.4 and possibly 4.6.

Currently, we support Xen 4.4 (CentOS 6) and Xen 4.6 (CentOS 7), so we are working as a priority to enable and test support for at least Xen 4.8. We expect to release these changes as an update to OnApp 5.5 as well as 5.7, the upcoming edge release. We are investigating the Comet mitigation for Meltdown under Xen; although this has not yet been released upstream for our target Xen release (4.8), it is expected in the near future.

Update [Jan 17, 2018 1:51am PT]

  • CloudBoot updates for KVM compute resources running CentOS 6 and OnApp 5.0 are now available. For more information, refer to OnApp 5.0 CloudBoot KVM Security Update.
  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64

  • Cloudboot KVM Compute Resource (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

  • Cloudboot Xen Compute Resource  (CentOS 7)

    • See 'General update on Xen' above

Update [Jan 15, 2018 08:51pm PT]

  • We've hit some issues in testing the KVM/CentOS 6/OnApp 5.0 combination. We are working on rectifying those and will release the update as soon as all tests have passed successfully.
  • We have tested and verified the latest kernels available for Xen Static compute resources with no issues detected:
    • CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • CentOS 7 - kernel-4.9.75-29.el7.x86_64

    To update, run /onapp/onapp-hv-install/onapp-hv-xen-install.sh and then reboot for the new kernel to take effect.

  • Further kernel updates are expected in the near future to introduce Retpoline, which helps to protect against Spectre.
  • We are investigating the Comet mitigation for the Meltdown vulnerability under Xen. This mitigation has not yet been released upstream for our target Xen release (4.8).
  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64

  • Cloudboot KVM Compute Resource  (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

  • Cloudboot Xen Compute Resource  (CentOS 7)

    • See 'General update on Xen' above

Update [Jan 12, 2018 07:08pm PT]

  • Cloudboot updates for KVM compute resources running CentOS 6 and OnApp 5.5 are now available. For more information, refer to OnApp 5.5 CloudBoot KVM Security Update.

  • Testing of other images will be ongoing over the weekend. All going well, the KVM/CentOS 6/OnApp 5.0 combination will be released on Monday. Further updates to follow then.
  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • See 'General update on Xen' above

  • Cloudboot KVM Compute Resource  (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

  • Cloudboot Xen Compute Resource  (CentOS 7)

    • See 'General update on Xen' above

Update [Jan 12, 2018 12:18pm PT]

  • The new Windows 2012 R2 std win12_x64_std_r2-ver4.5-kvm_virtio.tar.gz KVM template that includes the latest security fixes is now available.

  • The new Windows 2012 R2 std win12_x64_std_r2-ver4.5.tar.gz Xen template that includes the latest security fixes is now available.

Update [Jan 11, 2018 14:30pm PT]

  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • See 'General update on Xen' above

  • Cloudboot KVM Compute Resource  (CentOS 6)

    • Updated images in testing for 5.0 and 5.5. 

    • We are running compressed test cycles, so far all looks positive and we hope to release as stable in the coming days. 

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

  • Cloudboot Xen Compute Resource  (CentOS 7)

    • See 'General update on Xen' above

Update [Jan 11, 2018 7:18am PT]

  • OnApp static KVM compute resources under RHEL/CentOS 6.x should update the qemu-kvm component to the 0.12.1.2-2.503 version to address CVE-2017-5715.

Update [Jan 11, 2018 2:52am PT]

  • To update the OS components of your KVM-based application servers, use the Application Server OS Components Update instructions. It is not yet recommended to update Application Servers running on Xen Hypervisors due to issues booting the latest kernel.

Update [Jan 10, 2018 7:02am PT]

  • The new CentOS 6.6 ApplicationServer x86_64 template (KVM only) that includes the fixes will be available via Template Server within the next hour.

Update [Jan 10, 2018 1:45am PT]

Update [Jan 9, 2018 9:52am PT]

  • An updated Debian 8.10 x64 template has been released to address CVE-2017-5754 and should be available shortly.

Update [Jan 9, 2018 8:56am PT]

  • A new Debian 7.0 x64 template has been created to address CVE-2017-5754 and should now be available.

Update [Jan 9, 2018 6:34am PT]

  • The new ubuntu-17.10-x64-1.0-xen.kvm.kvm_virtio.tar.gz template that includes the fixes will be available via Template Server within the next hour. 

Update [Jan 9, 2018 4:05am PT]

  • On 5 January 2018, Microsoft updated its patches for Windows 8.1/2012R2 to version 2.

Update [Jan 8, 2018 8:08am PT]

  • The Ubuntu 16.04 x86_64 template for Xen and KVM has been updated and will be available within the next hour. 

Update [Jan 7, 2018 5:55am PT]

  • The Debian 9.3 x86_64 template for Xen and KVM has been updated to address CVE-2017-5754. We are continuing to monitor the Linux distros closely and will continue to release new templates as updates become available. 
  • An updated CloudBoot image for CentOS 6 KVM (OnApp 5.5) has passed basic smoke tests and is currently undergoing longer, more strenuous testing. Further updates to follow.

Update [Jan 5, 2018 9:05am PT]

  • To summarise the position for Cloud infrastructure:
  • CentOS 7.x Control Panel, Static Backup Servers and Static KVM Compute Resources should be updated to at least kernel version 3.10.0-693.11.6.el7.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. This can be completed with 'yum update kernel' followed by a reboot.
  • CentOS 6.x Control Panel, Static Backup Servers and Static KVM Compute Resources should be updated to at least kernel version 2.6.32-696.18.7.el6.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. This can be completed with 'yum update kernel' followed by a reboot.
  • Further updates will be announced relating to Xen Static and Xen and KVM CloudBoot Compute Resources once available. 
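
The version floors given in these updates (the CentOS 6.x/7.x kernel minimums here and the qemu-kvm 0.12.1.2-2.503 floor from the Jan 11 update) can be checked on a host with a short script. This is an added example, not OnApp tooling; the function names and the use of GNU `sort -V` for the comparison are assumptions of the example.

```shell
#!/bin/sh
# Added example: compare kernel and qemu-kvm versions with the floors quoted on this page.
MIN_EL6_KERNEL="2.6.32-696.18.7"   # CentOS 6.x kernel floor (page value)
MIN_EL7_KERNEL="3.10.0-693.11.6"   # CentOS 7.x kernel floor (page value)
MIN_EL6_QEMU="0.12.1.2-2.503"      # CentOS 6.x qemu-kvm floor (page value)

# version_ge A B: succeeds when A >= B. Inputs are digits, dots and dashes only,
# so GNU `sort -V` compares them field by field numerically.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_status RELEASE: prints patched, outdated or unknown.
# RELEASE has the form printed by `uname -r`.
kernel_status() {
    case "$1" in
        2.6.32-*.el6*) min=$MIN_EL6_KERNEL ;;
        3.10.0-*.el7*) min=$MIN_EL7_KERNEL ;;
        *) echo unknown; return 0 ;;   # e.g. the 4.9.x Xen kernels, tracked separately
    esac
    # Strip the dist tag and architecture before comparing.
    if version_ge "${1%%.el[67]*}" "$min"; then echo patched; else echo outdated; fi
}

# qemu_status VERSION-RELEASE: same verdicts for the CentOS 6 qemu-kvm package.
qemu_status() {
    case "$1" in
        *.el6*) ;;
        *) echo unknown; return 0 ;;
    esac
    if version_ge "${1%%.el6*}" "$MIN_EL6_QEMU"; then echo patched; else echo outdated; fi
}

running=$(uname -r)
echo "running kernel   $running: $(kernel_status "$running")"
if command -v rpm >/dev/null 2>&1; then
    # A patched installed kernel with an outdated running kernel means the
    # reboot is still pending.
    if kernels=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel 2>/dev/null); then
        for k in $kernels; do
            echo "installed kernel $k: $(kernel_status "$k")"
        done
    fi
    if q=$(rpm -q --qf '%{VERSION}-%{RELEASE}' qemu-kvm 2>/dev/null); then
        echo "qemu-kvm         $q: $(qemu_status "$q")"
    fi
fi
```

A host that reports the running kernel as outdated while an installed kernel is patched has been updated but not yet rebooted.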

Update [Jan 5, 2018 8:42am PT]

  • CentOS 7.4 x86_64 template (KVM only) and Red Hat Enterprise Linux 7.4 x86_64 template (KVM only) have been updated.

Update [Jan 5, 2018 8:12am PT]

  • Virtual Servers running CentOS 7 centosplus are also being reported to have issues booting under Xen with kernel kernel-plus-3.10.0-693.11.6.el7.centos.plus.x86_64, so we recommend not updating Xen-based servers to that kernel at present.

Update [Jan 5, 2018 5:32am PT]

  • Fedora 27 x86_64 template has been added. It is available at templates.repo.onapp.com.
  • A hot migrate to a patched compute resource should be sufficient to ensure that the VS is running the updated libvirt/kvm code. However, the kernel update of the hot migrated VS should still be performed.

Update [Jan 5, 2018 4:00am PT]

  • It is not recommended to upgrade the kernel on CentOS and Red Hat Enterprise Linux Server release 6.x Xen virtual servers to version >= 2.6.32-696.18.7.el6.x86_64. Virtual servers with the new kernel(s) currently appear to be failing to boot.

Update [Jan 4, 2018 8:02am PT]

Update [Jan 4, 2018 6:55am PT]

  • The rhel-6.9-x64-1.3-kvm.kvm_virtio.tar.gz template is marked as KVM only. The new 2.6.32-696.18.7.el6.x86_64 kernel does not boot on Xen.
  • The new centos-6.9-x64-1.3-kvm.kvm_virtio.tar.gz template (KVM only) that includes the fixes will be available via Template Server in an hour.

Update [Jan 4, 2018 3:44am PT]

  • CentOS 7.x KVM Static compute resources should be updated to at least kernel version 3.10.0-693.11.6.el7.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.
  • CentOS 6.x KVM Static compute resources should be updated to at least kernel version 2.6.32-696.18.7.el6.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.
  • The new rhel-6.9-x64-1.3-xen.kvm.kvm_virtio.tar.gz template that includes the fixes will be available via Template Server in an hour.
  • Patches to address the issue are available for Win 7, 8.1, 10, Win Server 2008R2, 2012R2, 2016 at the Microsoft Security TechCenter portal.