Meltdown and Spectre CPU Issues
This page includes the current information on released updated packages and templates, as well as recommendations related to dealing with the Meltdown and Spectre CPU vulnerabilities. The page will be updated as soon as we have new information for you.
Meltdown and Spectre are bugs in CPU architecture that apply to most modern processors including Intel, AMD and ARM. These issues have been observed on personal computers, mobile devices and in the cloud. These vulnerabilities allow programs to access data that is being processed on the computer. As a result, a malicious program can take advantage of the Meltdown and Spectre vulnerabilities and access data stored in the memory of other running programs. For additional information, refer to Meltdown & Spectre – x86/x64 architecture bug – what you need to know.
General update on Xen
As you may know, there isn't a full mitigation for all CVEs available yet, and the upcoming fixes will not be straightforward. You can keep up to date with proceedings at the Xen Project Blog.
From our side, our priority is ensuring we are in a position to roll in any changes, validate and confirm compatibility as soon as possible once patches which allow full mitigation become available. In OnApp 5.5, we made changes to interact with CentOS 7 Xen compute resources via Libvirt to unify with how we work with KVM compute resources rather than the native Xen Toolkit (xm/xl). In OnApp 5.7, we implemented the same for CentOS 6 to allow us to support newer versions of Xen with minimal codebase changes moving forward.
Currently, we support:
- OnApp 5.0: Xen 4.4 (CentOS 6)
- OnApp 5.5: Xen 4.4 and Xen 4.6 starting with the 5.5.0-75 update (CentOS 6); Xen 4.6 (CentOS 7)
Updated [Nov 01, 2018 1:05pm, PT]
A new CloudBoot 6.0 version that includes the latest kernels has been released to provide more protection against the Meltdown and Spectre vulnerabilities.
Update [Sept 03, 2018 15:30 PT]
For OnApp 5.5, it is recommended to update CloudBoot compute resources to the following versions:
- CloudBoot KVM Compute Resource
  - CentOS 6 KVM: kernel 2.6.32-754.3.5.el6.x86_64
  - CentOS 7 KVM: kernel 3.10.0-862.11.6.el7.x86_64 or newer
- CloudBoot Xen Compute Resource
  - CentOS 6: kernel 4.9.112-32.el6.x86_64
Update [Aug 14, 2018 8:15 am, PT]
It is recommended to update CentOS KVM static compute resources to the following versions:
- Static KVM Compute Resource (CentOS 6/7)
  - CentOS 6 KVM: kernel 2.6.32-754.3.5.el6.x86_64
  - CentOS 7 KVM: kernel 3.10.0-862.11.6.el7.x86_64
Update [Jul 24, 2018 14:38 PT]
Static KVM Compute Resource (CentOS 6/7)
It is recommended to update CentOS KVM static compute resources to the following versions (OnApp 5.5):
- CentOS 6 KVM
  kernel 2.6.32-754.2.1.el6.x86_64
  qemu-kvm 0.12.1.2-2.506.el6_10.1
- CentOS 7 KVM
  kernel 3.10.0-862.9.1.el7.x86_64
  libvirt 3.9.0-14.el7_5.6
  qemu-kvm 1.5.3-156.el7_5.3
Update [Jun 12, 2018 15:49 PT]
Control Panel Servers (CentOS 6/7)
Recommended to update all OS packages, which can be completed with the following command: /onapp/onapp-cp-install/onapp-cp-install.sh -y
Static Backup Servers (CentOS 6/7)
Recommended to update all OS packages, which can be completed with the following command: /onapp/onapp-bk-install/onapp-bk-install.sh -y
Static KVM Compute Resource (CentOS 6/7)
Recommended to update all OS packages, which can be completed with the following command: /onapp/onapp-hv-install/onapp-hv-kvm-install.sh -y
If a full OS package update is not possible, it is still recommended to ensure that at least the following versions are running:
- OnApp 5.0
  - CentOS 5 KVM
    kernel >= 2.6.18-419.el5.x86_64
    kvm >= 83-277.el5.centos
    libvirt >= 0.8.2-29.onapp.x86_64
  - CentOS 6 KVM
    kernel >= 2.6.32-696.30.1.el6.x86_64
    qemu-kvm >= 0.12.1.2-2.503.el6_9.6
    libvirt >= 0.10.2-62.el6_9.2
- OnApp 5.5
  - CentOS 6 KVM
    kernel >= 2.6.32-696.30.1.el6.x86_64
    qemu-kvm >= 0.12.1.2-2.503.el6_9.6
    libvirt >= 0.10.2-62.el6_9.2
  - CentOS 7 KVM
    kernel >= 3.10.0-862.3.2.el7.x86_64
    qemu-kvm >= 1.5.3-156.el7_5.2
    libvirt >= 3.9.0-14.el7_5.5
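As an added check for the OnApp 5.5 KVM minimums above (example code, not OnApp's own tooling): the script compares what a CentOS 6/7 host actually runs against those versions using rpm's segment-wise version ordering, re-implemented in Python so the comparison can be exercised offline. The minimum versions are the ones listed on this page; the `installed_versions` helper and its use of `uname -r` and `rpm -q` to collect versions are my assumptions about how the host is queried.

```python
"""Compare a CentOS 6/7 KVM compute resource against the OnApp 5.5 minimum
package versions listed above. Added example, not OnApp's own tooling.
Version ordering follows rpm's rules (version and release compared
separately, segment by segment, numeric segments compared as integers and
ranked above alphabetic ones); epoch and tilde handling are omitted."""
import re
import subprocess

# Minimum versions as listed on the page for OnApp 5.5 (Jun 12, 2018 update).
MINIMUMS = {
    "el6": {"kernel": "2.6.32-696.30.1.el6.x86_64",
            "qemu-kvm": "0.12.1.2-2.503.el6_9.6",
            "libvirt": "0.10.2-62.el6_9.2"},
    "el7": {"kernel": "3.10.0-862.3.2.el7.x86_64",
            "qemu-kvm": "1.5.3-156.el7_5.2",
            "libvirt": "3.9.0-14.el7_5.5"},
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def _segcmp(x, y):
    """rpm-style comparison of one version or release string; -1, 0 or 1."""
    sx, sy = _SEGMENT.findall(x), _SEGMENT.findall(y)
    for a, b in zip(sx, sy):
        if a.isdigit() != b.isdigit():      # a numeric segment ranks above an alphabetic one
            return 1 if a.isdigit() else -1
        if a.isdigit():
            a, b = int(a), int(b)
        if a != b:
            return 1 if a > b else -1
    return (len(sx) > len(sy)) - (len(sx) < len(sy))  # the string with segments left over wins

def rpm_vercmp(have, want):
    """Compare two 'VERSION-RELEASE' strings (the form `uname -r` prints)."""
    hv, _, hr = have.partition("-")
    wv, _, wr = want.partition("-")
    return _segcmp(hv, wv) or _segcmp(hr, wr)

def check(installed, el):
    """installed: {package: 'VERSION-RELEASE'}; el: 'el6' or 'el7'.
    Returns {package: True (at/above minimum), False (older), None (absent)}."""
    return {pkg: None if pkg not in installed else rpm_vercmp(installed[pkg], minimum) >= 0
            for pkg, minimum in MINIMUMS[el].items()}

def installed_versions():
    """Collect versions from the live host (assumed query commands)."""
    vers = {"kernel": subprocess.check_output(["uname", "-r"], text=True).strip()}
    for pkg in ("qemu-kvm", "libvirt"):
        try:
            vers[pkg] = subprocess.check_output(
                ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", pkg], text=True).strip()
        except (OSError, subprocess.CalledProcessError):   # package not installed, or no rpm
            pass
    return vers

if __name__ == "__main__":
    have = installed_versions()
    el = "el7" if ".el7" in have["kernel"] else "el6"
    for pkg, ok in check(have, el).items():
        state = {True: "OK", False: "BELOW MINIMUM", None: "NOT FOUND"}[ok]
        print(f"{pkg:9s} {have.get(pkg, '-'):36s} {state}")
```

A kernel that passes the check still only protects the host after it has been booted, so compare `uname -r`, not the newest installed kernel package.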
Static Xen Compute Resource (CentOS 6/7)
Recommended to update all OS packages, which can be completed with the following command: /onapp/onapp-hv-install/onapp-hv-xen-install.sh -y
If a full OS package update is not possible, it is still recommended to ensure that at least the following versions are running:
- OnApp 5.0
  - CentOS 5 Xen
    kernel >= 2.6.18-419.el5.x86_64
    xen >= 3.4.4-35.1.el5.onapp
  - CentOS 6 Xen
    kernel >= 4.9.86-30.el6.x86_64
    xen >= 4.4.4-34.el6.x86_64
    libvirt >= 1.3.0-0.1.el6.x86_64
- OnApp 5.5
  - CentOS 6 Xen
    kernel >= 4.9.86-30.el6.x86_64
    xen >= 4.6.6-12.el6
    libvirt >= 3.2.1-402.el6
  - CentOS 7 Xen
    kernel >= 4.9.86-30.el7.x86_64
    xen >= 4.6.6-12.el7.x86_64
    libvirt >= 4.1.0-2.xen46.el7
With the recent updates (5.0 Patch 4 and 5.5 Patch 7), OnApp provides the following new packages for CloudBoot Compute Resources and Backup Servers:
- CloudBoot KVM Compute Resource (CentOS 6) / CloudBoot Backup Servers (OnApp 5.0 only)
  - For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos6-kvm-5.5.0-45.noarch.rpm
  - For OnApp 5.0, it is recommended to update to onapp-store-install-5.0.0-38.noarch.rpm
- CloudBoot KVM Compute Resource (CentOS 7) / CloudBoot Backup Servers (OnApp 5.5 only)
  - For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos7-kvm-5.5.0-45.noarch.rpm
- CloudBoot Xen Compute Resource (CentOS 6)
  - For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos6-xen-5.5.0-45.noarch.rpm
  - For OnApp 5.0, the CloudBoot Xen Compute Resource (CentOS 6) is still vulnerable. Updating to OnApp 5.5 is recommended.
Update [Mar 14, 2018 11:35 am PT]
- Static Xen Compute Resource (CentOS 6/7)
- For OnApp 5.5 - 5.7 running 4.6.6, recommended to update to Xen 4.6.6-10 packages to address Meltdown "bandaid" (XSA-254 XPTI stage 1) fixes. For details, refer to Xen Security Update.
- If you are running Xen 4.4, to upgrade to 4.6.6-10 refer to Upgrade Guide for Cloud with Static Servers.
- Cloudboot Xen Compute Resource (CentOS 6)
- For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos6-xen-5.5.0-42.noarch.rpm. The 'Simple reboot' and 'Migrate and Reboot' options are available.
Update [Feb 23, 2018 4:07am PT]
The new Windows win08_x64_std_r2_ver4.3-kvm_virtio.tar.gz template that includes the latest security fixes is now available.
The new Windows win08_x64_dc_r2_ver4.3-kvm_virtio.tar.gz template that includes the latest security fixes is now available.
Update [Feb 13, 2018 1:34am PT]
The new 5.5.0-75 release provides an upgrade for Xen to the 4.6 version and updated recovery images. This release does not include a full mitigation for the security issues as it has not yet been provided by Xen. We will incorporate new fixes aimed at Meltdown and Spectre into OnApp when they are released by Xen.
Control Panel Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Backup Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static KVM Compute Resource (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Xen Compute Resource (CentOS 6/7)
Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64
Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64
Cloudboot KVM Compute Resource (CentOS 6)
- For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos6-kvm-5.5.0-39.noarch.rpm
- For OnApp 5.0, it is recommended to update to onapp-store-install-5.0.0-38.noarch.rpm
Cloudboot KVM Compute Resource (CentOS 7)
- For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos7-kvm-5.5.0-38.noarch.rpm
Cloudboot Xen Compute Resource (CentOS 6)
See 'General update on Xen' above
Update [Jan 31, 2018 5:02am PT]
The new CentOS 6.6 ApplicationServer x64 template with Xen support that includes the latest security fixes will be available via the Template Server within the next hour.
Update [Jan 26, 2018 5:34am PT]
- The new CentOS 6.9 x86_64 template with Xen support that includes the latest security fixes is now available.
Update [Jan 25, 2018 8:17am PT]
- The CloudBoot update for KVM compute resources running CentOS 6 and OnApp 5.5 is now available. For more information, refer to OnApp 5.5 CloudBoot KVM Security Update 2.
Control Panel Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Backup Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static KVM Compute Resource (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Xen Compute Resource (CentOS 6/7)
Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64
Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64
Cloudboot KVM Compute Resource (CentOS 6)
- For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos6-kvm-5.5.0-29.noarch.rpm
- For OnApp 5.0, it is recommended to update to onapp-store-install-5.0.0-38.noarch.rpm
Cloudboot KVM Compute Resource (CentOS 7)
Updating of images currently in progress
Cloudboot Xen Compute Resource (CentOS 6)
See 'General update on Xen' above
Update [Jan 23, 2018 5:52am PT]
Here is an overview of our current efforts regarding the mitigation of the vulnerabilities for clouds using Xen:
- We are testing the current release of OnApp 5.5 / CentOS 7 / Xen 4.6 with the latest updates available from CentOS-Virt. The focus here is on the new kernel and page-table isolation (XPTI 'stage 1'), which is the first iteration of potentially multiple updates to protect against SP3.
- We are also testing an updated build of OnApp 5.5 / CentOS 6 / Xen 4.6. Behind the scenes this includes changes to how OnApp interacts with the Xen compute resources, so we need to verify that no issues have been introduced there, as well as with the updated Xen packages and kernel.
- Once we are confident that all is fine with the above combinations, we will build and release CloudBoot updates in due course, although the test cycles for Integrated Storage/CloudBoot are typically a little longer.
- Although it appears that, fortunately, this round of security fixes has been backported as far back as Xen 4.6, we plan to move to at least Xen 4.8 in the near future. As such, we are also testing our current builds against Xen 4.8 to understand what further changes will be needed.
- Unfortunately for OnApp 5.0, moving to support newer versions of Xen would be an enormous and potentially destabilizing effort. As such, we recommend that any Xen users plan to upgrade to OnApp 5.5. Our team will be happy to help, advise and assist with that process. OnApp 5.0 LTS will remain supported, receiving updates and patches where possible, and will support the updated kernels where possible; however, at this stage a Xen update is not expected.
Update [Jan 17, 2018 1:51am PT]
- The CloudBoot update for KVM compute resources running CentOS 6 and OnApp 5.0 is now available. For more information, refer to OnApp 5.0 CloudBoot KVM Security Update.
Control Panel Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Backup Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static KVM Compute Resource (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Xen Compute Resource (CentOS 6/7)
Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64
Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64
Cloudboot KVM Compute Resource (CentOS 6)
- For OnApp 5.5, it is recommended to update to onapp-ramdisk-centos6-kvm-5.5.0-28.noarch.rpm
- For OnApp 5.0, it is recommended to update to onapp-store-install-5.0.0-38.noarch.rpm
Cloudboot KVM Compute Resource (CentOS 7)
Updating of images currently in progress
Cloudboot Xen Compute Resource (CentOS 6)
See 'General update on Xen' above
Update [Jan 15, 2018 08:51pm PT]
- We've hit some issues in testing the KVM/CentOS 6/OnApp 5.0 combination. We are working on rectifying those and will release the update as soon as all tests have passed successfully.
- We have tested and verified the latest kernels available for Xen Static compute resources with no issues detected:
  CentOS 6 - kernel-4.9.75-30.el6.x86_64
  CentOS 7 - kernel-4.9.75-29.el7.x86_64
  To update, run
  /onapp/onapp-hv-install/onapp-hv-xen-install.sh
  followed by a reboot for the new kernel to take effect.
- Further kernel updates are expected in the near future to introduce Retpoline, which helps to protect against Spectre.
- We are investigating the Comet mitigation for the Meltdown vulnerability under Xen; this mitigation has not yet been released upstream for our target Xen release (4.8).
Control Panel Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Backup Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static KVM Compute Resource (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Xen Compute Resource (CentOS 6/7)
Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64
Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64
Cloudboot KVM Compute Resource (CentOS 6)
Recommended update to onapp-ramdisk-centos6-kvm-5.5.0-28.noarch.rpm
Cloudboot KVM Compute Resource (CentOS 7)
Updating of images currently in progress
Cloudboot Xen Compute Resource (CentOS 6)
See 'General update on Xen' above
Update [Jan 12, 2018 07:08pm PT]
- Cloudboot updates for KVM compute resources running CentOS 6 and OnApp 5.5 are now available. For more information, refer to OnApp 5.5 CloudBoot KVM Security Update.
- Testing of other images will be ongoing over the weekend; all going well, the KVM/CentOS 6/OnApp 5.0 combination will be released on Monday. Further updates to follow then.
Control Panel Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Backup Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static KVM Compute Resource (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Xen Compute Resource (CentOS 6/7)
See 'General update on Xen' above
Cloudboot KVM Compute Resource (CentOS 6)
Recommended update to onapp-ramdisk-centos6-kvm-5.5.0-28.noarch.rpm
Cloudboot KVM Compute Resource (CentOS 7)
Updating of images currently in progress
Cloudboot Xen Compute Resource (CentOS 6)
See 'General update on Xen' above
Update [Jan 12, 2018 12:18pm PT]
- The new Windows 2012 R2 std win12_x64_std_r2-ver4.5-kvm_virtio.tar.gz KVM template that includes the latest security fixes is now available.
- The new Windows 2012 R2 std win12_x64_std_r2-ver4.5.tar.gz Xen template that includes the latest security fixes is now available.
Update [Jan 11, 2018 14:30 PT]
Control Panel Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Backup Servers (CentOS 6/7)
Recommended to update Kernel and OS packages
Static KVM Compute Resource (CentOS 6/7)
Recommended to update Kernel and OS packages
Static Xen Compute Resource (CentOS 6/7)
See 'General update on Xen' above
Cloudboot KVM Compute Resource (CentOS 6)
Updated images in testing for 5.0 and 5.5.
We are running compressed test cycles, so far all looks positive and we hope to release as stable in the coming days.
Cloudboot KVM Compute Resource (CentOS 7)
Updating of images currently in progress
Cloudboot Xen Compute Resource (CentOS 6)
See 'General update on Xen' above
Update [Jan 11, 2018 7:18am PT]
OnApp static KVM compute resources under CentOS 6.x should update the qemu-kvm component to the 0.12.1.2-2.503 version to address CVE-2017-5715.
Update [Jan 11, 2018 2:52am PT]
To update the OS components of your KVM-based application servers, use the Application Server OS Components Update instructions. It is not yet recommended to update Application Servers running on Xen Hypervisors due to issues booting the latest kernel.
Update [Jan 10, 2018 7:02am PT]
The new CentOS 6.6 ApplicationServer x86_64 template (KVM only) that includes the fixes will be available via the Template Server within the next hour.
Update [Jan 10, 2018 1:45am PT]
VMware has released updates to address CVE-2017-5754. More information is available at the VMware Security Advisories portal.
Update [Jan 9, 2018 9:52am PT]
An updated Debian 8.10 x64 template has been released to address CVE-2017-5754 and should be available shortly.
Update [Jan 9, 2018 8:56am PT]
A new Debian 7.0 x64 template has been created to address CVE-2017-5754 and should now be available.
Update [Jan 9, 2018 6:34am PT]
- The new ubuntu-17.10-x64-1.0-xen.kvm.kvm_virtio.tar.gz template that includes the fixes will be available via Template Server within the next hour.
Update [Jan 9, 2018 4:05am PT]
- On 5 January 2018, Microsoft updated their patches for Windows 8.1/2012R2 to version 2.
Update [Jan 8, 2018 8:08am PT]
- The Ubuntu 16.04 x86_64 template for Xen and KVM has been updated and will be available within the next hour.
Update [Jan 7, 2018 5:55am PT]
- The Debian 9.3 x86_64 template for Xen and KVM has been updated to address CVE-2017-5754. We are continuing to monitor the Linux distros closely and will continue to release new templates as updates become available.
- An updated CloudBoot image for CentOS 6 KVM (OnApp 5.5) has passed basic smoke tests and is currently undergoing a longer, more strenuous testing. Further updates to follow.
Update [Jan 5, 2018 9:05am PT]
- To summarise relating to Cloud infrastructure:
- CentOS 7.x Control Panel, Static Backup Servers and Static KVM Compute Resources should be updated to at least kernel version 3.10.0-693.11.6.el7.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes. This can be completed with 'yum update kernel' followed by a reboot.
- CentOS 6.x Control Panel, Static Backup Servers and Static KVM Compute Resources should be updated to at least kernel version 2.6.32-696.18.7.el6.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes. This can be completed with 'yum update kernel' followed by a reboot.
- Further updates will be announced relating to Xen Static and Xen and KVM CloudBoot Compute Resources once available.
Update [Jan 5, 2018 8:42am PT]
- The CentOS 7.4 x86_64 template (KVM only) has been updated.
Update [Jan 5, 2018 8:12am PT]
- Virtual Servers running CentOS 7 centosplus are also being reported to have issues booting under Xen with kernel-plus-3.10.0-693.11.6.el7.centos.plus.x86_64, so we recommend avoiding updating Xen-based servers to that kernel at present.
Update [Jan 5, 2018 5:32am PT]
- Fedora 27 x86_64 template has been added. It is available at templates.repo.onapp.com.
- A hot migrate to a patched compute resource should be sufficient to ensure that the VS is running the updated libvirt/kvm code. However, the kernel update of the hot migrated VS should still be performed.
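The hot-migrate advice above rests on the fact that a running virtual server keeps executing the qemu binary it was started with, even after qemu-kvm and libvirt have been updated on the compute resource. As an added check (example code, not OnApp's own tooling), the script below lists qemu processes that still run a binary that the package update has since replaced, using the ' (deleted)' suffix Linux puts on the target of /proc/<pid>/exe; the `build_fake_proc` helper builds a constructed sample /proc tree so the logic can be exercised offline.

```python
"""List qemu guest processes on a KVM compute resource that still execute
a qemu binary replaced on disk by a package update (i.e. virtual servers
not yet hot migrated or restarted since the update). Added example, not
OnApp tooling. Relies on Linux appending ' (deleted)' to the target of
/proc/<pid>/exe once the executable file has been replaced or removed."""
import os
import tempfile

def exe_is_stale(pid, proc_root="/proc"):
    """True when the process runs a binary that no longer exists on disk."""
    try:
        return os.readlink(f"{proc_root}/{pid}/exe").endswith(" (deleted)")
    except OSError:        # process gone, or not root (other users' exe links are unreadable)
        return False

def process_name(pid, proc_root="/proc"):
    """Short command name from /proc/<pid>/comm ('' if unreadable)."""
    try:
        with open(f"{proc_root}/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return ""

def find_stale_qemu(proc_root="/proc"):
    """Ascending PIDs of qemu* processes (qemu-kvm on CentOS 6/7) whose
    binary has been replaced since they started."""
    return sorted(int(e) for e in os.listdir(proc_root)
                  if e.isdigit() and process_name(e, proc_root).startswith("qemu")
                  and exe_is_stale(e, proc_root))

def build_fake_proc():
    """Constructed sample /proc tree for offline demonstration: PID 101 is a
    guest started before the qemu-kvm update, PID 102 one started after it,
    PID 103 an unrelated daemon also on a replaced binary (not a qemu, ignored)."""
    root = tempfile.mkdtemp()
    for pid, comm, exe in ((101, "qemu-kvm", "/usr/libexec/qemu-kvm (deleted)"),
                           (102, "qemu-kvm", "/usr/libexec/qemu-kvm"),
                           (103, "sshd", "/usr/sbin/sshd (deleted)")):
        os.mkdir(f"{root}/{pid}")
        with open(f"{root}/{pid}/comm", "w") as f:
            f.write(comm + "\n")
        os.symlink(exe, f"{root}/{pid}/exe")   # dangling link is fine; only its text is read
    return root

if __name__ == "__main__":
    stale = find_stale_qemu()
    for pid in stale:
        print(f"PID {pid}: qemu still running the pre-update binary; hot migrate or restart the VS")
    if not stale:
        print("no qemu process is running a replaced binary")
```

Run it as root on the compute resource after the package update; a stale host kernel is a separate matter and needs a reboot, which this check does not cover.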
Update [Jan 5, 2018 4:00am PT]
- It is not recommended to upgrade the kernel of CentOS 6.x Xen virtual servers to version >= 2.6.32-696.18.7.el6.x86_64. Virtual servers with the new kernel(s) currently appear to fail to boot.
Update [Jan 4, 2018 8:02am PT]
- The list of Debian packages affected by CVE-2017-5754 can be found at the Debian Security Bug Tracker portal.
- The list of Debian packages affected by CVE-2017-5753 can be found at the Debian Security Bug Tracker portal.
- The list of Debian packages affected by CVE-2017-5715 can be found at the Debian Security Bug Tracker portal.
- The list of Ubuntu packages affected by CVE-2017-5754 can be found at the Ubuntu CVE Tracker portal.
- The list of Ubuntu packages affected by CVE-2017-5753 can be found at the Ubuntu CVE Tracker portal.
- The list of Ubuntu packages affected by CVE-2017-5715 can be found at the Ubuntu CVE Tracker portal.
- The Fedora Updates System has a security update in Fedora 27 for the kernel.
Update [Jan 4, 2018 6:55am PT]
- The new centos-6.9-x64-1.3-kvm.kvm_virtio.tar.gz template (KVM only) that includes the fixes will be available via Template Server in an hour.
Update [Jan 4, 2018 3:44am PT]
- CentOS 7.x KVM Static compute resources should be updated to at least kernel version 3.10.0-693.11.6.el7.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes.
- CentOS 6.x KVM Static compute resources should be updated to at least kernel version 2.6.32-696.18.7.el6.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes.
- Patches to address the issue are available for Windows 7, 8.1, 10 and Windows Server 2008R2, 2012R2, 2016 at the Microsoft Security TechCenter portal.