This page provides current information on the updated packages and templates that have been released, as well as recommendations for dealing with the Meltdown and Spectre CPU vulnerabilities. The page will be updated as soon as we have new information for you.

Meltdown and Spectre are bugs in CPU architecture that apply to most modern processors including Intel, AMD and ARM. These issues have been observed on personal computers, mobile devices and in the cloud. These vulnerabilities allow programs to access data that is being processed on the computer. As a result, a malicious program can take advantage of the Meltdown and Spectre vulnerabilities and access data stored in the memory of other running programs. For additional information, refer to Meltdown & Spectre – x86/x64 architecture bug – what you need to know.

General update on Xen

As you may know, there isn't a full mitigation for all CVEs available yet, and the upcoming fixes will not be straightforward. You can keep up to date with proceedings at the Xen Project Blog.

From our side, our priority is ensuring we are in a position to roll in any changes, then validate and confirm compatibility as soon as possible once patches which allow full mitigation become available. In OnApp 5.5, we changed OnApp to interact with CentOS 7 Xen compute resources via Libvirt rather than the native Xen Toolkit (xm/xl), unifying this with how we work with KVM compute resources. In OnApp 5.7, we implemented the same for CentOS 6 to allow us to support newer versions of Xen with minimal codebase changes moving forward.

Note that you may face some issues when updating kernel packages inside CentOS 6.x and Debian 9.x guests. For more details, refer to the Virtual Servers Do Not Boot After Kernel Upgrade article.

Currently, we support: 

OnApp 5.0             OnApp 5.5
Xen 4.4 (CentOS 6)    Xen 4.4 and Xen 4.6 starting with the 5.5.0-75 update (CentOS 6)
                      Xen 4.6 (CentOS 7)

Update [Jul 24, 2018 14:38 pm PT]

  • Static KVM Compute Resource (CentOS 6/7)
    • CentOS KVM static compute resources are recommended to update to the recent version:
    • OnApp 5.5
      • CentOS 6 KVM
        kernel 2.6.32-754.2.1.el6.x86_64
        qemu-kvm 0.12.1.2-2.506.el6_10.1

      • CentOS 7 KVM
        kernel 3.10.0-862.9.1.el7.x86_64
        libvirt 3.9.0-14.el7_5.6
        qemu-kvm-1.5.3-156.el7_5.3

Update [Jun 12, 2018 15:49 pm PT]

  • Control Panel Servers (CentOS 6/7)
    Recommended to update all OS packages which can be completed with the following command:

    /onapp/onapp-cp-install/onapp-cp-install.sh -y
  • Static Backup Servers (CentOS 6/7)
    Recommended to update all OS packages which can be completed with the following command:

    /onapp/onapp-bk-install/onapp-bk-install.sh -y
  • Static KVM Compute Resource (CentOS 6/7)
    Recommended to update all OS packages which can be completed with the following command:

    /onapp/onapp-hv-install/onapp-hv-kvm-install.sh -y

    If a full OS package update is not possible, it is still recommended to ensure that at least the following versions are running:

    • OnApp 5.0 

      • CentOS 5 KVM
        kernel >= 2.6.18-419.el5.x86_64 
        kvm >= 83-277.el5.centos
        libvirt >= 0.8.2-29.onapp.x86_64

      • CentOS 6 KVM
        kernel >= 2.6.32-696.30.1.el6.x86_64
        qemu-kvm >= 0.12.1.2-2.503.el6_9.6
        libvirt >= 0.10.2-62.el6_9.2

    • OnApp 5.5 
      • CentOS 6 KVM
        kernel >= 2.6.32-696.30.1.el6.x86_64
        qemu-kvm >= 0.12.1.2-2.503.el6_9.6
        libvirt >= 0.10.2-62.el6_9.2

      • CentOS 7 KVM
        kernel >= 3.10.0-862.3.2.el7.x86_64
        qemu-kvm >= 1.5.3-156.el7_5.2
        libvirt >= 3.9.0-14.el7_5.5

  • Static Xen Compute Resource (CentOS 6/7)
    Recommended to update all OS packages which can be completed with the following command:

    /onapp/onapp-hv-install/onapp-hv-xen-install.sh -y

    If a full OS package update is not possible, it is still recommended to ensure that at least the following versions are running:

    • OnApp 5.0 

      • CentOS 5 Xen 
        kernel >= 2.6.18-419.el5.x86_64
        xen >= 3.4.4-35.1.el5.onapp

      • CentOS 6 Xen
        kernel >= 4.9.86-30.el6.x86_64
        xen >= 4.4.4-34.el6.x86_64
        libvirt >= 1.3.0-0.1.el6.x86_64

    • OnApp 5.5 
      • CentOS 6 Xen
        kernel >= 4.9.86-30.el6.x86_64
        xen >= 4.6.6-12.el6
        libvirt >= 3.2.1-402.el6 

      • CentOS 7 Xen
        kernel >= 4.9.86-30.el7.x86_64
        xen >= 4.6.6-12.el7.x86_64
        libvirt >= 4.1.0-2.xen46.el7
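
As an added example (not OnApp's own tooling), the following script checks a host against the OnApp 5.5 / CentOS 7 KVM minimums listed above. The function names and the sample inventory are constructed for illustration, the architecture suffix is dropped from the kernel floor, and GNU sort -V is assumed as an approximation of RPM's own version comparison.

```bash
#!/bin/sh
# Added example: minimum version-release floors copied from the
# OnApp 5.5 / CentOS 7 KVM list above (architecture suffix dropped).
MINIMUMS="kernel 3.10.0-862.3.2.el7
qemu-kvm 1.5.3-156.el7_5.2
libvirt 3.9.0-14.el7_5.5"

# ver_ge HAVE MIN: succeed when HAVE >= MIN. GNU `sort -V` approximates
# RPM's comparison; it is adequate for the version strings on this page.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# collect_inventory: print "name version-release" lines for a live host.
# The kernel entry is the RUNNING kernel, so a host that was updated but
# not rebooted is still reported as below the floor.
collect_inventory() {
    ci_kernel=$(uname -r)
    echo "kernel ${ci_kernel%.x86_64}"
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' qemu-kvm libvirt
}

# check_floors INVENTORY: report each floor; return 1 if any is unmet.
check_floors() {
    cf_inventory=$1
    cf_failed=0
    while read -r cf_name cf_min; do
        cf_have=$(printf '%s\n' "$cf_inventory" |
            awk -v n="$cf_name" '$1 == n { print $2; exit }')
        if [ -z "$cf_have" ]; then
            echo "MISSING  $cf_name (need >= $cf_min)"; cf_failed=1
        elif ver_ge "$cf_have" "$cf_min"; then
            echo "OK       $cf_name $cf_have"
        else
            echo "BELOW    $cf_name $cf_have (need >= $cf_min)"; cf_failed=1
        fi
    done <<EOF
$MINIMUMS
EOF
    return "$cf_failed"
}

# Constructed sample: kernel at the January 2018 floor, libvirt absent.
SAMPLE_INVENTORY="kernel 3.10.0-693.11.6.el7
qemu-kvm 1.5.3-156.el7_5.3"
check_floors "$SAMPLE_INVENTORY" || echo "host is below the listed minimums"
# On a real compute resource: check_floors "$(collect_inventory)"
```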

With the recent updates (5.0 Patch 4 and 5.5 Patch 7), OnApp provides the following new packages for CloudBoot Compute Resources and Backup Servers:

Update [Mar 14, 2018 11:35 am PT]

Update [Feb 23, 2018 4:07am PT]

  • The new Windows win08_x64_std_r2_ver4.3-kvm_virtio.tar.gz template that includes the latest security fixes is now available.

  • The new Windows win08_x64_dc_r2_ver4.3-kvm_virtio.tar.gz template that includes the latest security fixes is now available.

Update [Feb 13, 2018 1:34am PT]

  • The new 5.5.0-75 release provides an upgrade for Xen to the 4.6 version and updated recovery images. This release does not include a full mitigation for the security issues as it has not yet been provided by Xen. We will incorporate new fixes aimed at Meltdown and Spectre into OnApp when they are released by Xen.

  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64

  • Cloudboot KVM Compute Resource (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

Update [Jan 31, 2018 5:02am PT]

  • The new CentOS 6.6 ApplicationServer x64 template with Xen support that includes the latest security fixes will be available via the Template Server within the next hour.

Update [Jan 26, 2018 5:34am PT]

  • The new CentOS 6.9 x86_64 template with Xen support that includes the latest security fixes is now available.

Update [Jan 25, 2018 8:17am PT]

  • CloudBoot updates for KVM compute resources running CentOS 6 and OnApp 5.5 are now available. For more information, refer to OnApp 5.5 CloudBoot KVM Security Update 2.
  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64

  • Cloudboot KVM Compute Resource (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

Update [Jan 23, 2018 5:52am PT]

Here is an overview of our current efforts regarding the mitigation of the vulnerabilities for clouds using Xen:

  • We are testing the current release of OnApp 5.5 / CentOS 7 / Xen 4.6 with the latest updates available from CentOS-Virt. The focus here is on the new kernel and page-table isolation (XPTI 'stage 1'), which is the first iteration of potentially multiple updates to protect against SP3.
  • We are also testing an updated build of OnApp 5.5 / CentOS 6 / Xen 4.6. Behind the scenes, this includes changes to how OnApp interacts with the Xen compute resources, so we need to verify that no issues have been introduced there, as well as with the updated Xen packages and kernel.
  • Once we are confident that all is fine with the above combinations, we will build and release CloudBoot updates in due course, although the test cycles for Integrated Storage/CloudBoot are typically a little longer.
  • Fortunately, it appears that this round of security fixes has been backported as far back as Xen 4.6. However, we plan to move to at least Xen 4.8 in the near future, so we are also testing our current builds against Xen 4.8 to understand what further changes will be needed.
  • Unfortunately for OnApp 5.0, moving to support newer versions of Xen would be an enormous and potentially destabilizing effort, as such, we recommend any Xen users to plan to upgrade to OnApp 5.5. Our team will be happy to help, advise and assist with that process. OnApp 5.0 LTS will remain supported, receiving updates and patches where possible and will support the updated kernels where possible, however, at this stage a Xen update is not expected.

Update [Jan 17, 2018 1:51am PT]

  • CloudBoot updates for KVM compute resources running CentOS 6 and OnApp 5.0 are now available. For more information, refer to OnApp 5.0 CloudBoot KVM Security Update.
  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64

  • Cloudboot KVM Compute Resource (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

Update [Jan 15, 2018 08:51pm PT]

  • We've hit some issues in testing the KVM/CentOS 6/OnApp 5.0 combination. We are working on rectifying those and will release the update as soon as all tests have passed successfully.
  • We have tested and verified the latest kernels available for Xen Static compute resources with no issues detected:
    • CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • CentOS 7 - kernel-4.9.75-29.el7.x86_64

    To update run /onapp/onapp-hv-install/onapp-hv-xen-install.sh followed by a reboot for the new kernel to take effect.

  • There are expected to be further kernel updates in the near future to introduce Retpoline which helps to protect against Spectre.
  • We are investigating the Comet mitigation for the Meltdown vulnerability under Xen. This mitigation has not yet been released upstream for our target Xen release (4.8).
  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • Recommended Kernel update CentOS 6 - kernel-4.9.75-30.el6.x86_64

    • Recommended Kernel update CentOS 7 - kernel-4.9.75-29.el7.x86_64

  • Cloudboot KVM Compute Resource  (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

Update [Jan 12, 2018 07:08pm PT]

  • Cloudboot updates for KVM compute resources running CentOS 6 and OnApp 5.5 are now available. For more information, refer to OnApp 5.5 CloudBoot KVM Security Update.

  • Testing of other images will be ongoing over the weekend. All going well, the KVM/CentOS 6/OnApp 5.0 combination will be released on Monday. Further updates to follow then.
  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • See 'General update on Xen' above

  • Cloudboot KVM Compute Resource  (CentOS 6)

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

Update [Jan 12, 2018 12:18pm PT]

  • The new Windows 2012 R2 std win12_x64_std_r2-ver4.5-kvm_virtio.tar.gz KVM template that includes the latest security fixes is now available.

  • The new Windows 2012 R2 std win12_x64_std_r2-ver4.5.tar.gz Xen template that includes the latest security fixes is now available.

Update [Jan 11, 2018 14:30pm PT]

  • Control Panel Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages 

  • Static Backup Servers (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static KVM Compute Resource  (CentOS 6/7)

    • Recommended to update Kernel and OS packages

  • Static Xen Compute Resource (CentOS 6/7) 

    • See 'General update on Xen' above

  • Cloudboot KVM Compute Resource  (CentOS 6)

    • Updated images in testing for 5.0 and 5.5. 

    • We are running compressed test cycles, so far all looks positive and we hope to release as stable in the coming days. 

  • Cloudboot KVM Compute Resource  (CentOS 7)

    • Updating of images currently in progress

  • Cloudboot Xen Compute Resource  (CentOS 6)

    • See 'General update on Xen' above

Update [Jan 11, 2018 7:18am PT]

  • OnApp static KVM compute resources under CentOS 6.x should update the qemu-kvm component to the 0.12.1.2-2.503 version to address CVE-2017-5715.

Update [Jan 11, 2018 2:52am PT]

  • To update the OS components of your KVM-based application servers, use the Application Server OS Components Update instructions. It is not yet recommended to update Application Servers running on Xen Hypervisors due to issues booting the latest kernel.

Update [Jan 10, 2018 7:02am PT]

  • The new CentOS 6.6 ApplicationServer x86_64 template (KVM only) that includes the fixes will be available via Template Server within the next hour.

Update [Jan 10, 2018 1:45am PT]

Update [Jan 9, 2018 9:52am PT]

  • An updated Debian 8.10 x64 template has been released to address CVE-2017-5754 and should be available shortly.

Update [Jan 9, 2018 8:56am PT]

  • A new Debian 7.0 x64 template has been created to address CVE-2017-5754 and should now be available.

Update [Jan 9, 2018 6:34am PT]

  • The new ubuntu-17.10-x64-1.0-xen.kvm.kvm_virtio.tar.gz template that includes the fixes will be available via Template Server within the next hour. 

Update [Jan 9, 2018 4:05am PT]

  • On 5th January 2018, Microsoft updated their patches for Windows 8.1/2012R2 to version 2.

Update [Jan 8, 2018 8:08am PT]

  • The Ubuntu 16.04 x86_64 template for Xen and KVM has been updated and will be available within the next hour. 

Update [Jan 7, 2018 5:55am PT]

  • The Debian 9.3 x86_64 template for Xen and KVM has been updated to address CVE-2017-5754. We are continuing to monitor the Linux distros closely and will continue to release new templates as updates become available. 
  • An updated CloudBoot image for CentOS 6 KVM (OnApp 5.5) has passed basic smoke tests and is currently undergoing a longer, more strenuous testing. Further updates to follow.

Update [Jan 5, 2018 9:05am PT]

  • To summarise relating to Cloud infrastructure:
  • CentOS 7.x Control Panel, Static Backup Servers and Static KVM Compute Resources should be updated to at least kernel version 3.10.0-693.11.6.el7.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes. This can be completed with 'yum update kernel' followed by a reboot.
  • CentOS 6.x Control Panel, Static Backup Servers and Static KVM Compute Resources should be updated to at least kernel version 2.6.32-696.18.7.el6.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes. This can be completed with 'yum update kernel' followed by a reboot.
  • Further updates will be announced relating to Xen Static and Xen and KVM CloudBoot Compute Resources once available. 

Update [Jan 5, 2018 8:42am PT]

  • The CentOS 7.4 x86_64 template (KVM only) has been updated.

Update [Jan 5, 2018 8:12am PT]

  • Virtual Servers running CentOS 7 centosplus are also being reported to have issues booting under Xen with kernel kernel-plus-3.10.0-693.11.6.el7.centos.plus.x86_64, so we recommend not updating Xen-based servers to that kernel at present.

Update [Jan 5, 2018 5:32am PT]

  • Fedora 27 x86_64 template has been added. It is available at templates.repo.onapp.com.
  • A hot migrate to a patched compute resource should be sufficient to ensure that the VS is running the updated libvirt/kvm code. However, the kernel update of the hot migrated VS should still be performed.

Update [Jan 5, 2018 4:00am PT]

  • Upgrading the kernel on CentOS 6.x Xen virtual servers to version >= 2.6.32-696.18.7.el6.x86_64 is not recommended. Virtual servers with the new kernel(s) currently appear to be failing to boot.

Update [Jan 4, 2018 8:02am PT]

Update [Jan 4, 2018 6:55am PT]

  • The new centos-6.9-x64-1.3-kvm.kvm_virtio.tar.gz template (KVM only) that includes the fixes will be available via Template Server in an hour.

Update [Jan 4, 2018 3:44am PT]

  • CentOS 7.x KVM Static compute resources should be updated to at least kernel version 3.10.0-693.11.6.el7.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes.
  • CentOS 6.x KVM Static compute resources should be updated to at least kernel version 2.6.32-696.18.7.el6.x86_64 to address CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 fixes.
  • Patches to address the issue are available for Win 7, 8.1, 10, Win Server 2008R2, 2012R2, 2016 at the Microsoft Security TechCenter portal.
