Fix for CVE-2017-5753 for CentOS7/RHEL7

Igor Seletskiy

Jan 17, 2018, 7:39:43 AM
to kernelcar...@googlegroups.com
Most of the latest vendor kernels already have the Meltdown (CVE-2017-5754) fix included. Since the
current KernelCare patches do not provide this fix for older kernels, the "effective" version ("uname"
in kpatch.info files) should not be set to those latest vendor kernels, but kept at the latest ones
without the Meltdown fix. This behavior was added to deploy-scripts but currently isn't considered to be
ready for merge, since only comparison of rpm-based versions is supported. However, this particular
release needs this functionality only to handle centos7 patches ("latest" changed from 693.11.6 to
693.11.1), so in order not to postpone it even further, a local copy of the changed kcaredeploy.py script is provided.

Before running makedeploy, please copy the attached kcaredeploy.py file over the existing
py/kcaredeploy.py in the checked-out sources. After the release archive is generated, the original version
of this file can be restored with 'git checkout HEAD -- py/kcaredeploy.py', and the absence of any
local changes in tracked files can be verified with 'git status -uno'.

Sorry for the inconvenience; this is strictly a temporary solution for two existing release
requests. In the future, the relevant code will be merged and no local changes will be required.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

Changelog:
centos7:
  CVE-2017-5753: 'An industry-wide issue was found in the way many modern microprocessor
    designs have implemented speculative execution of instructions (a commonly used
    performance optimization). There are three primary variants of the issue which
    differ in the way the speculative execution can be exploited. Variant CVE-2017-5753
    triggers the speculative execution by performing a bounds-check bypass. It relies
    on the presence of a precisely-defined instruction sequence in the privileged
    code as well as the fact that memory accesses may cause allocation into the microprocessor''s
    data cache even for speculatively executed instructions that never actually commit
    (retire). As a result, an unprivileged attacker could use this flaw to cross the
    syscall boundary and read privileged memory by conducting targeted cache side-channel
    attacks. ATTENTION: This is just a partial fix for Spectre attack. The other part
    (CVE-2017-5753) and Meltdown is still relevant.'
  cvelist: [CVE-2017-5753]
  latest-version: 3.10.0-693.11.1.el7
centos7-plus:
  CVE-2017-5753: 'An industry-wide issue was found in the way many modern microprocessor
    designs have implemented speculative execution of instructions (a commonly used
    performance optimization). There are three primary variants of the issue which
    differ in the way the speculative execution can be exploited. Variant CVE-2017-5753
    triggers the speculative execution by performing a bounds-check bypass. It relies
    on the presence of a precisely-defined instruction sequence in the privileged
    code as well as the fact that memory accesses may cause allocation into the microprocessor''s
    data cache even for speculatively executed instructions that never actually commit
    (retire). As a result, an unprivileged attacker could use this flaw to cross the
    syscall boundary and read privileged memory by conducting targeted cache side-channel
    attacks. ATTENTION: This is just a partial fix for Spectre attack. The other part
    (CVE-2017-5753) and Meltdown is still relevant.'
  cvelist: [CVE-2017-5753]
  latest-version: 3.10.0-693.11.1.el7
pve-3.10:
  CVE-2017-5753: 'An industry-wide issue was found in the way many modern microprocessor
    designs have implemented speculative execution of instructions (a commonly used
    performance optimization). There are three primary variants of the issue which
    differ in the way the speculative execution can be exploited. Variant CVE-2017-5753
    triggers the speculative execution by performing a bounds-check bypass. It relies
    on the presence of a precisely-defined instruction sequence in the privileged
    code as well as the fact that memory accesses may cause allocation into the microprocessor''s
    data cache even for speculatively executed instructions that never actually commit
    (retire). As a result, an unprivileged attacker could use this flaw to cross the
    syscall boundary and read privileged memory by conducting targeted cache side-channel
    attacks. ATTENTION: This is just a partial fix for Spectre attack. The other part
    (CVE-2017-5753) and Meltdown is still relevant.'
  cvelist: [CVE-2017-5753]
  latest-version: 3.10.0-22-pve_3.10.0-52
rhel7:
  CVE-2017-5753: 'An industry-wide issue was found in the way many modern microprocessor
    designs have implemented speculative execution of instructions (a commonly used
    performance optimization). There are three primary variants of the issue which
    differ in the way the speculative execution can be exploited. Variant CVE-2017-5753
    triggers the speculative execution by performing a bounds-check bypass. It relies
    on the presence of a precisely-defined instruction sequence in the privileged
    code as well as the fact that memory accesses may cause allocation into the microprocessor''s
    data cache even for speculatively executed instructions that never actually commit
    (retire). As a result, an unprivileged attacker could use this flaw to cross the
    syscall boundary and read privileged memory by conducting targeted cache side-channel
    attacks. ATTENTION: This is just a partial fix for Spectre attack. The other part
    (CVE-2017-5753) and Meltdown is still relevant.'
  cvelist: [CVE-2017-5753]
  latest-version: 3.10.0-693.11.1.el7

Regards,
Igor Seletskiy |  CEO
CloudLinux OS   |   KernelCare   |   Imunify360

Get 24/7 free, exceptionally good support at cloudlinux.zendesk.com
Follow us on twitter for technical updates: @CloudLinuxOS