Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
On Thu, Jan 11, 2018 at 5:32 PM, Derek Atkins <derek(a)ihtfp.com> wrote:
Hi,
On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
> No one likes downtime but I suspect this is one of those serious
> vulnerabilities that you really really must be protected against.
> That being said, before planning downtime, check your HW vendor for
> firmware or Intel for microcode for the host first.
> Without it, there's not a lot of protection anyway.
> Note that there are 4 steps you need to take to be fully protected: CPU,
> hypervisor, guests and guest CPU type - plan ahead!
> Y.
Is there a HOW-To written up somewhere on this? ;)
Not for oVirt specifically right now. We'll blog about it once we release
additional improvements to detect if you are protected - right from oVirt
UI (in 4.2.1).
I built the hardware from scratch myself, so I can't go off to Dell or
someone for this. So which do I need, motherboard firmware or Intel
microcode? I suppose I need to go to the motherboard manufacturer
(Supermicro) to look for updated firmware? Do I also need to look at
Intel? Is this either-or or a "both" situation? Of course I have no idea
how to reflash new firmware onto this motherboard -- I don't have DOS.
You could get it from Intel, via their microcode_ctl package. When they
release for your CPU is a different manner.
See[1] for some good pointers.
Y.
[1]
https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_an...
As you can see, planning I can do. Execution is more challenging ;)
Thanks!
>> > Y.
-derek
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
Attachments:
- attachment.html (text/html — 2.9 KB)