[ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

[Yaniv Kaul]

On Thu, Jan 11, 2018 at 5:32 PM, Derek Atkins <derek at ihtfp.com> wrote:

> Hi,
>
> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>
> > No one likes downtime but I suspect this is one of those serious
> > vulnerabilities that you really really must be protected against.
> > That being said, before planning downtime, check your HW vendor for
> > firmware or Intel for microcode for the host first.
> > Without it, there's not a lot of protection anyway.
> > Note that there are 4 steps you need to take to be fully protected: CPU,
> > hypervisor, guests and guest CPU type - plan ahead!
> > Y.
>
> Is there a HOW-To written up somewhere on this?  ;)
>

Not for oVirt specifically right now. We'll blog about it once we release
additional improvements to detect if you are protected - right from oVirt
UI (in 4.2.1).


>
> I built the hardware from scratch myself, so I can't go off to Dell or
> someone for this.  So which do I need, motherboard firmware or Intel
> microcode?  I suppose I need to go to the motherboard manufacturer
> (Supermicro) to look for updated firmware?  Do I also need to look at
> Intel?  Is this either-or or a "both" situation?  Of course I have no idea
> how to reflash new firmware onto this motherboard -- I don't have DOS.
>

You could get it from Intel, via their microcode_ctl package. When they
release for your CPU is a different manner.
See[1] for some good pointers.
Y.

[1]
https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre


>
> As you can see, planning I can do.  Execution is more challenging ;)
>
> Thanks!
>
> >> > Y.
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        derek at ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20180111/b4cf655b/attachment.html>