[ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Derek Atkins
derek at ihtfp.com
Tue Jan 16 15:51:18 UTC 2018
Hi,
I upgraded to EL7.4 / oVirt 4.1.8 last night.
I must say it was easier than expected, so kudos to all the devs.
I did have a few hiccups along the way, mostly of my own making.
The one main hiccup is that the ovirt-40-dependencies package links to a
CentOS repo that no longer exists, and that caused lots of pain. I had to
manually disable two repos to get the upgrade to work.
Note: Nowhere in the docs does it say to remove the ovirt-release40
package, either before OR after the upgrade!
Having said that, my ovirt host now reports:
# bash spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux
3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (106 opcodes found, which is >= 70, heuristic
to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: YES
* The SPEC_CTRL CPUID feature bit is set: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: YES
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Do I need to enable IBRS for User space?
If so, how would that be done?
Thanks!
-derek
On Mon, January 15, 2018 1:10 pm, Yaniv Kaul wrote:
> On Mon, Jan 15, 2018 at 6:28 PM, Derek Atkins <derek at ihtfp.com> wrote:
>
>> Thanks.
>>
>> I guess it still boils down to updating to 7.4. :(
>>
>> In the short term, will Ovirt 4.0 continue to run in 7.4? Or MUST I
>>
>
> We don't know, but I would assume NO. Every minor release of EL required
> some small adjustments to expected and unexpected changes in the platform.
> We have worked with 4.1 to support 7.3 and then 7.4, I would not presume
> 4.0 works with it.
> Y.
>
>
>> upgrade both the OS and ovirt simultaneously? My time is very short
>> over
>> the next few weeks (I'm moving) so I'd like to get as much bang for the
>> buck with as little down time as possible. I can't spend 12 hours of my
>> time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.
>>
>> Thanks again!
>>
>> -derek
>>
>> On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
>> > If you see that after the update of your OS dmesg shows RED alert in
>> > the spectra check script in the second position then you should follow
>> > the intel's read.me.
>> > As in readme described on Centos 7.4:
>> > rsync -Pa intel-ucode /lib/firmware/
>> > On the recent kernels (>2.6.xx) the dd method does not work, don't do
>> > that.
>> > To confirm that microcode loaded:
>> > dmesg | grep micro
>> > look for the release dates.
>> > But I believe that v4 should be already in the microcode_ctl package of
>> > the CentOS7.4 ( in my case 2650v2 was not inside, but the v3 and v4
>> > were there)
>> > I have a script to enable or disable the protection so you can see the
>> > performance impact on your case:
>> > https://arm2armcos.blogspot.de/2018/01/lustrefs-big-performance-hit-on-lfs.html
>> >
>> >
>> >
>> > On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <derek at ihtfp.com> wrote:
>> >> Arman,
>> >>
>> >> Thanks for the info... And sorry for taking so long to reply. It's
>> >> been a busy weekend.
>> >>
>> >> First, thank you for the links. Useful information.
>> >>
>> >> However, could you define "recent"? My system is from Q3 2016. Is that
>> >> considered recent enough to not need a bios update?
>> >>
>> >> My /proc/cpuinfo reports:
>> >> model name : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
>> >>
>> >> I downloaded the microcode.tgz file, which is dated Jan 8. I noticed
>> >> that the microcode_ctl package in my repo is dated Jan 4, which implies
>> >> it probably does NOT contain the Jan 8 tgz from Intel. It LOOKS like I
>> >> can just replace the intel-ucode files with those from the tgz, but I'm
>> >> not sure what, if anything, I need to do with the microcode.dat file in
>> >> the tgz?
>> >>
>> >> Thanks,
>> >>
>> >> -derek
>> >>
>> >> Arman Khalatyan <arm2arm at gmail.com> writes:
>> >>
>> >>> if you have recent supermicro you dont need to update the bios,
>> >>>
>> >>> Some tests:
>> >>> Crack test:
>> >>> https://github.com/IAIK/meltdown
>> >>>
>> >>> Check test:
>> >>> https://github.com/speed47/spectre-meltdown-checker
>> >>>
>> >>> the intel microcodes you can find here:
>> >>> https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=41447
>> >>> good luck.
>> >>> Arman.
>> >>>
>> >>>
>> >>>
>> >>> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <derek at ihtfp.com> wrote:
>> >>>> Hi,
>> >>>>
>> >>>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>> >>>>
>> >>>>> No one likes downtime but I suspect this is one of those serious
>> >>>>> vulnerabilities that you really really must be protected against.
>> >>>>> That being said, before planning downtime, check your HW vendor for
>> >>>>> firmware or Intel for microcode for the host first.
>> >>>>> Without it, there's not a lot of protection anyway.
>> >>>>> Note that there are 4 steps you need to take to be fully protected:
>> >>>>> CPU, hypervisor, guests and guest CPU type - plan ahead!
>> >>>>> Y.
>> >>>>
>> >>>> Is there a HOW-To written up somewhere on this? ;)
>> >>>>
>> >>>> I built the hardware from scratch myself, so I can't go off to Dell or
>> >>>> someone for this. So which do I need, motherboard firmware or Intel
>> >>>> microcode? I suppose I need to go to the motherboard manufacturer
>> >>>> (Supermicro) to look for updated firmware? Do I also need to look at
>> >>>> Intel? Is this either-or or a "both" situation? Of course I have no idea
>> >>>> how to reflash new firmware onto this motherboard -- I don't have DOS.
>> >>>>
>> >>>> As you can see, planning I can do. Execution is more challenging ;)
>> >>>>
>> >>>> Thanks!
>> >>>>
>> >>>>
>> >>>> -derek
>> >>>>
>> >>>> --
>> >>>> Derek Atkins 617-623-3745
>> >>>> derek at ihtfp.com www.ihtfp.com
>> >>>> Computer and Internet Security Consultant
>> >>>>
>> >>>> _______________________________________________
>> >>>> Users mailing list
>> >>>> Users at ovirt.org
>> >>>> http://lists.ovirt.org/mailman/listinfo/users
>> >>>
>> >>>
>> >>
>> >> --
>> >> Derek Atkins 617-623-3745
>> >> derek at ihtfp.com www.ihtfp.com
>> >> Computer and Internet Security Consultant
>> >
>>
>>
>> --
>> Derek Atkins 617-623-3745
>> derek at ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>>
>>
>
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
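The checker output Derek pasted above and Arman's "dmesg | grep micro, look for the release dates" step, turned into a small parser as an added example. This is not code from oVirt, from spectre-meltdown-checker or from anyone in the thread: it reads the per-CVE STATUS lines and the YES/NO checks from the tool's text output, lists what still merits a second look (any status other than NOT VULNERABLE, and any IBRS scope reported as NO, which is exactly the open question in the mail), and pulls microcode revision and date out of dmesg lines. The dmesg sample lines are constructed in the format the kernel's microcode driver uses; the checker text is the output quoted in the thread.

```python
"""Summarise spectre-meltdown-checker output and dmesg microcode lines.

Added example for this thread, not project code. CHECKER_OUTPUT is the
text the poster reported; DMESG_SAMPLE is constructed sample data.
"""
import re

CHECKER_OUTPUT = """\
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (106 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: YES
* The SPEC_CTRL CPUID feature bit is set: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: YES
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
"""

# Constructed dmesg lines (revision and date values are made up for the example).
DMESG_SAMPLE = """\
[    0.000000] microcode: microcode updated early to revision 0xb000025, date = 2017-11-17
[    2.123456] microcode: CPU0 sig=0x406f1, pf=0x1, revision=0xb000025
[    2.124000] random: crng init done
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+\[([^\]]+)\]")
CHECK_RE = re.compile(r"^\*\s*(.+?):\s*(YES|NO|UNKNOWN)\s*$")
STATUS_RE = re.compile(r"^>\s*STATUS:\s*(NOT VULNERABLE|VULNERABLE|UNKNOWN)\b(?:\s*\((.*)\))?")
MICROCODE_RE = re.compile(r"microcode: .*?revision[= ]+(0x[0-9a-fA-F]+)(?:, date = (\d{4}-\d{2}-\d{2}))?")


def parse_checker(text):
    """Return {cve: {"name", "status", "reason", "checks": {label: bool}}}.

    Lines such as '* Mitigation 1' carry no YES/NO and are section headers
    in the tool's output, so they are skipped rather than recorded.
    """
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {"name": m.group(2), "status": None, "reason": "", "checks": {}}
            continue
        if current is None:
            continue
        m = CHECK_RE.match(line)
        if m:
            results[current]["checks"][m.group(1)] = (m.group(2) == "YES")
            continue
        m = STATUS_RE.match(line)
        if m:
            results[current]["status"] = m.group(1)
            results[current]["reason"] = m.group(2) or ""
    return results


def review_notes(results):
    """List what still deserves a look: non-mitigated CVEs and IBRS scopes
    reported as NO (the tool's heuristic statuses are taken at face value)."""
    notes = []
    for cve, r in results.items():
        if r["status"] != "NOT VULNERABLE":
            notes.append(f"{cve}: {r['status']}")
        for check, ok in r["checks"].items():
            if check.startswith("IBRS enabled for") and not ok:
                notes.append(f"{cve}: {check} is NO")
    return notes


def microcode_revisions(dmesg_text):
    """Return [(revision, date_or_None)] from dmesg 'microcode:' lines; the
    date is the release date the thread says to compare against."""
    found = []
    for line in dmesg_text.splitlines():
        if "microcode" not in line:
            continue
        m = MICROCODE_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    parsed = parse_checker(CHECKER_OUTPUT)
    for cve, r in parsed.items():
        print(f"{cve} ({r['name']}): {r['status']} {r['reason']}")
    print("notes:", review_notes(parsed))
    print("microcode:", microcode_revisions(DMESG_SAMPLE))
```

On a live host the same functions can be fed `subprocess.run(["bash", "spectre-meltdown-checker.sh"], ...)` output and `dmesg` output; the checker's own status strings are heuristics, as its Variant 1 line says, so the notes are a prompt for review, not a verdict.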