Meltdown and Spectre vulnerabilities
Yesterday, a team of security researchers announced two major security vulnerabilities that affect modern micro-processors, along with two exploitation techniques, named Meltdown and Spectre, that can compromise the security and privacy of many computer systems.
Gandi is monitoring the situation closely and we ask our customers to read about these vulnerabilities and take appropriate actions, namely by keeping their systems up-to-date in the wake of this announcement.
Gandi Hosting customers must take notice of the following details:
Simple Hosting (PaaS)
We are currently applying the necessary patches to our Simple Hosting platform and will be rebooting PaaS instances as we go.
All instances might go through a very short period of downtime during the reboots. This is necessary to ensure their security.
No further action will be required but we recommend that you look up more information concerning the web development tools and practices that you use.
We are closely monitoring Xen Security Advisory 254, as our Cloud platform uses the Xen hypervisor to power our virtual server offering. We will take appropriate action when more information becomes available and/or patches are released.
In the meantime, customers must take notice of the following information and take the recommended actions when appropriate:
1. GRUB and raw boot users (kernels “grub-i386 (xen)”, “grub-x86_64 (xen)” and “raw (xen)”) are advised to update their system’s kernel and stop/start their servers as soon as their distribution releases a patch. Please monitor the official website of each distribution for more information (see links below).
2. Hosted kernels (3.2-x86_64, 3.10-x86_64, 3.10-xfs-x86_64 and 3.18-x86_64) will not be patched. We strongly recommend, as we have been doing for the past several months, that you switch to the “grub” option and use the kernel provided by your system of choice. Check out our GRUB documentation and follow the steps we provide to make the switch.
3. We are patching the hypervisor that runs servers with HVM-labeled kernels. We will stop and start servers that are still using this deprecated kernel option as soon as we’re ready.
Additional links for supported distributions:
CentOS CVE patch status
- Meltdown: https://access.redhat.com/security/cve/CVE-2017-5754
- Spectre 1: https://access.redhat.com/security/cve/CVE-2017-5753
- Spectre 2: https://access.redhat.com/security/cve/CVE-2017-5715
Debian CVE patch status
- Meltdown: https://security-tracker.debian.org/tracker/CVE-2017-5754
- Spectre 1: https://security-tracker.debian.org/tracker/CVE-2017-5753
- Spectre 2: https://security-tracker.debian.org/tracker/CVE-2017-5715
Ubuntu CVE patch status
- Access https://people.canonical.com/~ubuntu-security/cve/main-released.html and search for the following keywords: “CVE-2017-5715”, “CVE-2017-5753” and “CVE-2017-5754”
FreeBSD CVE patch status
- The information will be made available at this URL: https://www.freebsd.org/security/advisories.html