Status of Meltdown / Spectre Patching

This page is now historical and contains information about the status of patching on SWITCHengines regarding the Meltdown / Spectre vulnerabilities in 2011.

On our forum, we have a detailed explanation of the vulnerabilities and their implications.

SWITCHengines Infrastructure

2017-01-11: As more and more information becomes available, and software patches are starting to roll out, we have been able to formulate a plan for the next steps in patching and securing the SWITCHengines infrastructure:
  • Upgrading the microcode of the Intel CPUs on our hypervisors
  • Upgrading the Linux Kernels (from the 4.4 to the 4.13 line to incorporate the newer KPTI fixes)
  • Patching the KVM / QEMU virtualisation software to incorporate the PCID flag for VMs (this should help with the expected slowdown following the patches)
 
We are currently building custom kernels and testing the whole package in our testing clusters. We expect to have the testing done by next week and will then start to gradually patch our production clusters.
We can live migrate most running VMs between the hypervisors, so there will be no interruption of services. For those VMs that can't be live migrated, we are coordinating with the owners to minimize the impact of stopping/starting the VMs during the upgrade of the hypervisor.
 
In order for your existing VMs to pick up the PCID flag, there might be work to be done on your end (namely stopping and starting the VM). We are investigating whether it is possible to make the flag available to the VM without this procedure.
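To tell from inside a guest whether the stop/start described above actually took effect, the following added example (not a SWITCH script) reads the guest's /proc/cpuinfo for the pcid flag and, where the kernel is new enough to carry the vulnerability-reporting patch, the /sys/devices/system/cpu/vulnerabilities/meltdown file. It assumes the standard "flags : ..." layout of /proc/cpuinfo; the sysfs file is absent on older kernels, which the script reports as "unknown". The sample cpuinfo texts are constructed for the demonstration, not captured from a SWITCHengines VM.

```shell
#!/bin/sh
# Added example: report whether the PCID CPU flag is visible to this guest and
# whether the running kernel reports a Meltdown mitigation.
# Assumptions: /proc/cpuinfo layout ("flags : ..." line) and the sysfs file
# /sys/devices/system/cpu/vulnerabilities/meltdown, which only exists on kernels
# that carry the vulnerability-reporting patch.

# Print the flag list from cpuinfo-formatted text read on stdin.
cpuinfo_flags() {
    awk '/^flags[[:space:]]*:/ { sub(/^flags[[:space:]]*:[[:space:]]*/, ""); print; exit }'
}

# pcid_status CPUINFO_TEXT -> "yes" if the pcid flag is present, else "no".
# grep -w matters: "invpcid" is a different feature and must not count.
pcid_status() {
    if printf '%s\n' "$1" | cpuinfo_flags | grep -qw -- pcid; then
        echo yes
    else
        echo no
    fi
}

# meltdown_status SYSFS_TEXT -> classifies the meltdown sysfs line; pass ""
# when the file does not exist (kernel too old to report anything).
meltdown_status() {
    case "$1" in
        "Mitigation:"*)  echo mitigated ;;
        "Not affected"*) echo not-affected ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Constructed samples (not captured from a real VM).
SAMPLE_CPUINFO_WITH_PCID='processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc pcid sse4_1 sse4_2 hypervisor
bugs        : cpu_meltdown spectre_v1 spectre_v2'

SAMPLE_CPUINFO_NO_PCID='processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc invpcid sse4_1 sse4_2 hypervisor'

# Report for the machine the script runs on.
live_report() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
    meltdown=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    echo "pcid flag visible to guest: $(pcid_status "$cpuinfo")"
    echo "meltdown status reported by kernel: $(meltdown_status "$meltdown")"
}

# Demonstrate on the constructed samples, then on the live system if available.
echo "sample with pcid: $(pcid_status "$SAMPLE_CPUINFO_WITH_PCID")"
echo "sample without pcid: $(pcid_status "$SAMPLE_CPUINFO_NO_PCID")"
if [ -r /proc/cpuinfo ]; then
    live_report
fi
```

A guest that was created before the hypervisor upgrade and has only been rebooted from inside (not stopped and started through the cloud API) keeps its old virtual CPU definition, so "pcid flag visible to guest: no" after a reboot is expected until the stop/start has been done.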
 

2018-01-09: KVM / QEMU (which we use as the basis for the virtualization in SWITCHengines) are not vulnerable to Meltdown / Spectre as far as we know today, and it should therefore not be possible for a SWITCHengines VM to get access to data from other VMs running on the same hypervisor.

 

2018-01-08: We are currently testing new kernels for our hypervisors that patch against Meltdown. We are following up with our hardware vendors for new firmware that contains microcode patches that will mitigate the Spectre vulnerability. Our infrastructure contains servers and CPUs of different generations, so it might take some time before we have upgraded our complete infrastructure.

Before we roll out new kernels to our hypervisors, we are waiting for officially supported kernels from our provider (Ubuntu). We expect them to arrive on 2018-01-09. We will then again test the kernels and start to upgrade our hypervisors. Running VMs will mostly not be affected, because we live migrate VMs between hypervisors. In rare circumstances we will have to reboot VMs. The number of VMs we have to migrate makes it impractical to determine exact dates/times when they will be migrated or rebooted. We will announce general time frames as soon as we know more.

SWITCHengines provided images

VMs running on SWITCHengines will also need to be patched to newer kernels and rebooted. VMs created from our images will apply security fixes automatically; however, it is necessary to reboot them manually for the changes to take effect.
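Because the kernel update is installed automatically but only takes effect after a reboot, a VM can look patched at the package level while still running the old kernel. The following added example (not a SWITCH script) compares the running kernel with the newest kernel image installed under /boot so that the pending reboot is visible. It assumes the Debian/Ubuntu naming /boot/vmlinuz-<version> and that `uname -r` prints the same version form; the /boot listing used for the demonstration is constructed. On CentOS the equivalent check is `needs-restarting -r` from yum-utils.

```shell
#!/bin/sh
# Added example: decide whether a Debian/Ubuntu-style guest still runs an older
# kernel than the newest one installed, i.e. whether the automatically applied
# kernel update is waiting for a manual reboot.
# Assumptions: kernel images are named /boot/vmlinuz-<version>, and `uname -r`
# prints the running version in the same form.

# newest_kernel: stdin = one kernel version per line; prints the numerically
# highest one (4.4.0-109-generic beats 4.4.0-98-generic, which a plain lexical
# sort would get wrong). Each version is turned into a zero-padded key.
newest_kernel() {
    awk '
    function key(v,    n, p, i, k) {
        n = split(v, p, /[^0-9]+/)
        k = ""
        for (i = 1; i <= n; i++) if (p[i] != "") k = k sprintf("%08d", p[i])
        return k
    }
    NF { if (best == "" || key($0) > key(best)) best = $0 }
    END { if (best != "") print best }'
}

# installed_kernels: stdin = list of /boot paths; prints only the version suffixes.
installed_kernels() {
    sed -n 's#^.*/vmlinuz-##p'
}

# needs_reboot RUNNING NEWEST -> "yes" if the running kernel is not the newest
# installed one; "no" when they match or when nothing installed was found.
needs_reboot() {
    if [ -n "$2" ] && [ "$1" != "$2" ]; then echo yes; else echo no; fi
}

# Constructed sample of /boot after unattended upgrades installed a newer kernel
# while the VM kept running the one it booted with.
SAMPLE_BOOT='/boot/vmlinuz-4.4.0-98-generic
/boot/vmlinuz-4.4.0-104-generic
/boot/vmlinuz-4.4.0-109-generic'
SAMPLE_RUNNING=4.4.0-104-generic

newest=$(printf '%s\n' "$SAMPLE_BOOT" | installed_kernels | newest_kernel)
echo "sample: running $SAMPLE_RUNNING, newest installed $newest, reboot needed: $(needs_reboot "$SAMPLE_RUNNING" "$newest")"

# Live check: compare uname -r with the newest image in /boot, and also honour
# the /var/run/reboot-required marker that Debian/Ubuntu package hooks create.
if [ -d /boot ]; then
    live_newest=$(ls /boot/vmlinuz-* 2>/dev/null | installed_kernels | newest_kernel)
    echo "live: running $(uname -r), newest installed ${live_newest:-none}, reboot needed: $(needs_reboot "$(uname -r)" "$live_newest")"
    if [ -f /var/run/reboot-required ]; then
        echo "live: /var/run/reboot-required is present"
    fi
fi
```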

We are waiting for the official upstream releases and will update all images as they become available. Here is the current status (2018-01-08):

  • Debian Jessie - waiting for release, consider upgrading to Debian Stretch
  • Debian Stretch - patched, new images are being built and tested
  • Ubuntu Trusty (14.04) - waiting for release
  • Ubuntu Xenial (16.04) - waiting for release
  • CentOS 7.4 - waiting for release
  • Fedora 25 - EOL, consider updating to new release
  • Windows Server 2012 - waiting for release
  • RStudio Appliance - waiting for release