Documentation OVH

Information about Meltdown and Spectre vulnerability fixes

Last update: 22 May at 7:25am CET

(This page reflects the situation at a given moment and is constantly evolving.)


Introduction

As we communicated, OVH has been informed of the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) security vulnerabilities, which make a large part of the computer equipment in operation, particularly machines with Intel CPUs, vulnerable to potential attacks.

Our technical teams are continuing to work on securing OVH infrastructures in order to minimize the exposure of your services to these vulnerabilities.

Reboots of some services have already begun, so that we can apply the first tested and approved stability patches to our systems, in the operating systems and kernels of the machines as well as in the CPU microcode.

 

What should you do?

Some services, which are entirely managed by OVH, will not require any action on your part: Domains, Metrics and Logs Data Platform, xDSL, VoIP, DBaaS, OVH Load Balancer, vRack, Exchange, MX Plan, Web Hosting, Cloud Desktop, VDI, CDN, Swift, CEPH, NAS-HA, Public Cloud Storage and Public Cloud Archive.

OVH is working to secure the infrastructures concerned, applying the patches provided by the operating system and motherboard vendors as they become available. Some operations require a reboot of the machine, which may cause a short interruption of service.

Securing certain other services, such as dedicated servers, Public Cloud instances, VPS or Private Cloud, will require additional action on your part: applying the update recommended by the operating system vendor of your servers.

This page contains:

  1. General information about these vulnerabilities;
  2. A detailed list of all OVH products and of the actions in progress and/or the actions you need to take (please read this section carefully).

To help you, we also offer a non-exhaustive table listing the updates available for the main versions of the operating systems.

 

General information

 

 

Each operating system section below gives the status for the three issues:

Spectre - Variant 1: Bounds Check Bypass (CVE-2017-5753)

Spectre - Variant 2: Branch Target Injection (CVE-2017-5715)

Meltdown: Rogue Data Cache Load (CVE-2017-5754)

Linux

Spectre - Variant 1: Status: DONE

Most distributions have recompiled their kernel with LFENCE instructions inserted at the affected bounds checks.

Software needs to be recompiled with a patched compiler that inserts LFENCE instructions to stop speculation.

Spectre - Variant 2

Mitigation 1 (new microcode + IBRS/IBPB kernel): IN PROGRESS

Two conditions must both be met to be protected, A and B:

A) Boot the OS with the new microcode, which activates the new CPU interfaces (the SPEC_CTRL and PRED_CMD MSRs). There are two ways to do this:

Option 1) Load the microcode after the BIOS, at the very beginning of the kernel boot (early microcode loading from the initramfs). The new microcode has to be loaded into the CPU each time the OS starts.

Option 2) Upgrade the BIOS, so that the BIOS loads the new microcode into the CPU before the OS boot phase. Once the BIOS is upgraded, the system boots with the new microcode automatically.

IN PROGRESS: OVH has already released every microcode and BIOS update that the vendors have provided.

B) Install a kernel that integrates the new IBRS and IBPB patches, which use the new CPU MSRs made available by the microcode update in A), to successfully mitigate the vulnerability.

On Linux, those patches have been integrated in the latest kernels (4.14.14 as well as 4.9.77), which have been compiled with a GCC with retpoline support. DONE

OpenStack KVM/QEMU:
https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg00692.html
The KVM patches expose to guests the new capabilities of the host CPU provided by the new microcode. Then, with a patched guest kernel (same as point B above), the guest is able to protect itself.

Mitigation 2 (retpoline): DONE

Patch the compiler to avoid any indirect jump and use a static trampoline instead (aka retpoline); GCC has a pending patch to introduce this feature. If you recompile the kernel with it, that fixes only the kernel itself: with a fixed kernel, an attacker can no longer read kernel memory, but can still read the memory of other processes. All software has to be recompiled with the mitigation to be secured.

https://lkml.org/lkml/2018/1/3/780

https://googleprojectzero.blogspot.fr/2018/01/reading-privileged-memory-with-side.html

GCC patches for retpoline: http://git.infradead.org/users/dwmw2/gcc-retpoline.git/shortlog/refs/heads/gcc-7_2_0-retpoline-20171219

Meltdown: Status: DONE

Kernel patch to isolate kernel space and user space (aka KPTI).

It is available in vanilla kernels 4.14.11+, 4.9.75+ and 4.4.110+.

Linux distributions are backporting the patches themselves into their own kernel versions; refer to our list of patches available per distribution for more information.
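How a practitioner checks conditions A and B on a given Linux machine, as an added example (this is not code from the OVH page; it reads only what the kernel itself reports). Assumptions not stated on the page: a kernel of 4.14.14 / 4.9.77 or later, which exposes /sys/devices/system/cpu/vulnerabilities/{spectre_v1,spectre_v2,meltdown}; and the CPU flags spec_ctrl (Intel), ibpb (AMD) and pti in /proc/cpuinfo, which are the kernel's names for the microcode-provided MSRs and for KPTI being active. Run inside a Public Cloud or VPS guest, the same script tells you whether the hypervisor exposes the new MSRs to the VM, which is what the KVM/QEMU paragraph above and the "MSR exposed to VM" rows in the table refer to. The sample files are constructed for the demonstration, not captured from OVH machines.

```shell
#!/bin/sh
# Added example (not OVH's code): summarise the Spectre/Meltdown state of a
# Linux machine from what the kernel itself reports.
#   - condition A (microcode loaded, SPEC_CTRL/PRED_CMD MSRs available): the
#     CPU flag list in /proc/cpuinfo gains "spec_ctrl" (Intel) or "ibpb" (AMD)
#   - condition B / retpoline kernel and KPTI: kernels 4.14.14+ / 4.9.77+
#     expose /sys/devices/system/cpu/vulnerabilities/{spectre_v1,spectre_v2,meltdown}
# Both paths are parameters so the logic can be exercised on sample files.

# cpu_flags CPUINFO_FILE -> the "flags" list of the first CPU, on one line
cpu_flags() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

# has_flag FLAGS_LINE FLAG -> true if FLAG is present as a whole word
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# vuln_status SYSFS_DIR NAME -> the kernel's text for NAME, or "unknown"
vuln_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo unknown; fi
}

# verdict CPUINFO_FILE SYSFS_DIR -> one of
#   VULNERABLE  : the kernel reports at least one issue as "Vulnerable"
#   PROTECTED   : all three mitigated (or "Not affected") AND the new MSRs visible
#   KERNEL_ONLY : kernel mitigations in place but no spec_ctrl/ibpb flag, i.e.
#                 condition A is missing (old microcode, or a hypervisor that
#                 does not yet expose the MSRs to this VM)
#   UNKNOWN     : the kernel is too old to expose the sysfs interface
verdict() {
    flags=$(cpu_flags "$1")
    ok=0
    for v in spectre_v1 spectre_v2 meltdown; do
        case "$(vuln_status "$2" "$v")" in
            Vulnerable*)     echo VULNERABLE; return 0 ;;
            Mitigation*)     ok=$((ok + 1)) ;;
            "Not affected"*) ok=$((ok + 1)) ;;
        esac
    done
    if [ "$ok" -ne 3 ]; then
        echo UNKNOWN
    elif has_flag "$flags" spec_ctrl || has_flag "$flags" ibpb; then
        echo PROTECTED
    else
        echo KERNEL_ONLY
    fi
}

# report CPUINFO_FILE SYSFS_DIR -> the details behind the verdict, one per line
report() {
    flags=$(cpu_flags "$1")
    for f in spec_ctrl ibpb pti; do
        if has_flag "$flags" "$f"; then echo "cpu flag $f: yes"; else echo "cpu flag $f: no"; fi
    done
    for v in spectre_v1 spectre_v2 meltdown; do
        echo "$v: $(vuln_status "$2" "$v")"
    done
    echo "verdict: $(verdict "$1" "$2")"
}

# make_sample DIR KIND -> constructed sample files (not captured from any OVH
# machine) mimicking /proc/cpuinfo and the sysfs directory for three cases
make_sample() {
    mkdir -p "$1/vulnerabilities"
    case "$2" in
        patched)        # new microcode + retpoline kernel + KPTI
            printf 'processor\t: 0\nflags\t\t: fpu sse2 syscall nx pti spec_ctrl ibpb\n' > "$1/cpuinfo"
            echo 'Mitigation: __user pointer sanitization' > "$1/vulnerabilities/spectre_v1"
            echo 'Mitigation: Full generic retpoline'      > "$1/vulnerabilities/spectre_v2"
            echo 'Mitigation: PTI'                         > "$1/vulnerabilities/meltdown"
            ;;
        guest_no_msr)   # patched guest kernel, hypervisor hides SPEC_CTRL/PRED_CMD
            printf 'processor\t: 0\nflags\t\t: fpu sse2 syscall nx pti\n' > "$1/cpuinfo"
            echo 'Mitigation: __user pointer sanitization' > "$1/vulnerabilities/spectre_v1"
            echo 'Mitigation: Full generic retpoline'      > "$1/vulnerabilities/spectre_v2"
            echo 'Mitigation: PTI'                         > "$1/vulnerabilities/meltdown"
            ;;
        unpatched)      # kernel built without a retpoline-capable GCC, KPTI off
            printf 'processor\t: 0\nflags\t\t: fpu sse2 syscall nx\n' > "$1/cpuinfo"
            echo 'Mitigation: __user pointer sanitization'   > "$1/vulnerabilities/spectre_v1"
            echo 'Vulnerable: Minimal generic ASM retpoline' > "$1/vulnerabilities/spectre_v2"
            echo 'Vulnerable'                                > "$1/vulnerabilities/meltdown"
            ;;
    esac
}

# Demonstration on the constructed samples, then on this machine if it is Linux.
tmp=$(mktemp -d)
for kind in patched guest_no_msr unpatched; do
    make_sample "$tmp/$kind" "$kind"
    echo "== $kind: $(verdict "$tmp/$kind/cpuinfo" "$tmp/$kind/vulnerabilities")"
done
rm -rf "$tmp"
if [ -r /proc/cpuinfo ] && [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    echo "== this machine"
    report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities
fi
```

No root is needed; the files are world-readable. A KERNEL_ONLY result on a dedicated server means the microcode of step A is not loaded yet (check the BIOS/initramfs); the same result inside a VM means the hypervisor has not exposed the MSRs, which the guest cannot fix on its own.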

Windows

Spectre - Variant 1: Status: DONE

Software needs to be recompiled with a patched compiler that inserts LFENCE instructions to stop speculation.

Spectre - Variant 2

Two conditions must both be met to be protected, A and B:

A) Boot the OS with the new microcode, which activates the new CPU interfaces (the SPEC_CTRL and PRED_CMD MSRs). There are two ways to do this:

A. Option 1) Load the microcode after the BIOS, at the very beginning of the kernel boot. In progress with Windows.

A. Option 2) Upgrade the BIOS, so that the BIOS loads the new microcode into the CPU before the OS boot phase. Once the BIOS is upgraded, the system boots with the new microcode automatically. Works with all operating systems.

IN PROGRESS: OVH has already released every microcode and BIOS update that the vendors have provided.

B) Install the latest Windows security updates, which integrate the patches that use the new CPU MSRs made available by the microcode update in A), to successfully mitigate the vulnerability. Note that you must also have a compatible antivirus for this security update to be offered; refer to the OS matrix for details.

Status: DONE, refer to the OS matrix for details

Meltdown: Status: DONE

BSD

 

 

 

Status per OVH services and products

Each entry below gives the SERVICE and PRODUCT, WHAT HAS TO BE DONE and by whom (OVH side or customer), and the status for each of the three issues:

Spectre - Variant 1: Bounds Check Bypass (CVE-2017-5753)
Spectre - Variant 2: Branch Target Injection (CVE-2017-5715)
Meltdown: Rogue Data Cache Load (CVE-2017-5754)

Cloud IaaS / Dedicated Server (aka Baremetal) / KS, SYS, SP, MG, EG, HG, FS, GAME

Service update (OVH side)

Spectre - Variant 1: PROTECTABLE

Spectre - Variant 2: IN PROGRESS

Linux:

  • deploying Intel microcode in netboot and disk boot via initramfs / OVH kernel: DONE
  • deploying Intel microcode via UEFI: DONE
  • deploying microcode on disk boot (3rd-party kernels and distributor-supplied microcode): DONE
  • updated AMD microcode: WAIT (waiting for AMD)
  • kernel + GCC with the patches that use the new CPU flags: DONE

Windows:

  • testing UEFI + microcode + Windows: DONE
  • deploying the BIOS received for each motherboard: IN PROGRESS

Meltdown: PROTECTABLE

Linux: 4.14.14 and 4.9.77 are available via Netboot
Windows: Microsoft provides the patch.

Cloud IaaS / Dedicated Server (aka Baremetal) / KS, SYS, SP, MG, EG, HG, FS, GAME

OS update (customer action needed)

Spectre - Variant 1: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Spectre - Variant 2: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Meltdown: Linux: PROTECTABLE (4.14.14 and 4.9.77 are available via Netboot: please update your kernel or use Netboot); Windows: PROTECTABLE (see the Windows section above)

 

Cloud IaaS / Public Cloud (aka PCI) / OpenStack KVM

Service update (OVH side)

Spectre - Variant 1: OS: PROTECTED; VM to KVM: PROTECTED (variant 1 doesn't cross VM boundaries); VM to VM: PROTECTED (variant 1 doesn't cross VM boundaries)

Spectre - Variant 2: Microcode: IN PROGRESS; OS: DONE; VM to KVM: PROTECTED; VM to VM: PROTECTED; MSR exposed to VM: DONE (update from KVM)

Meltdown: PROTECTED (KVM is not impacted)

Cloud IaaS / Public Cloud (aka PCI) / OpenStack KVM

VM's OS update (customer action needed)

Spectre - Variant 1: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Spectre - Variant 2: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Meltdown: PROTECTED (KVM is not impacted: Meltdown does not cross the VM boundary; isolating processes inside the VM from the VM's own kernel still requires the KPTI kernel update described in the Linux section above)

Cloud IaaS / VPS 2014 powered by pCC

Service update (OVH side)

Spectre - Variant 1: OS: IN PROGRESS; VM to ESXi: PROTECTED (variant 1 doesn't cross VM boundaries); VM to VM: PROTECTED (variant 1 doesn't cross VM boundaries)

Spectre - Variant 2: OS: PROTECTED; VM to ESXi: PROTECTED; VM to VM: PROTECTED

Meltdown: OS: PROTECTED; VM to ESXi: PROTECTED; VM to VM: PROTECTED

Cloud IaaS / VPS 2014 powered by pCC

Customer: managed by OVH (see the line above) for all three issues.


Cloud IaaS / VPS 2016 powered by pCI

Service update (OVH side)

Spectre - Variant 1: OS: IN PROGRESS; VM to KVM: PROTECTED (variant 1 doesn't cross VM boundaries); VM to VM: PROTECTED (variant 1 doesn't cross VM boundaries)

Spectre - Variant 2: Microcode: IN PROGRESS; OS: DONE; VM to KVM: WAIT (depends on the Cloud IaaS / Dedicated Server work above); VM to VM: WAIT (depends on the Cloud IaaS / Dedicated Server work above); MSR exposed to VM: DONE (update from KVM)

Meltdown: PROTECTED (KVM is not impacted)

Cloud IaaS / VPS 2016 powered by pCI

VM's OS update (customer action needed)

Spectre - Variant 1: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Spectre - Variant 2: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Meltdown: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Cloud IaaS / Private Cloud (aka PCC) / vSphere 4.1/5.0/5.1/5.5

Service (OVH/CUSTOMER)

Spectre - Variant 1: IN PROGRESS. There is no patch to protect vSphere 4.1/5.0/5.1; OVH advises the customer to upgrade the pCC to vSphere 6.0/6.5, which is free. vSphere 5.5 is vulnerable, waiting for VMware to patch it. No ETA.

Spectre - Variant 2: There is no patch to protect vSphere 4.1/5.0/5.1; OVH advises the customer to upgrade the pCC to vSphere 6.0/6.5, which is free. vSphere 5.5: IN PROGRESS.

Meltdown: There is no patch to protect vSphere 4.0/4.1/5.0/5.1/5.5; OVH advises the customer to upgrade the pCC to vSphere 6.0/6.5, which is free. VMware may provide a patch for vSphere 5.5. No ETA.

Cloud IaaS / Private Cloud based on AMD hosts (aka PCC) / vSphere 6.0/6.5

Service update (OVH side)

All hosts: 95% patched

Spectre - Variant 1: OS: PROTECTED; VM to ESXi: IN PROGRESS; VM to VM: IN PROGRESS

Spectre - Variant 2: OS: PROTECTED; VM to ESXi: IN PROGRESS; VM to VM: IN PROGRESS

Meltdown: PROTECTED (AMD CPUs are not vulnerable to Meltdown; see AMD's statement)

Cloud IaaS / Private Cloud based on AMD hosts (aka PCC) / vSphere 6.0/6.5

VM's OS update (customer action needed)

Spectre - Variant 1: Linux: PROTECTABLE (as for the Dedicated Server line above); Windows: PROTECTABLE (see the Windows section above)

Spectre - Variant 2: Linux: PROTECTABLE (as for the Dedicated Server line above); Windows: PROTECTABLE (see the Windows section above)

Meltdown: PROTECTED (AMD CPUs are not vulnerable to Meltdown; see AMD's statement)

Cloud IaaS / Private Cloud based on Intel hosts (aka PCC) / vSphere 6.0/6.5

Service update (OVH side)

http://travaux.ovh.net/?do=details&id=29250

All hosts: 95% patched

Spectre - Variant 1: OS: PROTECTED; VM to ESXi: IN PROGRESS; VM to VM: IN PROGRESS

Spectre - Variant 2: OS: PROTECTED; VM to ESXi: IN PROGRESS; VM to VM: IN PROGRESS; MSR exposed to VM: WAIT (update from VMware)

Meltdown: OS: PROTECTED; VM to ESXi: PROTECTED; VM to VM: PROTECTED

Cloud IaaS / Private Cloud based on Intel hosts (aka PCC) / vSphere 6.0/6.5

VM's OS update (customer action needed)

Spectre - Variant 1: Linux: PROTECTABLE (as for the Dedicated Server line above); Windows: PROTECTABLE (see the Windows section above)

Spectre - Variant 2: Linux: PROTECTABLE (as for the Dedicated Server line above); Windows: PROTECTABLE (see the Windows section above)

Meltdown: Linux: PROTECTABLE; Windows: PROTECTABLE (see the Windows section above)

Cloud IaaS / Cloud Desktop aaS (aka VDI) / Horizon 7 aaS

Service update (OVH side)

http://travaux.ovh.net/?do=details&id=29251

Spectre - Variant 1: OS: PROTECTED; VDI to ESXi: PROTECTED; VDI to VDI: PROTECTED

Spectre - Variant 2: OS: PROTECTED; VDI to ESXi: IN PROGRESS; VDI to VDI: PROTECTED; MSR exposed to VDI: WAIT (update from VMware)

Meltdown: OS: PROTECTED; VDI to ESXi: PROTECTED; VDI to VDI: PROTECTED

Cloud IaaS / Cloud Desktop aaS (aka VDI) / Horizon 7 aaS

Customer: managed by OVH (see the line above) for all three issues.

Cloud IaaS / Private Cloud Desktop / Horizon 7 over pCC

Service update (OVH side)

http://travaux.ovh.net/?do=details&id=29250

Spectre - Variant 1: OS: PROTECTED; VDI to ESXi: PROTECTED; VDI to VDI: PROTECTED

Spectre - Variant 2: OS: PROTECTED; VDI to ESXi: IN PROGRESS; VDI to VDI: PROTECTED; MSR exposed to VDI: WAIT (update from VMware)

Meltdown: OS: PROTECTED; VDI to ESXi: IN PROGRESS; VDI to VDI: PROTECTED

Cloud IaaS / Private Cloud Desktop / Horizon 7 over pCC

Customer: managed by OVH (see the line above) for all three issues.

Cloud IaaS / CaaS / Container aaS, Mesos, Docker

Service update (OVH side)

Spectre - Variant 1: Linux: WAIT (depends on the Cloud IaaS / Dedicated Server work above)

Spectre - Variant 2: Linux: WAIT (depends on the Cloud IaaS / Dedicated Server work above)

Meltdown: DONE

Cloud IaaS / CaaS / Container aaS, Mesos, Docker

Customer: nothing to do for any of the three issues.

Cloud storage / Object Storage (aka PCS) / OpenStack Swift
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud storage / Block Storage / Ceph
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud storage / NAS / NFS/ZFS
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud storage / vRack (L2)
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud network / IP LB
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud network / vRouter
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud network / Dedicated Connect (L2)
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud network / vRack Connect (L3)
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud PaaS / DBaaS / MySQL
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud PaaS / DBaaS / PgSQL
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud PaaS / Data Platform Metrics / Warp10, OpenTSDB, Prometheus, InfluxDB, Graphite
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Cloud PaaS / Data Platform Logs / Elasticsearch
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / Domain Name / DNS
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / Domain Name / AnyCast
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / Web Hosting (aka Shared Hosting) / LXC

Service update (OVH side)

http://travaux.ovh.net/?do=details&id=29245

Spectre - Variant 1: DONE

Spectre - Variant 2: DONE

Meltdown: Linux: PROTECTED

Web and Telecom / Web Hosting (aka Shared Hosting) / LXC

Customer: nothing to do for any of the three issues.

Web and Telecom / Email / MX Plan
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / Email / Exchange
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED; Windows: PROTECTED (see the Windows section above)
  • Customer: nothing to do

Web and Telecom / Collaborative Tools / SharePoint / OneDrive
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED; Windows: PROTECTED (see the Windows section above)
  • Customer: nothing to do

Web and Telecom / xDSL / ADSL, SDSL, VDSL
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / xDSL / OTB
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / VoIP / SIP Softphone
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / VoIP / SIP/MGCP Hardphone
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / SMS/FAX
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do

Web and Telecom / hubiC / based on PCS (frontend, apps, desktop)
  • OVH side: Spectre - Variant 1: NOT EXPOSED; Spectre - Variant 2: NOT EXPOSED; Meltdown: NOT EXPOSED
  • Customer: nothing to do
