TPS-2018-004 Intel Security Findings "Meltdown" and "Spectre"

Overview

This notice is to advise Joyent customers of the security vulnerabilities in Intel (and other vendors') processors known as Spectre and Meltdown:

  • CVE-2017-5753 (Spectre variant 1, bounds check bypass)
  • CVE-2017-5715 (Spectre variant 2, branch target injection)
  • CVE-2017-5754 (Meltdown, variant 3, rogue data cache load)

Description

Details surrounding Intel’s findings regarding Spectre and Meltdown can be reviewed here. Additional information can be reviewed here and here.

Actions Taken by Joyent

Joyent has created a new Platform Image (PI) that enables KPTI (Kernel Page Table Isolation), the mitigation for Meltdown (CVE-2017-5754), and uses PCID (Process Context Identifiers) where the CPU supports them to reduce the TLB-flush cost that KPTI otherwise incurs. We are in the process of applying this PI across the Triton Cloud (public cloud). Please note that this update requires a reboot of the underlying physical servers, since the PI is the kernel a compute node boots from.

For users running Ubuntu-certified KVM instances, images containing the fix are available; please see the “Actions You Need to Take” section below for more information.

New KVM images of other types are actively being worked on. We will update this notice when those new images become available.

Further updates will continue to be posted in this advisory.

Actions You Need to Take

Triton Enterprise Software Users

Apply the fix containing KPTI and PCID by updating your current Platform Image (PI) to the latest release available from the support update channel, using the following command on the Triton head node:

sdcadm platform install --latest

Installing the PI does not by itself change what the compute nodes are running: the new PI must then be assigned to the compute nodes and each of them rebooted, as noted above.

Triton Public Cloud Users

For users running Docker or infrastructure containers (container-native Linux or SmartOS), there is no action required on your end at this time. Containers share the host kernel, so the KPTI fix Joyent has provided in the form of a PI, as mentioned above, covers them once the host has been rebooted onto it.

To move to the new Ubuntu-certified image release, you will need to provision a new instance using that image. You can learn more about the Ubuntu-certified images that are available here.

For remedial actions on KVM instances (Linux, BSD or Windows virtual machines, which run their own kernel and must be patched separately from the host), please check the notices applicable to the distro you are using:

  • Debian
  • Alpine Linux
  • FreeBSD
  • Windows

Debian and Ubuntu users can update running instances with the following commands:

sudo apt-get update
sudo apt-get dist-upgrade

CentOS users can update running instances using the following:

sudo yum update

For all other distros, please consult with the specific OS provider for best practices around updating and patching.

Note: All distros will require a reboot after being updated, so that the patched kernel is actually loaded; a kernel package that has been installed but not booted leaves the running system unmitigated.
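As an added example that is not part of this Joyent advisory, the following POSIX shell script checks on a Linux KVM guest, after the package update and reboot, whether the running kernel reports a mitigation for each of the three CVEs. It reads the per-issue files that kernels carrying the fixes (Linux 4.15 and the distro backports) export under /sys/devices/system/cpu/vulnerabilities, and the "pti" CPU flag that a kernel with KPTI enabled adds to /proc/cpuinfo. Both paths can be overridden with an argument so the checks can be exercised against constructed copies; the file names, their "Mitigation:" / "Vulnerable" / "Not affected" wording and the "pti" flag are real kernel interfaces, while the function names and the sample contents used in testing are this example's own.

```shell
#!/bin/sh
# Added example (not Joyent's code): verify Spectre/Meltdown mitigations on a
# Linux KVM guest. Run as:  sh check_mitigations.sh --run

# Print one line per CVE. Return 0 only if every issue reports a mitigation
# (or "Not affected"); a missing file means the kernel predates the fixes.
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for entry in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        name="${entry%%:*}"
        cve="${entry#*:}"
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            # Unpatched kernels do not have this directory at all: treat as vulnerable.
            status="unknown (not reported by this kernel; assume vulnerable)"
        fi
        case "$status" in
            Mitigation:*|"Not affected") ;;
            *) rc=1 ;;
        esac
        printf '%s %s: %s\n' "$cve" "$name" "$status"
    done
    return $rc
}

# Return 0 if the "pti" CPU flag is present, i.e. KPTI is active in the
# running kernel. Pattern is portable (no GNU-only \s or -w).
kpti_active() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep -E '^flags[[:space:]]*:' "$cpuinfo" 2>/dev/null \
        | grep -qE '[[:space:]]pti([[:space:]]|$)'
}

case "${1:-}" in
    --run)
        check_mitigations || echo "WARNING: not all issues are mitigated"
        if kpti_active; then
            echo "pti flag: present (KPTI active)"
        else
            echo "pti flag: absent (KPTI not active)"
        fi
        ;;
esac
```

On a KVM guest the spectre_v2 line reflects what the hypervisor exposes as much as the guest's own kernel: the retpoline part is in the guest kernel, but the IBRS/IBPB controls depend on updated CPU microcode being passed through by the host, so a "Vulnerable" spectre_v2 alongside a mitigated meltdown line points at the host rather than at a missed guest update.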

Open Source Triton Users

Download and run a Platform Image (PI) built after 2018-03-15, which includes KPTI (Kernel Page Table Isolation) and PCID (Process Context Identifier) support. As with the other Triton deployments above, the compute nodes must be rebooted onto the new PI for the fix to take effect.

Additional questions can be directed to The SmartOS Community Mailing Lists and IRC.

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

As noted above, if you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.