Spectre Variant 2(CVE-2017-5715) reported as vulnerable on Kernel ver. 3.10.0-862

Support for security such as Firewalls and securing linux
Post Reply
d3r3kdrumm0nd
Posts: 1
Joined: 2018/05/25 12:00:29

Spectre Variant 2(CVE-2017-5715) reported as vulnerable on Kernel ver. 3.10.0-862

Post by d3r3kdrumm0nd » 2018/05/25 12:44:01

This Spectre/Meltdown checker https://github.com/speed47/spectre-meltdown-checker is reporting that my CentOS 7 VM is vulnerable to Spectre variant 2 despite running Kernel 3.10.0-862 and having CVE-2017-5715, CVE-2017-5753, CVE-2017-5714 installed.

RedHat provides this script https://access.redhat.com/sites/default ... 23-1220.sh that also checks if a system is vulnerable to Spectre/Meltdown. In my case the RedHat script shows software mitigations have been installed but the microcode still needs to be installed. From what I know the kernel mitigations are not a perfect fix for variant 2 and the microcode updates are needed before a system is entirely secure.

I'm inclined to trust the Redhat script more but I'm curious to know if anyone else has seen this and what they did to secure to protect the VM entirely.

chemal
Posts: 427
Joined: 2013/12/08 19:44:49

Re: Spectre Variant 2(CVE-2017-5715) reported as vulnerable on Kernel ver. 3.10.0-862

Post by chemal » 2018/05/25 19:36:36

You need updated microcode on the host. If you have that, then for KVM you select one of the new CPU models, e.g. Skylake-Client-IBRS if it was Skylake-Client before. This makes the new CPU features available to the guest.

Code: Select all

Note about virtualization
In virtualized environment, there are more steps to mitigate the issue, including:
* Host needs to have updated kernel and CPU microcode
* Host needs to have updated virtualization software
* Guest needs to have updated kernel
* Hypervisor needs to propagate new CPU features correctly
For more details about mitigations in virtualized environment see:
https://access.redhat.com/articles/3331571

Post Reply