CloudLinux OS Blog - CloudLinux 6 kernel is available with a fix for MDS vulnerability

CloudLinux 6 kernel version 2.6.32-954.3.5.lve1.4.64 with a fix for MDS vulnerability is now available for download from our production repository.

Changelog:

  • CKSIX-218: x86 MDS mitigations:
    • CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling;
    • CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling;
    • CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling;
    • CVE-2019-11091 MDSUM Microarchitectural Data Sampling Uncacheable Memory.

To update the kernel, run the following command.

CloudLinux 6:

yum upgrade microcode_ctl && yum install kernel-2.6.32-954.3.5.lve1.4.64.el6

Mitigation: kernel with MDS patches + microcode + disable Hyper-Threading

In multi-tenant systems where the Host has Hyper-Threading disabled, different guests should not have access to threads on the same core and should not be vulnerable. Host performance and overall availability of resources will be impacted.

In multi-tenant systems where the Host has Hyper-Threading enabled and the hypervisor is vulnerable, guests will also be vulnerable, whether or not they have Hyper-Threading disabled.

In multi-tenant systems where the Host has Hyper-Threading enabled and the Hypervisor is not vulnerable, guests should consider disabling Hyper-Threading to protect themselves.

Diagnose your vulnerability

Apply the patches, then check the mitigation status by running one of the following commands:

# dmesg | grep "MDS:"

OR

# cat /sys/devices/system/cpu/vulnerabilities/mds

The possible values in this file are:

  • Not affected – the processor is not vulnerable
  • Vulnerable – the processor is vulnerable, but no mitigation is enabled
  • Vulnerable: Clear CPU buffers attempted – the processor is vulnerable but microcode is not updated; the mitigation is enabled on a best-effort basis
  • Mitigation: CPU buffer clear – the processor is vulnerable and the CPU buffer clearing mitigation is enabled
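
The values above can be turned into a per-host check that reports which part of the mitigation is still missing. This is an added example, not CloudLinux code: the function names, the SYSFS_CPU override and the use of cpu0's thread_siblings_list to detect Hyper-Threading are assumptions, and a missing mds file is treated as a kernel without the MDS patches.

```shell
#!/bin/sh
# Added example; mds_action, smt_active and check_host are hypothetical helper names.

# Map the text of the sysfs "mds" file to the action still owed on the host.
# Matching is by prefix, so trailing detail appended by the kernel is ignored.
mds_action() {
    case "$1" in
        "Not affected"*)                            echo "none" ;;
        "Mitigation:"*)                             echo "none" ;;
        "Vulnerable: Clear CPU buffers attempted"*) echo "update-microcode" ;;
        "Vulnerable"*)                              echo "enable-mitigation" ;;
        "")                                         echo "install-patched-kernel" ;;
        *)                                          echo "unknown" ;;
    esac
}

# Hyper-Threading is active when a core lists more than one sibling thread
# (for example "0,4" or "0-1"). Takes the content of thread_siblings_list.
smt_active() {
    case "$1" in
        *,*|*-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Report the state of this host; returns 0 only when no MDS action remains.
# SYSFS_CPU may point at a test tree instead of the live sysfs (assumption).
check_host() {
    base="${SYSFS_CPU:-/sys/devices/system/cpu}"
    status=""
    # The file exists only once a kernel with the MDS patches is booted.
    [ -r "$base/vulnerabilities/mds" ] && status=$(cat "$base/vulnerabilities/mds")
    action=$(mds_action "$status")
    smt="unknown"
    sib="$base/cpu0/topology/thread_siblings_list"
    if [ -r "$sib" ]; then
        if smt_active "$(cat "$sib")"; then smt="on"; else smt="off"; fi
    fi
    echo "mds=${status:-absent} action=$action smt=$smt"
    [ "$action" = "none" ]
}
```

Source the file and call check_host; the exit status makes it usable from a monitoring job, and smt=on is a reminder that Hyper-Threading is still enabled.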
 

You can find more information about MDS in the latest blog post from the KernelCare team.


Comments 2

Guest - Deyan on Monday, 20 May 2019 22:56

Hello,

Can you please tell me why you do not suggest to install or upgrade microcode_ctl package with CL6 kernel, like you do with CL7 kernel?

Is there a good reason for that or you just forgot to add that in install instructions for CL6...?

Inessa Atmachian on Tuesday, 21 May 2019 08:54

Hello Deyan,

Frankly speaking, we missed the microcode_ctl in our update command. Sorry for that — MDS vulnerability made too much noise.

For now, I’ve updated the update command.

Thank you for your attention and being involved and again, please take our apologies.
