CloudLinux OS Blog - СloudLinux 7 and CloudLinux 6 Hybrid kernel is available with a fix for MDS vulnerability
CloudLinux OS Blog
Font size: +
Subscribe to this entry Unsubscribe
Print

СloudLinux 7 and CloudLinux 6 Hybrid kernel is available with a fix for MDS vulnerability

CloudLinux OS Blog
2231 Hits
8 Comments
MDS-fixed

CloudLinux 7 and CloudLinux 6 Hybrid kernel version 3.10.0-962.3.2.lve1.5.25.8 with a fix for MDS vulnerability is now available for download from our production repository.

Changelog:

1.5.25.7

  • CLKRN-446: backport 3.18 stable fixes to CloudLinux 7;
  • CLKRN-417: enable KABI check;
  • CLKRN-424: IOPS limits support for the noop IO scheduler;
  • CLKRN-421: fixed ext4 RO remounts;
  • CLKRN-450: xfs: avoid invalid null-pointer dereference;
  • CLKRN-147: fixed ub0 beancounter file lock charge/uncharge balance.

1.5.25.8

  • CLKRN-457: fix KABI breakage;
  • CLKRN-458: x86 MDS mitigations:
    • CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling;
    • CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling;
    • CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling;
    • CVE-2019-11091 MDSUM Microarchitectural Data Sampling Uncacheable Memory.

To update a kernel, please use the following command.

CloudLinux 7:

yum upgrade microcode_ctl && yum install kernel-3.10.0-962.3.2.lve1.5.25.8.el7

CloudLinux 6 Hybrid:

yum upgrade microcode_ctl && yum install kernel-3.10.0-962.3.2.lve1.5.25.8.el6h

Mitigation: kernel with MDS patches + microcode + disable Hyper-Threading

In multi-tenant systems where the Host has Hyper-Threading disabled, different guests should not have access to threads on the same core and should not be vulnerable. Host performance and overall availability of resources will be impacted.

In multi-tenant systems where the Host has Hyper-Threading enabled and the hypervisor is vulnerable, guests will also be vulnerable if they have Hyper-Threading disabled or not.

In multi-tenant systems where the Host has Hyper-Threading enabled and the Hypervisor is not vulnerable, guests should consider disabling Hyper-Threading to protect themselves.

Diagnose your vulnerability

Apply the patches and perform vulnerability diagnostic by running one of the following commands:

# dmesg | grep “MDS:”

OR

# cat /sys/devices/system/cpu/vulnerabilities/mds

The possible values in this file are:

  • Not affected – the processor is not vulnerable
  • Vulnerable – the processor is vulnerable, but no mitigation enabled
  • Vulnerable: Clear CPU buffers attempted – the processor is vulnerable but microcode is not updated; the mitigation is enabled on a best effort basis
  • Mitigation: CPU buffer clear – the processor is vulnerable and the CPU buffer clearing mitigation is enabled
Tweet
0
Tags:
hybrid kernel-cl6 kernel-cl7 MDS
CloudLinux 6 kernel is available with a fix for MD...
Beta: distributed replicated block device kernel m...

About the author

Inessa Atmachian

Inessa Atmachian

Inessa Atmachian is a Technical Writer at CloudLinux. She is responsible for developing technical product documentation for CloudLinux OS, KernelCare, and Imunify360 products. She provides customers with release notes and information on product updates. For the past 10 years, before joining CloudLinux, Inessa has been writing and translating technical documents for various companies making documentation easy to read, and customer communication clear and informative.

Author's recent posts
More posts from author
 

Comments 8

Guest
Guest - laoubi mohamed on Saturday, 18 May 2019 00:39

hello sir

does kernelcar support updating?

Cancel Reply
hello sir does kernelcar support updating?
Cancel Update Comment
Guest
Guest - AC on Saturday, 18 May 2019 02:40

[[email protected]~]# cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

Do I need to disable SMT?

Cancel Reply
[[email protected]~]# cat /sys/devices/system/cpu/vulnerabilities/mds Mitigation: Clear CPU buffers; SMT vulnerable Do I need to disable SMT?
Cancel Update Comment
Ivan Zhmud
Ivan Zhmud on Saturday, 18 May 2019 11:01

Laoubi Mohamed hello!

More information related KernelCare updating you can find in the latest blog post of KC team
here https://www.kernelcare.com/zombieload/

Cancel Reply
Laoubi Mohamed hello! More information related KernelCare updating you can find in the latest blog post of KC team here https://www.kernelcare.com/zombieload/
Cancel Update Comment
Ivan Zhmud
Ivan Zhmud on Saturday, 18 May 2019 11:17

Hello AC!
After updating you kernel it's not necessary but recommended. CPU bug allows to read data between CPU threads.
Therefore switched-on HT for VM is an additional possibility to attack an application on different VM’s.

Cancel Reply
Hello AC! After updating you kernel it's not necessary but recommended. CPU bug allows to read data between CPU threads. Therefore switched-on HT for VM is an additional possibility to attack an application on different VM’s.
Cancel Update Comment
Guest
Guest - Snek on Monday, 20 May 2019 22:32

I do not see anything on both commands:
[email protected] [~]# dmesg | grep “MDS:”
[email protected] [~]# cat /sys/devices/system/cpu/vulnerabilities/mds
cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory

But we use kernelcare aswell, so it's not needed to update microcode?

Cancel Reply
I do not see anything on both commands: [email protected] [~]# dmesg | grep “MDS:” [email protected] [~]# cat /sys/devices/system/cpu/vulnerabilities/mds cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory But we use kernelcare aswell, so it's not needed to update microcode?
Cancel Update Comment
Inessa Atmachian
Inessa Atmachian on Tuesday, 21 May 2019 08:37

Hi Snek,

Most likely you have a kernel version less than 3.10.0-962.3.2.lve1.5.25.8.el7 because it is in this version the checker has appeared. You can update your kernel till the current version specified in the post and run the check again.

Cancel Reply
Hi Snek, Most likely you have a kernel version less than 3.10.0-962.3.2.lve1.5.25.8.el7 because it is in this version the checker has appeared. You can update your kernel till the current version specified in the post and run the check again.
Cancel Update Comment
Inessa Atmachian
Inessa Atmachian on Tuesday, 21 May 2019 09:23

You can also track all KernelCare updates regarding MDS here: https://www.kernelcare.com/zombieload/

Cancel Reply
You can also track all KernelCare updates regarding MDS here: https://www.kernelcare.com/zombieload/
Cancel Update Comment
Inessa Atmachian
Inessa Atmachian on Tuesday, 21 May 2019 11:03

Snek,
If you have KernelCare, you should update microcode as well.

Cancel Reply
Snek, If you have KernelCare, you should update microcode as well.
Cancel Update Comment
Already Registered? Login Here
Guest
Saturday, 24 August 2019

Captcha Image

Stay in touch

CloudLinux Facebook Facebook 9K+ followers CloudLinux Twitter Twitter 10K+ followers CloudLinux YouTube Channel YouTube official channel CloudLinux on LinkedIn LinkedIn Follow us

Products
Success Stories
Partners
Support
About Us

© 2019 All rights reserved. CloudLinux Inc.
Terms of Use | Privacy Policy | Vulnerability Reporting | Legal 

enru

Call Sales at +1 (800) 231-7307

Email [email protected]