
Spectre and Meltdown Updates

5 January 2018 by Al McCloud

Updates

10 January

McAfee has included a method for auto deployment for the registry key change, which will allow the patch to be received through automatic Windows updates. For more information visit the McAfee website.

11 January

UKFast customers with a Physical Business Continuity Platform (BCP) Linux solution will need to have their reboots performed manually by the UKFast support team.

UKFast Windows Server clients using McAfee do not have to make changes to the registry to fix Meltdown vulnerabilities; UKFast are in the process of rolling out these updates.

12 January

New patches have been added for Debian and Ubuntu. See patch list below.

The eCloud control panel will be briefly disabled while we carry out patching work. We apologise for any inconvenience.

13 January

eCloud public has now been patched at a VMware level and is protected. See patch list below.

18 January

VMware have pulled their patches and updated their knowledge base. The company is delaying new releases of microcode updates while it works with Intel to resolve microcode patch issues as quickly as possible.

What is the vulnerability?

Two connected processor vulnerabilities, named Meltdown and Spectre, were recently announced.

Every system is potentially affected, from consumer tech to cloud infrastructure.

Meltdown is a hardware vulnerability which allows for unauthorised access to privileged memory. The fix requires moving the kernel to a separate virtual address space from user processes. It affects Intel processors.

Patches are being released periodically for this issue. These can be found below.

It is commonly paired with the Spectre vulnerability, which affects a large range of x86 processors including Intel, AMD, and ARM.


What is being done?

Our experts are working on updates which should cause minimal disruption to normal services.

Software specific updates are as follows:

Linux

All the major Linux distributions have patches available below. You can run an update through your package manager and restart your server to install the patch.

UKFast customers with a Physical Business Continuity Platform (BCP) Linux solution will need to have their reboots performed manually by the UKFast support team. This is due to additional modules that need to be installed after the reboot takes place and could lead to instability on the platform. We are contacting our customers to arrange an appropriate time for this to take place.
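The update-then-restart step above leaves a RHEL or CentOS 6/7 host in one of three states, which this added example (not UKFast's tooling) tells apart by comparing kernel release strings with the EL6/EL7 builds in the patch list on this page. The function names are illustrative; Debian and Ubuntu are left out because their listed versions are package versions rather than `uname -r` strings.

```shell
# Added example, not UKFast tooling. Fixed builds are the EL6/EL7 entries
# from this page's patch list; function names are illustrative.

# fixed_build RELEASE: print the patched build for the release's dist tag.
fixed_build() {
    case "$1" in
        *.el6*) echo "2.6.32-696.18.7.el6" ;;
        *.el7*) echo "3.10.0-693.11.6.el7" ;;
        *) return 1 ;;
    esac
}

# Drop the ".elN" dist tag and arch suffix so only numeric fields remain.
numeric_part() {
    printf '%s\n' "$1" | sed 's/\.el[0-9].*$//'
}

# version_ge A B: succeed when A >= B, comparing numeric fields left to right
# (a missing field counts as 0, so 696 < 696.18.7).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) exit ((xi > yi) ? 0 : 1)
        }
        exit 0
    }'
}

# is_patched RELEASE: 0 = at or above the fixed build, 1 = below, 2 = not EL6/EL7.
is_patched() {
    fixed=$(fixed_build "$1") || return 2
    version_ge "$(numeric_part "$1")" "$(numeric_part "$fixed")"
}

# kernel_state RUNNING INSTALLED: print what the host still needs.
kernel_state() {
    rc=0
    is_patched "$1" || rc=$?
    case $rc in
        0) echo "ok" ;;
        2) echo "unknown" ;;
        *) if is_patched "$2"; then echo "reboot-required"
           else echo "update-required"; fi ;;
    esac
}
```

On a live host, pass the output of `uname -r` as RUNNING and the version of the newest installed kernel package as INSTALLED; `reboot-required` means the patched kernel is on disk but the old one is still running.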

Windows

Windows Meltdown Flow Chart


Windows Server patches are available below. You can manually install these updates now by following instructions on UKFast Docs: Windows server client guide, or wait for the next update.

If you plan to manually install the patch, please be aware that there are known compatibility problems with some anti-virus vendors. You can check with your anti-virus provider and with Microsoft, which has provided further information about compatibility on its own support pages.

If you find that your anti-virus provider is not compatible with the patch, it will not be available to download from automatic updates, and will not automatically install during the next update. Please contact your anti-virus product vendor for more information.

UKFast Windows Server clients using McAfee do not have to make changes to the registry to fix Meltdown vulnerabilities; UKFast are in the process of rolling out these updates. This means that clients following our update schedule and with no anti-virus installed or McAfee Anti-Virus installed will get the patches through an automatic update.

Installing the patch isn’t enough to enable mitigation of the Meltdown vulnerability: Microsoft requires two registry keys to be changed after the update is installed. We are working on automating this, so it can be scheduled through the my.ukfast.co.uk site, along with the required reboot.

For our clients using McAfee Anti-Virus, if you plan to use the Windows automatic update method and do not see the patches available, McAfee have published an article which explains how to ensure that this patch is available. McAfee is evaluating ways of making the registry key changes automatically, so if you aren’t comfortable making registry changes, it may be worth waiting until McAfee have another update.

VMware

VMware products are not vulnerable to Meltdown.

VMware has released a security advisory with regard to the Spectre vulnerability. You can find documentation about these updates here:

VMware ESXi 6.5

VMware ESXi 6.0

VMware ESXi 5.5

Cisco

Cisco has stated that the majority of their products are closed systems and do not allow customers to run custom code so are not vulnerable.

Even so, the company is currently investigating its products which could be vulnerable: Cisco ASR 1000 Series, 5000 Series Switches, 7000 Series Switches, 9000 Series Switches and UCS B-Series.

There is more information from their security center.

Are my own devices at risk?

Potentially all devices are at risk, and our advice is to periodically check for updates from your manufacturer and install them as soon as possible. Over the coming weeks all vendors, developers and manufacturers should be issuing updates to protect your devices from any issues.

Patch Releases (last updated 12/01/2018 09:29 AM)

We will add links to new patches as soon as they are available.

RHEL 5: pending

RHEL 6: kernel-2.6.32-696.18.7.el6

RHEL 7: kernel-3.10.0-693.11.6.el7

CentOS 5: pending

CentOS 6: kernel-2.6.32-696.18.7.el6

CentOS 7: kernel-3.10.0-693.11.6.el7

Debian 6 Squeeze: not expected

Debian 7 Wheezy: 3.2.96-3

Debian 8 Jessie: 3.16.51-3+deb8u1

Debian 9 Stretch: 4.9.65-3+deb9u2

Ubuntu 12.04: not expected

Ubuntu 14.04: 3.13.0.139.148

Ubuntu 16.04: 4.4.0.108.113

Windows Server 2008: not expected

Windows Server 2008R2: KB4056897

Windows Server 2012: not expected

Windows Server 2012R2: KB4056898

Windows Server 2016: KB4056890