User login
Qlustar: Install and enjoy!

[QSA-0228181] Linux kernel vulnerability

Qlustar Security Advisory 0228181

February 28th, 2018


Summary:

The system could crash or be made to run programs as an administrator. This update includes mitigations for the dangerous Spectre v1/2 vulnerabilities. You're urged to upgrade your systems as soon as possible.

In case you're absolutely sure that your environment is safe enough to be run without the mitigations for Meltdown and Spectre (e.g. for compute nodes in an HPC cluster), you can disable them with kernel parameters. To disable Meltdown mitigation use:

nopti

For Spectre variant 2:

spectre_v2=off

This prevents the performance penalty introduced by the mitigations. Within QluMan, it's easy to add additional kernel parameters to the boot config of a group of cluster nodes.


    Package(s)       : linux-image-ql-generic,
                       qlustar-module-core-trusty-amd64-9.2.0
    Qlustar releases : 9.2
    Affected versions: All versions prior to this update
    Vulnerability    : privilege escalation/denial of service
    Problem type     : local
    Qlustar-specific : no
    CVE Id(s)        : CVE-2017-5753, CVE-2017-5715
  

A vulnerability has been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem(s):

CVE-2017-5753

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated in the Linux kernel architecture by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function.

More use sites will be added over time.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated in the Linux kernel for the Intel x86-64 architecture by using the retpoline compiler feature which allows indirect branches to be isolated from speculative execution.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Instructions):

    linux-image-ql-generic                     4.9.83-ql-generic-10.0-11
    qlustar-module-core-trusty-amd64-9.2.0     9.2.0.4-b479f1128
  
glqxz9283 sfy39587stf02 mnesdcuix8
sfy39587stf03
sfy39587p08