Menu

React, etc. Tech Stack

React, Flux, GraphQL, Hack, HHVM...? All of this and more!

Linux Kernel 4.15 patches Meltdown and Spectre v2

An update to the Linux Kernel has been released. A week later than scheduled, the release 4.15 brings mitigations to the Meltdown and Spectre vulnerabilities.

In a twist of Irony the latest version of the Linux shipped the same weekend that Microsoft rolled back it's Windows Spectre patch citing issues with stability and memory corruption.

The two vulnerabilities have yet to come with large scale exploits, but with Linux being the most common Operating System in for server farms it is important. Linux is now running everything from Google to Facebook to IaaS providers like AWS and GCS down to PaaS offerings like Platform.sh and Heroku.

In addition to Linux in the server room, the kernel is also running on billions of mobile devices and desktop environments. Here the update to the latest version will mitigate the vulnerabilities, potentially exploited from the browser using JavaScript. Browser vendors have separate fixes in place, so the kernel update might not be critical. users can check if they are at with the online Spectre vulnerability check.

Meltdown and Spectre v2 handled, Spectre v1 still a risk

The Kernel is the core code in the operating system managing low level tasks. In the update both vulnerabilities are explicitly addressed. For Meltdown avoidance (Intel CPUs only) there is a feature called Page Table Isolation (PTI) that prevents exploiting Speculative Execution. Users can choose to turn it off with a special "pti=off" kernel boot option.

There are infact three instinct vulnerabilities identified, one Meltdown and two variations of Spectre. Spectre are known as v1 and v2. Kernel 4.15 does include a patch for Spectre variant 2 (v2), but for the v2 there is still work to be done.

For Spectre v2 the fix for both Intel and AMD processors, the fix comes in the form of a retpoline mechanism. It requires use of a compiler (GCC) that is compatible, so users will need to update accomplying fixes as well. As with the Meltdown fix, the Spectre fix can also be explicitly disabled at own risk.

So the Spectre v1 vulnerability is still at large, but difficult to exploit. Currently Windows Server machines have a working patch for v1, but not v2 - technically you could protect yourself by running the latest Kernel fix virtualized on the latest Windows Server release.

Written by Jorgé on Wednesday January 31, 2018

Permalink -

« Microsoft disables Windows Spectre fix in an update - Urql promises to simplify using GraphQL in React »