As you may be aware, a number of serious vulnerabilities have been disclosed that affect a wide set of CPU architectures. These vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) were disclosed this week by Google's Project Zero team and other information security professionals. A rapid response strategy is currently in review for emergency maintenance to patch these vulnerabilities, which will require a reboot of all shared, dedicated and cluster systems.

The vulnerabilities, known as side-channel speculative execution or Meltdown and Spectre, have the potential to allow code to execute on a CPU and access regions of memory that should otherwise be protected from access. This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD and ARM across servers, desktops and mobile devices.

Given the seriousness of this set of vulnerabilities, a rapid response is required to ensure our customers are protected. To be clear, there are currently no known exploits circulating that take advantage of these vulnerabilities. However, since details and code fixes are now publicly available, it is only a matter of time before attacks develop around these vulnerabilities.

Impact
The immediate security impact to our customers is negligible but has the potential to change. There are currently no known exploits in the wild that are taking advantage of these vulnerabilities. With a rapid patching schedule, it is our goal to ensure customers are protected before any exploits are made available.

The immediately available patches have been in the works for 3 months by various groups and vendors such as Linux Kernel developers, Microsoft, Intel, Google and Amazon. These patches represent the best mitigation techniques, known as Kernel Page Table Isolation (KPTI), to ensure code can not execute to access protected regions of memory.

There have been reports that KPTI patches will impose a performance penalty, as much as 30%+. These reports, while not entirely untrue, are very workload specific and are not representative of a blanket performance drop. In our own testing, as well as testing by other organizations, the day-to-day performance impact is expected to be negligible, at or around 5%.

The KPTI patches are not expected to impact page load times, database operations or execution of other tasks on our shared, dedicated or clustered platforms. The cases in which more tangible performance impacts can be seen, upwards of 5%, are on systems that are resource bound (overloaded) and already running at capacity.

In order to patch the systems we will need to reboot the servers. All dedicated servers will be patched and rebooted this weekend.

The patching procedure that will be executed on a per-system basis, generally, will be as follows:
NOTE: before applying the patch, we strongly recommend you verify your backups to insure you have a copy of your data.
Apply appropriate kernel updates and any dependent packages. No other software will be updated as part of this maintenance.
Validate that the kernel update applied successfully.
Perform a graceful reboot of the system.
Once the system is back online, ensure all services are operating as intended and web sites are loading.

This process is expected to result in as much as 15 minutes of downtime, per system. However, the average is likely to be less than this. During this downtime, all web sites and services hosted on a system scheduled for maintenance will be inaccessible.

Clients that have the standard management or have an unmanaged system will need to contact us to schedule a time to apply the patch if assistance is needed.

Update Schedule - VPS Systems
We plan on patching our VPS systems as soon as Virtuozzo (formally Parallels) pushes out a stable release. Once the release is pushed out, we will e-mail an updated patch schedule to all VPS clients with information on when their systems will be patched.

We appreciate your understanding and patience as we complete this process.

References:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://meltdownattack.com/
https://lwn.net/Articles/738975/
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html



samedi, janvier 6, 2018

« Retour

Powered by WHMCompleteSolution