This page lists all available security updates that fix the Spectre and Meltdown vulnerabilities, grouped by the operating system of the Outscale machine images (OMIs) your instances run. For more information, see the official Meltdown attack documentation.

These updates are valid for all Regions of the Outscale Cloud, and included in all official Outscale machine images (OMIs) published after .


Our Support team is available to help you if necessary. For more information, see Technical Support.



In each procedure, we recommend stopping and starting your instance instead of performing a soft reboot ($> shutdown -r now). For more information, see Stopping and Starting Instances.


General Information About Vulnerability Patches

The table below has four columns: Operating System, Spectre - version 1 (bounds check bypass, CVE-2017-5753), Spectre - version 2 (branch target injection, CVE-2017-5715) and Meltdown (rogue data cache load, CVE-2017-5754). Each row is given with one entry per column.

Linux

Spectre - version 1 (CVE-2017-5753): Mitigation WAIT

Patch compilers and recompile software with the LFENCE instruction to stop speculation.

Spectre - version 2 (CVE-2017-5715): Mitigation 1 / Mitigation 2

Mitigation 1 (IBRS)

  • Hardware (CPU microcode) support for mitigation: IN PROGRESS
  • Kernel support for IBRS: DONE
  • IBRS enabled for kernel space: DONE

    echo 1 > /sys/kernel/debug/x86/ibrs_enabled
  • IBPB enabled for user space: DONE

    echo 1 > /sys/kernel/debug/x86/ibpb_enabled

Mitigation 2 (retpoline)

  • Kernel compiled with the retpoline option: DONE
  • Kernel compiled with a retpoline-aware compiler: DONE

Patch compilers to avoid any indirect jump and use a static trampoline (aka retpoline) instead; gcc has a pending patch to introduce this feature. But if you recompile only the kernel with it, that fixes only the kernel itself: user processes can no longer read kernel memory, but a process can still read another process's memory. All software has to be recompiled with the mitigation to be secure.

https://lkml.org/lkml/2018/1/3/780

https://googleprojectzero.blogspot.fr/2018/01/reading-privileged-memory-with-side.html

Summary

  • IBRS hardware + kernel support OR a kernel built with retpoline is needed to mitigate the vulnerability.

Meltdown (CVE-2017-5754): Mitigation DONE

Kernel patch to isolate kernel space and user space (Page Table Isolation):

  • Kernel supports Page Table Isolation (PTI): DONE
  • PTI enabled and active: DONE

    cat /sys/kernel/debug/x86/pti_enabled
    1

Windows

Spectre - version 1 (CVE-2017-5753): DONE
Spectre - version 2 (CVE-2017-5715): DONE
Meltdown (CVE-2017-5754): DONE
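The checks in the Linux row can be scripted so that an instance reports its own status after the update and the stop/start. The POSIX shell script below is an added example, not code from the Outscale page or from Outscale's tooling. It reads the RHEL/CentOS 7 debugfs toggles cited above (ibrs_enabled, pti_enabled) and, beyond the page's text, the upstream /sys/devices/system/cpu/vulnerabilities/* files that newer kernels expose for the same three CVEs, plus the "pti" flag in /proc/cpuinfo. The function names and the ROOT prefix argument (which lets the same functions run against a copied or mock tree) are assumptions of this example.

```shell
#!/bin/sh
# Spectre/Meltdown mitigation status for a Linux instance.
# Added example; not part of the Outscale page. ROOT is an assumed path
# prefix ("" for the live system) so the checks can also be run on a
# copied tree. /sys/kernel/debug requires debugfs to be mounted and root.

# read_value FILE: print the file content without newlines, or "missing".
read_value() {
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        printf 'missing'
    fi
}

# vuln_mitigated ROOT NAME: succeed when the upstream sysfs file
# /sys/devices/system/cpu/vulnerabilities/NAME reports "Mitigation: ...".
vuln_mitigated() {
    case "$(read_value "$1/sys/devices/system/cpu/vulnerabilities/$2")" in
        "Mitigation:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# debugfs_on ROOT NAME: succeed when /sys/kernel/debug/x86/NAME is non-zero
# (the RHEL backport accepts 0, 1 or 2 for ibrs_enabled; 0 or 1 for pti_enabled).
debugfs_on() {
    v=$(read_value "$1/sys/kernel/debug/x86/$2")
    case "$v" in
        1|2) return 0 ;;
        *) return 1 ;;
    esac
}

# spectre_v1_status ROOT: DONE when the kernel reports a mitigation, else WAIT.
spectre_v1_status() {
    if vuln_mitigated "$1" spectre_v1; then echo DONE; else echo WAIT; fi
}

# spectre_v2_status ROOT: DONE when the kernel reports a mitigation
# (retpoline or IBRS) or the RHEL IBRS toggle is on; otherwise WAIT.
spectre_v2_status() {
    if vuln_mitigated "$1" spectre_v2 || debugfs_on "$1" ibrs_enabled; then
        echo DONE
    else
        echo WAIT
    fi
}

# meltdown_status ROOT: DONE when PTI is active (upstream report, RHEL
# pti_enabled toggle, or the "pti" flag in /proc/cpuinfo); otherwise WAIT.
meltdown_status() {
    if vuln_mitigated "$1" meltdown || debugfs_on "$1" pti_enabled \
       || grep -qw pti "$1/proc/cpuinfo" 2>/dev/null; then
        echo DONE
    else
        echo WAIT
    fi
}

# report ROOT: one line per vulnerability, in the order of the table above.
report() {
    root=${1:-}
    printf 'Spectre v1 (CVE-2017-5753): %s\n' "$(spectre_v1_status "$root")"
    printf 'Spectre v2 (CVE-2017-5715): %s\n' "$(spectre_v2_status "$root")"
    printf 'Meltdown   (CVE-2017-5754): %s\n' "$(meltdown_status "$root")"
}

# Report on the live system when run as a script:
#   mount -t debugfs none /sys/kernel/debug 2>/dev/null; sh check.sh
report ""
```

A WAIT for Spectre v2 with ibrs_enabled present but 0 means the kernel supports IBRS but it is switched off; a "missing" value from pti_enabled on a kernel that does report "Mitigation: PTI" simply means debugfs is not mounted, which is why the upstream files are consulted first.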


Available Patches per OMI Operating System

The table below has five columns: OMI Operating System, OMI Update, Spectre - version 1 (CVE-2017-5753), Spectre - version 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754). The statuses listed for each row are the ones recorded for it.

  • Ubuntu 14.04 / Docker: WAIT
  • CentOS 6: WAIT
  • CentOS 7: DONE, IN PROGRESS
  • Debian 8 Jessie: WAIT
  • Microsoft Windows Server 2012 R2: DONE
  • Microsoft Windows Server 2016: DONE


Windows® is a registered mark of Microsoft Corporation in the United States and/or other countries.

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.

See Legal Mentions.