Major Intel CPU vulnerability
-
In a cloud hosting scenario, VPS...
If the host is patched, and guest1 VM is patched, but guest2 VM is not patched... are there still meltdown or spectre vulnerabilities for guest1?
How exactly does this work?
-
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
-
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
-
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
While these are some pretty nasty vulnerabilities, I don't currently consider them that horrible. As I understand it (and I leave TONS of room to learn new things about these) you can only be affected if you run untrusted code on your system. Assuming that webpages can't take advantage, this amounts to the same level of issue as a typical virus.
Assuming hardware vendors don't produce updates for hardware more than say 3 years old - how many here are going to be replacing their machines/devices (don't forget your android phones are affected too - last I heard)?
-
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
-
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
While these are some pretty nasty vulnerabilities, I don't currently consider them that horrible. As I understand it (and I leave TONS of room to learn new things about these) you can only be affected if you run untrusted code on your system. Assuming that webpages can't take advantage, this amounts to the same level of issue as a typical virus.
Assuming hardware vendors don't produce updates for hardware more than say 3 years old - how many here are going to be replacing their machines/devices (don't forget your android phones are affected too - last I heard)?
In a desktop or laptop case, the risk is tiny compared to the big fear of shared computing environments.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
-
@dashrender said in Major Intel CPU vulnerability:
... (don't forget your android phones are affected too - last I heard)?
The risk is not based on OS, so can't be determined by something like "Android phone." Some Androids are affected, some are not.
-
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
-
I want to know how this effects hosts... does just the host need patched, or every VM?
-
@tim_g said in Major Intel CPU vulnerability:
I want to know how this effects hosts... does just the host need patched, or every VM?
Every VM.
-
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
The "other" being the chip design flaw itself?
-
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
The "other" being the chip design flaw itself?
Right, the flaw is a literal bug and affects Intel. The broader (but less dangerous) issue is that certain types of processor tasks, mixed together, without being addressed by the OS, create a risk in memory.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
The "other" being the chip design flaw itself?
Right, the flaw is a literal bug and affects Intel. The broader (but less dangerous) issue is that certain types of processor tasks, mixed together, without being addressed by the OS, create a risk in memory.
So the true 100% fix is really going to be hardware replacement, unless it can be address by some kind of lower-level flash update of the hardware.
-
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
The "other" being the chip design flaw itself?
Right, the flaw is a literal bug and affects Intel. The broader (but less dangerous) issue is that certain types of processor tasks, mixed together, without being addressed by the OS, create a risk in memory.
So the true 100% fix is really going to be hardware replacement, unless it can be address by some kind of lower-level flash update of the hardware.
Intel is providing microcode updates to the hardware.
But no question, we should all be questioning the use of Intel hardware in the future. We've always excused their FakeRAID stuff as a one-off misunderstanding of business customers; but this has shown that the same disregard for their customers and lack of proper thinking is much more broad and not limited to that one division.
-
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
The "other" being the chip design flaw itself?
Right, the flaw is a literal bug and affects Intel. The broader (but less dangerous) issue is that certain types of processor tasks, mixed together, without being addressed by the OS, create a risk in memory.
So the true 100% fix is really going to be hardware replacement, unless it can be address by some kind of lower-level flash update of the hardware.
Hardware replacement fixes Meltdown, but not Spectre, as the latter is an issue on almost all systems.
-
@scottalanmiller said in Major Intel CPU vulnerability:
Intel is providing microcode updates to the hardware.
And I imagine the way to get it is from your computer's manufacturer, which for your ancient workstations, there probably won't be an update released.
Right now, I'm trying to see if SuperMicro has any kind of update I can apply to our production servers.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
@dashrender said in Major Intel CPU vulnerability:
@eddiejennings said in Major Intel CPU vulnerability:
In addition to OS patches, I assume we ought to be looking for BIOS updates as well, which, with many of our ancient desktops, there will probably be none.
I don't expect any for my 3 year old laptops, let alone my 5-7 year old desktops.
The question then is whether or not the OS patching will be sufficient.
Depends if it is Intel based or from a more security-minded vendor.
All Dell and all Intel.
Then an OS patch cannot fix it.
While I understand the problem itself is with the chip, aren't the OS patches being released supposed to alter how memory is handled, which doesn't fix, but rather mitigates the problem (and potentially lowers performance)?
That handles the one issue, not the other.
The "other" being the chip design flaw itself?
Right, the flaw is a literal bug and affects Intel. The broader (but less dangerous) issue is that certain types of processor tasks, mixed together, without being addressed by the OS, create a risk in memory.
So the true 100% fix is really going to be hardware replacement, unless it can be address by some kind of lower-level flash update of the hardware.
Intel is providing microcode updates to the hardware.
But no question, we should all be questioning the use of Intel hardware in the future. We've always excused their FakeRAID stuff as a one-off misunderstanding of business customers; but this has shown that the same disregard for their customers and lack of proper thinking is much more broad and not limited to that one division.
But isn't majority of vendors who sells servers only sell Intel based servers?
