List of CVEs
CVE number | Name | Impact | Short description of the attacks |
CVE-2018-12126 | Microarchitectural Store Buffer Data Sampling (MSBDS) | Moderate | A side channel attack against CPU’s store buffers, also known as Fallout. |
CVE-2018-12127 | Microarchitectural Load Port Data Sampling (MLPDS) | Moderate | A side channel attack against CPU’s load ports. |
CVE-2018-12130 | Microarchitectural Fill Buffer Data Sampling (MFBDS) | Important | A side channel attack against CPU’s fill buffers, also known as RIDL or ZombieLoad. |
CVE-2019-11091 | Microarchitectural Data Sampling Uncacheable Memory (MDSUM) | Moderate | A side channel attack against CPU’s fill buffers. |
Advisory links
Platform | Status | Advisory link |
Virtuozzo Infrastructure Platform 2.5 | Released | |
Virtuozzo 7 | Released | |
Virtuozzo 6 - Containers | Released | |
Virtuozzo 6 - Virtual Machines | Released | |
Virtuozzo 4.7 | Released | |
Containers for Windows 6.0 | Released |
Mitigation
As soon as Virtuozzo updates are available, install the updates and reboot the server. Consider disabling Hyper-threading (see the discussion below).
Mitigation scenarios
Virtuozzo server is running containers only, no virtual machines
Install the update on the host server, reboot the server.
Virtuozzo server is running trusted virtual machines
Install the update on the host server and update the guest systems, reboot the server and guest virtual machines.
Virtuozzo server is running untrusted virtual machines
Along with the host and guests’ updates, it might be necessary to disable simultaneous multithreading (Hyper-threading) completely. This mitigation is not enabled by default due to significant performance impact.
SMT discussion
SMT (Hyper-threading in terms of Intel) technology improves system performance by utilizing two logical processors on each physical core. The MDS attacks allows a malicious virtual machine guest, running on one thread, to access data brought another thread.
The full mitigation of the vulnerability is not possible without disabling Hyper-threading. However, disabling the HT technology severely impacts the system performance. In case one still wants to disable SMT, there are two ways to do it:
Disable SMT (Hyper-threading, HT) in system BIOS, or
Pass the ‘nosmt’ flag as a kernel boot parameter in the GRUB configuration file.
Update history
14.05.2019: Initial publication.
16.05.2019: Added the advisory links for Virtuozzo 6 and Virtuozzo containers 4.7 kernel update.
17.05.2019: Added the advisory link for Virtuozzo containers for Windows.
18.05.2019: Added the advisory link for Virtuozzo 7.
20.05.2019: Added the advisory link for Virtuozzo 6 userspace update.
22.05.2019: Added the advisory link for Virtuozzo Infrastructure Platform.