List of CVEs

Advisory links

Mitigation

As soon as Virtuozzo updates are available, install the updates and reboot the server. Consider disabling Hyper-threading (see the discussion below).

Mitigation scenarios

• Virtuozzo server is running containers only, no virtual machines

  • Install the update on the host server, reboot the server.

• Virtuozzo server is running trusted virtual machines

  • Install the update on the host server and update the guest systems, reboot the server and guest virtual machines.

• Virtuozzo server is running untrusted virtual machines

  • Along with the host and guests’ updates, it might be necessary to disable simultaneous multithreading (Hyper-threading) completely. This mitigation is not enabled by default due to significant performance impact.

SMT discussion

SMT (Hyper-threading in terms of Intel) technology improves system performance by utilizing two logical processors on each physical core. The MDS attacks allows a malicious virtual machine guest, running on one thread, to access data brought another thread.

The full mitigation of the vulnerability is not possible without disabling Hyper-threading. However, disabling the HT technology severely impacts the system performance. In case one still wants to disable SMT, there are two ways to do it:

• Disable SMT (Hyper-threading, HT) in system BIOS, or

• Pass the ‘nosmt’ flag as a kernel boot parameter in the GRUB configuration file.

Update history

14.05.2019: Initial publication.

16.05.2019: Added the advisory links for Virtuozzo 6 and Virtuozzo containers 4.7 kernel update.

17.05.2019: Added the advisory link for Virtuozzo containers for Windows.

18.05.2019: Added the advisory link for Virtuozzo 7.

20.05.2019: Added the advisory link for Virtuozzo 6 userspace update.

22.05.2019: Added the advisory link for Virtuozzo Infrastructure Platform.