Q: How do I fix the vulnerability?
A:
1) Microcode update is required
To address CVE-2017-5715, also known as Spectre variant 2, new microcode must be installed on the hardware nodes. Some microcode updates ship with the `microcode_ctl` package and some do not; this article explains how to determine whether you need to download and install new microcode.
2) Install the Virtuozzo update

| Product | Status | Update |
|---|---|---|
| Virtuozzo 7 | Published | Important kernel security update |
| Virtuozzo 6 - Containers | Published | Important kernel security update |
| Virtuozzo 6 - VMs | Published | Important product update |
| Virtuozzo 4.7 | Published | Important kernel security update |
| Virtuozzo Windows 6 | Published | VZU600055 |
| Virtuozzo Windows 4.6 | Published | VZU460130 |
| OpenVZ | Published | kernel rhel6 042stab129.1 |

For Virtuozzo 7, after installing the update, stop and start virtual machines from the server side (please do not reboot VMs from inside the guest). This recreates the qemu process, and the virtual machine will use a new processor supporting all the necessary mitigation features.
Q: What is the source of the vulnerability?
A: An Intel hardware design flaw that affects all of the latest Intel x86-64 chipsets. Unfortunately there is no fix at the microcode level, so the fix is implemented in the individual operating systems. MITRE identifiers: CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754. A detailed description of the vulnerabilities is available at https://spectreattack.com/
Q: What operating systems are affected?
A: All operating systems are affected: the whole Linux family, Windows and macOS.
Q: What is Virtuozzo doing to address the performance issues?
A: Virtuozzo is dedicated to providing constant improvements for our partners and will continue to strive to maximize efficiency and performance. Our first priority was to solve the security concerns, but our effort will not stop there. We will continue to keep you informed of performance testing, as it becomes available.
Q: Some articles report performance penalties due to the fix. Will it impact the Virtuozzo platform?
A: Yes, an impact is expected: KPTI comes with a measurable run-time cost. However, the reported numbers vary widely; LWN estimates it at about 5%. From the LWN article: “Most workloads that we have run show single-digit regressions. 5% is a good round number for what is typical. The worst we have seen is a roughly 30% regression on a loopback networking test that did a ton of syscalls and context switches.” That is a cost that some users may not want to pay, especially once they get newer processors that lack these problems. There will be a `nopti` command-line option to disable this mechanism at boot time. Virtuozzo will provide performance test results for specific versions; at this point there is no reliable data available.
Q: How should I plan for the update?
A: This fix requires a server reboot. Please plan maintenance windows and notify customers about the upcoming maintenance.
Please subscribe to Virtuozzo security updates here to receive notifications about updates.
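Once the microcode and kernel updates above are installed and the node has been rebooted, an administrator will want to confirm that the mitigations are actually active and that `nopti` has not been left on the boot command line. The following POSIX shell script is an added example, not Virtuozzo's own tooling: it reads the per-vulnerability status files that newer upstream and RHEL-based kernels expose under `/sys/devices/system/cpu/vulnerabilities` (an assumption: on older kernels the directory is absent and the check reports "unknown"), checks `/proc/cmdline` for `nopti`, reports the microcode revision from `/proc/cpuinfo`, and wraps the server-side VM restart with the Virtuozzo 7 `prlctl stop`/`prlctl start` commands (the VM name must be supplied by the caller). The functions take file paths as parameters so they can also be pointed at saved copies of those files.

```shell
#!/bin/sh
# Post-update verification for the Spectre/Meltdown mitigations.
# Added example; the sysfs status files are assumed to exist on the running kernel.

# Print the status of each vulnerability file under DIR and return 0 only if every
# one reports "Mitigation: ..." or "Not affected"; 1 if any is vulnerable or missing;
# 2 if the kernel does not expose the directory at all.
mitigation_status() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "unknown: $dir not present (kernel does not report mitigation status)"
        return 2
    fi
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        name=$(basename "$f")
        if [ ! -r "$f" ]; then
            echo "$name: unknown (file missing)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            Mitigation:*|"Not affected") echo "$name: OK ($status)" ;;
            *)                            echo "$name: VULNERABLE ($status)"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if the boot command line in file CMDLINE (normally /proc/cmdline)
# contains the whole word "nopti", i.e. page-table isolation was disabled at boot.
pti_disabled_on_cmdline() {
    cmdline="$1"
    [ -r "$cmdline" ] || return 1
    grep -qw nopti "$cmdline"
}

# Print the microcode revision from file CPUINFO (normally /proc/cpuinfo);
# x86 kernels report it as a "microcode" line for each CPU, the first one is enough.
microcode_revision() {
    cpuinfo="$1"
    awk -F': ' '/^microcode/ { print $2; exit }' "$cpuinfo"
}

# Stop and start one VM from the host so its qemu process is recreated with the
# new virtual CPU. Assumes the Virtuozzo 7 prlctl command; VM is the VM name.
restart_vm_from_host() {
    vm="$1"
    prlctl stop "$vm" && prlctl start "$vm"
}

# Stand-alone use: ./check_mitigations.sh --check
if [ "${1:-}" = "--check" ]; then
    mitigation_status /sys/devices/system/cpu/vulnerabilities
    if pti_disabled_on_cmdline /proc/cmdline; then
        echo "WARNING: nopti is set, the Meltdown mitigation (KPTI) is disabled"
    fi
    echo "microcode revision: $(microcode_revision /proc/cpuinfo)"
fi
```

A non-zero exit status from `mitigation_status` after the reboot means the update did not take effect on that node (wrong kernel booted, or the microcode for that CPU model is still missing), which is the case to investigate before restarting the VMs.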