List of CVEs
Intel Software Guard Extensions aspects
Operating Systems and System Management Mode aspects
Server Bare Metal 5.0
Containers for Windows 6.0
Containers for Windows 4.6
CVE-2018-3615: Virtuozzo products are not affected by this vulnerability since they do not use Intel SGX.
CVE-2018-3620: To be resolved by the kernel update on the host server.
CVE-2018-3646: To be resolved by the kernel update on the host server and in virtual machines. Additionally, consider disabling SMT after reading the information below.
- Virtuozzo server is running containers only, no virtual machines:
  - Install the kernel update on the host server.
- Virtuozzo server is running trusted virtual machines:
  - Install the kernel update on the host server and update the guest systems.
- Virtuozzo server is running untrusted virtual machines:
  - Along with the host and guest updates, it might be necessary to disable simultaneous multithreading (Hyper-threading) completely. This mitigation is not enabled by default due to its significant performance impact.
Simultaneous Multithreading (SMT) Discussion
SMT (Hyper-threading in terms of Intel) technology improves system performance by utilizing two logical processors on each physical core. The L1TF attack allows a malicious virtual machine guest, running on one thread, to access data brought to the L1 CPU cache by another thread.
If you still want to disable SMT, there are two ways to do it:
- disable SMT (Hyper-threading, HT) in the system BIOS, or
- pass the 'nosmt' flag as a kernel boot parameter in the GRUB configuration file.
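The following script is an added example and is not part of the Virtuozzo advisory. It reads the kernel's own L1TF and SMT reports (standard sysfs/procfs paths), checks whether 'nosmt' is already on the boot command line, and shows how the GRUB_CMDLINE_LINUX line in /etc/default/grub would be amended; the grubby invocation is the CentOS 7 tool, named here as an assumption about the host distribution.

```shell
#!/usr/bin/env bash
# Added example, not from the Virtuozzo advisory: audit the L1TF/SMT state of a
# RHEL/CentOS 7 based host and prepare the 'nosmt' GRUB change the advisory mentions.
# sysfs/procfs paths are the upstream kernel's; grubby is assumed (CentOS 7).

L1TF_STATUS=/sys/devices/system/cpu/vulnerabilities/l1tf   # kernel's L1TF report
SMT_ACTIVE=/sys/devices/system/cpu/smt/active              # 1 = SMT siblings online

# has_nosmt "<kernel cmdline>" -> success if nosmt or nosmt=force is a separate parameter
has_nosmt() {
  for param in $1; do
    case "$param" in nosmt|nosmt=*) return 0 ;; esac
  done
  return 1
}

# classify_l1tf "<l1tf sysfs text>" -> one word describing how far the host is mitigated.
# Strings follow Documentation/admin-guide/hw-vuln/l1tf.rst.
classify_l1tf() {
  case "$1" in
    "Not affected"*)      echo not-affected ;;
    *"SMT disabled"*)     echo mitigated-smt-off ;;   # host, VMs and SMT all covered
    *"SMT vulnerable"*)   echo mitigated-smt-on ;;    # host covered; untrusted VMs still at risk
    "Mitigation:"*)       echo mitigated-partial ;;   # e.g. PTE inversion only, or flushes off
    "Vulnerable"*)        echo vulnerable ;;
    *)                    echo unknown ;;
  esac
}

# add_nosmt_to_grub_default '<GRUB_CMDLINE_LINUX line from /etc/default/grub>'
# -> the same line with nosmt appended once (idempotent). Run grub2-mkconfig afterwards.
add_nosmt_to_grub_default() {
  local line="$1" value
  value=${line#GRUB_CMDLINE_LINUX=}
  value=${value#\"}; value=${value%\"}
  if has_nosmt "$value"; then
    printf '%s\n' "$line"
  else
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "${value:+$value }nosmt"
  fi
}

# audit_host: print what the running kernel reports (read-only, safe on any Linux host)
audit_host() {
  local status cmdline
  status=$(cat "$L1TF_STATUS" 2>/dev/null || echo unknown)
  cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
  echo "l1tf status : $status -> $(classify_l1tf "$status")"
  echo "smt active  : $(cat "$SMT_ACTIVE" 2>/dev/null || echo unknown)"
  if has_nosmt "$cmdline"; then echo "boot cmdline: nosmt present"; else echo "boot cmdline: nosmt absent"; fi
  echo "to disable SMT at boot: grubby --update-kernel=ALL --args=nosmt (then reboot)"
}

audit_host
```

A result of mitigated-smt-on corresponds to the advisory's "trusted virtual machines" case; only mitigated-smt-off covers the untrusted-guest case.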
To help our customers choose a mitigation strategy, we are providing the benchmark results from testing we recently conducted. Benchmarking revealed that the L1TF fix has no performance impact on container virtualization. Benchmarking of virtual machines revealed a 10-15% performance drop due to the combined host and guest protection, and an additional 15% performance degradation with SMT disabled.
Virtuozzo ran the standard vConsolidate [1] test to assess the performance impact.
Containers benchmark (chart legend):
- Red line #1: Virtuozzo 7 Update 8 prior to L1TF fix, CentOS 7.5 2SMP 2Gb CT
- Grey line #2: Virtuozzo 7 Update 8 Hotfix 1 with L1TF fix, CentOS 7.5 2SMP 2Gb CT
Virtual machines benchmark (chart legend):
- Red line #1: Virtuozzo 7 Update 8 prior to L1TF fix, Windows 2012R2 2SMP 2Gb VM
- Green line #2: Virtuozzo 7 Update 8 Hotfix 1 with L1TF fix, Windows 2012R2 2SMP 2Gb VM, guest without L1TF fix
- Yellow line #3: Virtuozzo 7 Update 8 Hotfix 1 with L1TF fix, Windows 2012R2 2SMP 2Gb VM, guest with L1TF fix
- Blue line #4: Virtuozzo 7 Update 8 Hotfix 1 with L1TF fix and with SMT disabled, Windows 2012R2 2SMP 2Gb VM, guest with L1TF fix
[1] vConsolidate is a performance benchmark; it deploys one or more groups of virtual appliances, which run certain applications working together as a single group (called a Consolidation Stack Unit, CSU). Each server in the group generates output results, such as transactions per second, and the aggregated result is used to compare different virtualization solutions. By increasing the number of CSUs, it is possible to compare how different virtualization solutions behave: which produce more transactions on the same hardware with the same number of CSUs, and which are able to run more tiles effectively (before overall system performance begins to decrease).
15.08.2018: Initial publication.
20.08.2018: Added the advisory links for Virtuozzo 6, Virtuozzo 4.7, and Server Bare Metal 5.0.
30.08.2018: Added the advisory link for Virtuozzo 7.
31.08.2018: Added the benchmark results.
06.09.2018: Added the advisory links for Virtuozzo Containers for Windows.