/** * This is the notes section. CVE documents should ONLY be created by employees of ClearCenter with the authority to make statements on behalf of the company. If you have content that would be useful to the statement, please contact ClearCenter. */
'Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.'
This exploit is commonly known as Spectre (Variant 2).
This bug affects certain hardware components and not software components. If your hardware is vulnerable to this class of exploits then you are vulnerable no matter the OS that is running and must apply software and, in some cases, firmware for your hardware to mitigate known vectors of the vulnerability.
Hardware that is vulnerable to this class of exploits need to have the latest kernel running in order to mitigate issues related to these exploits.
All ClearOS 7 systems that are set to get automatic updates will begin to receive patches to help mitigate the risks associated with Meltdown and Spectre. Please click on the URL below for instructions on how to determine the Kernel version of your system. https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_determining_your_running_kernel_version If your system report shows the version number or higher, your ClearOS system has received the needed patches for Meltdown and Spectre. You will need to run the following or later to have the patches that deal with Meltdown and Spectre:
ClearOS 7: 3.10.0-693.11.6.v7 or later ClearOS 6: 2.6.32-696.18.7.v6 or later (note, as of this writing, this build in currently building and this number may change) ClearOS 5 and ClarkConnect: These are End of Life products and should be reinstalled with a newer version of ClearOS. Contact ClearCenter sales for more information.
If your system does not have this kernel running, perform the following:
Because this patch makes significant changes to the kernel which cannot be updated in a dynamic way to the running kernel, you will need to schedule a system reboot during a maintenance window (or as soon as possible) for the patches to take full effect.
Because of the difficulty with upstream patch availability with ClearVM, users of ClearVM will be required to migrate to the newer version of ClearVM that will be releasing in the January/February timeframe. To ensure that this exploit cannot be executed on your ClearVM environment, please ensure that local access to the ClearVM node and any VMs running under ClearVM is isolated to trusted users. As an immediate workaround in critical environments or those that are exposed in ways in which this exploit can be implemented, users of ClearVM can migrate their virtual machines to ClearOS under KVM and libvirt for the time being. Users of ClearVM with support options from ClearCenter can get support with this path if immediate resolution is required before the general release of the next ClearVM platform.
The type 2 variant of these exploits may require updates to your firmware of ClearBOX. We are still in the process of analyzing whether ClearOS sufficiently covers the patching requirements all by itself or if there are specific hardware-related patches that are required. Please stay tuned, inquire in the forums, or contact ClearCenter if you have a qualifying and current support subscription with ClearCenter. Looking Forward: Intel and other hardware manufacturers are looking for ways to apply firmware updates that could also help mitigate risk, but ClearOS and other OS providers are working independently to help protect users of affected server, workstation, laptop, and tablet gear. It's important to know that Meltdown and Spectre are processor hardware-related bugs that can't be completely fixed by software patches. However, there are a number of ways software patches can minimize the risk associated with these exploits and ClearCenter is committed to doing everything we can to mitigate any potential damage from Meltdown and Spectre. We will continue to release additional patches in the future to further help reduce your exposure to Meltdown and Spectre.
Because of the nature of these vulnerabilities, the patch to address Meltdown include methods that segment memory pages. The result is that all patched systems with the Meltdown vulnerability may see a decrease in performance. This issue impacts many platforms including all versions of Linux, MacOSX, and Windows. We expect ClearOS systems to see a 5% to 20%+ decrease in speeds related to operations dealing in non-user space of memory. Our advice is to let the automatic patches update your system and take the performance hit. However If you are willing to take some risk, it is possible to bypass the system patches and not take the performance hit. To read more about tuning the variables that disable the security fix and re-enable the perform capabilities which are exploitable, click here to visit the Redhat notes related to the patch they produced which was adopted in ClearOS.
If you have an included support package with ClearCenter and your system is negatively impacted by the fix, feel free to open a ticket related to your specific performance issue.
Ensure that you are running the latest ClearOS version by running:
yum -y update && reboot
Update to the newest version of ClearVM. RELEASE TBD as of the writing of this article. Expected Jan/Feb 2018