Hi Team,
Please share your suggestions about this.
I tried an online tool to check the vulnerability of Spectre and Meltdown; this is after upgrading to the 4.4.111-1 kernel version in CentOS 7. But it's still showing in a vulnerable state. I'm running this script on an AWS instance. Please advise me.
Script: https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
Output:
Spectre and Meltdown mitigation detection tool v0.24
Checking for vulnerabilities against live running kernel Linux 4.4.111-1.el7.elrepo.x86_64 #1 SMP Wed Jan 10 13:12:02 EST 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 35 opcodes found, should be >= 70)
> STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
--
Thanks
Mohammed Azfar
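Summarising the checker output quoted above per CVE, so the result can gate a fleet-wide check rather than being read by eye. This is an added example, not part of the thread or of the spectre-meltdown-checker project; it assumes only the v0.24 text layout shown above (a "CVE-YYYY-NNNN [...]" header line followed by a "> STATUS:" line), constructs its own sample input, and strips the ANSI colour codes the tool emits when writing to a terminal.

```shell
#!/bin/sh
# Added example: summarise spectre-meltdown-checker output per CVE.
# Assumes the v0.24 text layout quoted in the thread, nothing else.

# sample_output: constructed sample in that layout (not a real capture).
# The last status line carries ANSI colour codes, as the tool emits on a
# terminal, to exercise the colour-stripping path.
sample_output() {
    printf '%s\n' \
        "CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'" \
        "> STATUS:  VULNERABLE  (heuristic to be improved when official patches become available)" \
        "CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'" \
        "> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)" \
        "CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'"
    printf '> STATUS:  \033[42m\033[30mNOT VULNERABLE\033[0m  (PTI mitigates the vulnerability)\n'
}

# summarize_checker: read checker output on stdin and print one
# "<CVE> VULNERABLE|NOT_VULNERABLE" line per CVE section.
summarize_checker() {
    esc=$(printf '\033')
    awk -v esc="$esc" '
        { gsub(esc "\\[[0-9;]*m", "") }          # strip ANSI colour sequences
        /^CVE-[0-9]+-[0-9]+ / { cve = $1 }        # remember the current CVE header
        /^> STATUS:/ && cve != "" {
            status = ($0 ~ /NOT VULNERABLE/) ? "NOT_VULNERABLE" : "VULNERABLE"
            print cve, status
            cve = ""                              # one verdict per header
        }
    '
}

# status_of CVE-ID: print the verdict for one CVE (empty if absent).
status_of() {
    summarize_checker | awk -v c="$1" '$1 == c { print $2 }'
}

# count_vulnerable: number of CVEs the checker still reports VULNERABLE.
count_vulnerable() {
    summarize_checker | awk '$2 == "VULNERABLE" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample. With real output, pipe the checker
# into summarize_checker instead and act on count_vulnerable.
sample_output | summarize_checker
```

On the sample, Spectre variants 1 and 2 are reported VULNERABLE and Meltdown NOT_VULNERABLE, matching the thread's output.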
you are running a RedHat kernel, you will have to ask them about what they have
included in it.
k
On Mon, 15 Jan 2018 13:17:17 -0800, David Lang wrote:
> you are running a RedHat kernel, you will have to ask them about what they have
> included in it.
> k
I see that the OP is running kernel 4.4.111 as provided by ELRepo
( http://elrepo.org/tiki/kernel-ml ).
Mohammed, try updating the microcode by downloading the latest file
from Intel. That should take care of the issue.
Akemi
the 4.4.112 patches that Greg just posted include a bunch of work for these
vulnerabilities.
Who knows what has been backported to the kernel he is running.
k
On Mon, Jan 15, 2018 at 4:50 PM, David Lang <[email protected]> wrote:
> the 4.4.112 patches that Greg just posted include a bunch of work for these
> vulnerabilities.
>
> Who knows what has been backported to the kernel he is running.
> k
In RHEL (therefore CentOS), microcode comes from the microcode_ctl
package which is currently at 2.1-22.2.el7. If you get the latest from
Intel ( https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
), that will update the microcode on your system to "date =
2017-11-20". As far as I can see, that changes the test result of
'Spectre Variant 2' from vuln to Not vuln.
Akemi