Adding cve updates for spectre and meltdown

[chrislovecnm]

No description provided.

[chrislovecnm]

/area security

[chrislovecnm]

@KashifSaadat what is the coreos version that you are updating to?

[KashifSaadat]

Hey @chrislovecnm, the latest stable release which includes the related security fixes: https://coreos.com/releases/#1576.5.0

[chrislovecnm]

@KashifSaadat should we add an update about how to bump cores with kops?? I think Debian, CoreOS, and Ubuntu are the most used distros.

[KashifSaadat]

Sure. The update process would actually be the same as what you have documented in this PR, maybe include a note to say it also applies for CoreOS and Ubuntu?

[chrislovecnm]

We maybe should have the ami names??

[justinsb]

Not really sure what we're saying here - maybe separate out the two spectre CVEs until there's some action we're recommending?

[chrislovecnm]

HUH? There are three CVE's open, all listed by NVD.

[justinsb]

But what are we recommending for the other two? I don't see why we're adding those two CVEs

[chrislovecnm]

Added a README.md so we can have the best of both worlds :)

[justinsb]

Let's reorder:

• All platforms are affected, not just AWS
• kops can run an image of your choice
• Linux kernel versions needed: 4.4: >= 4.4.110, ...
• By default, kops runs an image that includes the 4.4 kernel. An updated image is available with 4.4.110
• If running another image please update to a fixed image, which must be provided by your distro
• After update you will have to do an update & rolling-update.

[justinsb]

Or maybe we swap kops can run with linux kernel versions needed... :-)

[justinsb]

Add how to know:

  dmesg -H | grep 'page tables isolation'
    [  +0.000000] Kernel/User page tables isolation: enabled

If you don't see "Kernel/User page tables isolation: enabled", you are vulnerable.

[justinsb]

Let's just say all AMIs without the newer kernel are vulnerable. Likely all kernels built prior to 2018-01-03 are vulnerable.

[justinsb]

👍

[justinsb]

We switched from #### to inline here.

Maybe do this for each:

### Dry-run update
Perform dry-run update, verifying that all instance groups are updated:
`kops update $CLUSTER` 

i.e. repeat, but keep headline short.

[justinsb]

kops upgrade cluster soon :-)

[chrislovecnm]

won't that upgrade k8s as well??

[justinsb]

Let's not actively recommend the coreos update - there's a non-obvious kernel change (4.13 -> 4.14). If we want to, we can link to the CoreOS update docs instead https://coreos.com/blog/container-linux-meltdown-patch

[chrislovecnm]

/assign @justinsb

[justinsb]

What does this date mean?

[chrislovecnm]

Should be Jan 7 ... opps. The last date this document was updated.

[justinsb]

Can I suggest we cut this paragraph, and replace with:

* All unpatched versions of linux are vulnerable when running on affected hardware, across all platforms (AWS, GCE, etc)
* Patches are included in Linux 4.4.110 for 4.4, 4.9.75 for 4.9, 4.14.12 for 4.14.
* kops can run an image of your choice, so we can only provide detailed advice for the default image.
* By default, kops runs an image that includes the 4.4 kernel. An updated image is available with the patched version (4.4.110).  Users running the default image are strongly encouraged to upgrade.
* If running another image please see your distro for upgraded images.
* After updating the image, you will have to do an update & rolling-update.

[chrislovecnm]

np ... I do not like the last sentence, as I want them to read the actual instructions. But will add.

[justinsb]

That's fair, though the instructions are still pretty vague here :-)

[justinsb]

Should this list match up with the list as before?

(i.e. why is 5715 here but not in the headline)

[chrislovecnm]

Three CVEs have been released with spectre and meltdown.

5715 is not fixed.

[justinsb]

OK, but what is the purpose of the list at the top then? Do we believe that 5753 is fixed?

[justinsb]

That seems a bold statement.

[chrislovecnm]

I can say in the negative. Variant 2 is not addressed in this advisory?

[justinsb]

I'd just go for clarity and honesty Maybe "This is a new and wide-ranging vulnerability, and there will probably be more updates over the coming months. The CVEs are differentiated by the means by which they exploit the same underlying vulnerability, and it is likely that more attack vectors will be found. This kernel update primarily aims to address CVE-2017-5754."

[justinsb]

"For the kops-maintained AMIs, the following AMIs contain an updated kernel:"

[justinsb]

Random upper case W

[justinsb]

Maybe group by year, at least

Also sort in reverse order?

[justinsb]

One line per vuln methinks, no matter how many names they give it. Should make life easier for our users:

- [Meltdown and Spectre](meltdown-spectre.md) CVE-2017-5753, CVE-2017-5754, CVE-2017-5715

[chrislovecnm]

I would rather list each cve individually. More readable to me 🤷‍♂️

[justinsb]

But for our users, they'll have to click through all 3 to see that they're one and the same.

Also, when we have another patch for the same CVE, what do we do then?

[justinsb]

Putting myself in our user's shoes, I would want this closer to the top. I want to figure out if I am vulnerable before I decide to patch.

[justinsb]

How about:

"All linux kernels were vulnerable when running on affected hardware. Fixed in 4.4.110 for 4.4, 4.9.75 for 4.9, 4.14.12 for 4.14."

And replace this whole list (we're going to move it above)

[justinsb]

👍

[justinsb]

/lgtm

We're going to merge and I'm going to send a PR with my tweaks

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS [justinsb]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[AlexLast]

Should this be here twice?