
As you know, Red Hat published a script to check whether the system is vulnerable to Spectre and Meltdown. A kernel upgrade and activation/deactivation of some features is enough to avoid these vulnerabilities. But there is something in the result of the script that I didn't understand.

Output of Checker Script

You can see the output says the system vulnerability is "yes" for variant 1 in the three rows below the CPU information. And then, after this section, the output says the system vulnerability is "no" for variant 1. Is there something that I missed? I check the "STATUS: " parts only. Is this enough to avoid these vulnerabilities?

Jo Shepherd
  • Yes, maybe like that. But I couldn't find any solution to fix these problems. Is there something that I must do? The server is a VM and the ESXi is not vulnerable to Spectre and Meltdown. – Jo Shepherd Apr 17 '18 at 09:01
  • What problems? You have kernel fixes in place. You are vulnerable to Spectre variant 2. Which makes sense because that requires a microcode to fix, either one applied permanently or one applied every time the machine boots into the OS. – Ramhound Apr 17 '18 at 11:15
  • Thanks @Ramhound. I think I cannot do anything after the update. – Jo Shepherd Apr 17 '18 at 11:33
  • @Gefolge What? Your last comment is extremely confusing. Hate to break it to you but ESXi is indeed vulnerable to these vulnerabilities. Just like any OS is vulnerable. VMWare released patches though, and firmware, check the appropriate documentation for more information. Source: Extensive research into the subject and experience with VMWare. – Ramhound Apr 17 '18 at 11:39
  • @Ramhound We fixed the vulnerability of the ESXi server to the second variant of Spectre. I know the vulnerability is about the CPU, so all OSes are in danger, but our ESXi has been fixed and the RHEL patches of this VM have been updated. Oracle VMs are green for all vulnerabilities after only "yum update", but Red Hat cannot be "not vulnerable" to Spectre II. As I understand, there is nothing that fixes this vulnerability for Red Hat. – Jo Shepherd Apr 17 '18 at 11:56
  • "As I understand, there is no something fix this vulnerability for Red Hat." - What? If you patched the hypervisor then it's possible the problem is the script itself. It was designed to detect the new CPU instruction on a physical machine, I would contact Redhat, or issue a bug report if you believe it to be a false positive. – Ramhound Apr 17 '18 at 11:59
  • Status of vulnerability to Spectre Variant I is OK. Status of vulnerability to Spectre Variant II is NOT OK. Status of vulnerability to Meltdown is OK. I updated the servers (Oracle and Red Hat) with "yum update". Oracle is OK for all vulnerabilities and there is no problem. But Red Hat is not. I think the only thing I can do is create a ticket with Red Hat for this issue. Thanks again. Sorry for my English. – Jo Shepherd Apr 17 '18 at 12:04

1 Answer


The script is telling you that originally your CPU was vulnerable to all three exploits; however, for variant 1 your /sys interface is confirming (and double confirmed by the kernel) that you are mitigated against this attack.

For variant 2 I cannot remember exactly what was required to fix it, but it certainly required downloading some microcode from your chip vendor. But I'm almost sure for a VM running on ESXi nothing is required.

(source: redhat employee)

CaldeiraG
Sean Davey
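As an added example (not the Red Hat checker script or any Red Hat code), the POSIX shell functions below read the sysfs files the answer refers to and report, per variant, whether the CPU is affected and whether the running kernel has a mitigation active. The sysfs path and the "Not affected" / "Vulnerable" / "Mitigation:" string conventions are the kernel's own; the function names and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the Red Hat checker script: read the kernel's own view of
# each variant from sysfs (the interface the answer refers to). Each file there
# reads "Not affected", "Vulnerable[: detail]" or "Mitigation: detail". Only
# "Vulnerable" means the running kernel has no mitigation; "Mitigation:" means
# the CPU is affected but protected, which is why a checker can print
# "CPU vulnerable: yes" and "STATUS: not vulnerable" for the same variant.
# Function names and the output format are invented for this example.

# report_variant DIR NAME -> prints "NAME  cpu_affected=...  status=... (detail)"
# Returns 0 if mitigated or not affected, 1 if vulnerable, 2 if not reported.
report_variant() {
    dir="$1"; name="$2"; file="$dir/$name"
    if [ ! -r "$file" ]; then
        printf '%s  cpu_affected=?    status=UNKNOWN (kernel does not report it)\n' "$name"
        return 2
    fi
    line=$(cat "$file")
    case "$line" in
        "Not affected")
            printf '%s  cpu_affected=no   status=OK (%s)\n' "$name" "$line"; return 0 ;;
        Mitigation:*)
            printf '%s  cpu_affected=yes  status=OK (%s)\n' "$name" "$line"; return 0 ;;
        Vulnerable*)
            printf '%s  cpu_affected=yes  status=NOT OK (%s)\n' "$name" "$line"; return 1 ;;
        *)
            printf '%s  cpu_affected=?    status=UNKNOWN (%s)\n' "$name" "$line"; return 2 ;;
    esac
}

# report_all [DIR] -> reports spectre_v1, spectre_v2 and meltdown; exit status 1
# if any of them is vulnerable or unreported, 0 if all are mitigated/not affected.
# Usage on a live system: . ./this_file; report_all
report_all() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for v in spectre_v1 spectre_v2 meltdown; do
        report_variant "$dir" "$v" || rc=1
    done
    return "$rc"
}
```

Run `report_all` with no argument to read the live sysfs directory; a non-zero exit status means at least one variant is still reported as Vulnerable (or not reported at all by an older kernel).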