fuckwit/kaiser/kpti

Quoting https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible. Updates will be available for:
Ubuntu 17.10 (Artful) — Linux 4.13 HWE
Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
Ubuntu 14.04 LTS (Trusty) — Linux 3.13

Ubuntu has also written a KB here; https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Seems like we will get the kernels to upstream Ubuntu on January 9th.
 
There are no final public patches for Meltdown for either kernel 4.4 or 4.13 yet. Once there are, we will review and include them ASAP.

Meltdown, which looks to be far more easily exploitable than Spectre, should not be usable from within KVM-enabled VMs to read host kernel memory, but containers are affected. Compare the Xen advisory stating that only PV guests are affected by Meltdown (which they call "SP3").

Concrete details regarding Spectre are still a bit rare, but AFAICT there are no public general PoCs yet allowing escaping from KVM, and Google Project Zero only talks about "When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel running on the host, can read host kernel memory". There will likely be a Qemu update that mitigates some of the Spectre attack vectors in combination with microcode updates, but again, there are no public details regarding this yet.

This would suggest that we should update our Hypervisors asap, but any KVM guests (not containers) can be updated as and when, or am I reading this wrong?
c:)
 

I'd say it depends on what you're running on those KVM guests. Unpatched meltdown might mean that they can read VM guest RAM on the machine they're on, so if you're running several users or applications that might have vulnerabilities they might be exploited to run meltdown code and read the rest of RAM. So for example a KVM guest with shared hosting or containers/dockers could be an issue.
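To put the advice above into practice, an admin wants a quick way to tell, on each host, KVM guest or container, whether the Meltdown mitigation (KPTI, the "kpti" in the thread title) is actually active after the kernel update. The script below is an added example, not code from this thread or from Proxmox. It assumes two real kernel interfaces: the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown (present on 4.15+ and on distro kernels that backported it) and the "pti" CPU flag in /proc/cpuinfo that patched kernels report when page-table isolation is on. The classification function takes its inputs as arguments so it can be checked against constructed values; the bottom of the script feeds it the live values. Note that inside a container the result describes the shared host kernel, which is exactly why the thread says containers are affected.

```shell
#!/bin/sh
# Classify the Meltdown/KPTI mitigation state of a Linux kernel.
#   $1 - contents of /sys/devices/system/cpu/vulnerabilities/meltdown
#        (pass an empty string when the file does not exist)
#   $2 - the "flags" line from /proc/cpuinfo (may be empty)
# Prints one word: mitigated, vulnerable or unknown.
kpti_status() {
    sysfs="$1"
    flags="$2"
    # Preferred source: the kernel's own report (kernel 4.15+ and backports).
    case "$sysfs" in
        "Mitigation: PTI"*|"Not affected"*) echo mitigated; return 0 ;;
        Vulnerable*)                        echo vulnerable; return 0 ;;
    esac
    # Fallback for patched kernels that predate the sysfs file: they still
    # advertise the "pti" flag in /proc/cpuinfo when isolation is active.
    case " $flags " in
        *" pti "*) echo mitigated; return 0 ;;
    esac
    # Neither signal present: either an unpatched kernel or one that does
    # not expose its state. Treat as "update and re-check", not as safe.
    echo unknown
    return 0
}

# Read the live values from the kernel we are running on.
# In a container this is the host's kernel, so the answer applies to the host.
sysfs_file=/sys/devices/system/cpu/vulnerabilities/meltdown
sysfs_value=""
if [ -r "$sysfs_file" ]; then
    sysfs_value=$(cat "$sysfs_file")
fi
cpu_flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)

# Constructed sample inputs, to show the three outcomes without a live box:
#   kpti_status 'Mitigation: PTI' ''          -> mitigated
#   kpti_status 'Vulnerable' 'fpu vme'        -> vulnerable
#   kpti_status '' 'fpu vme'                  -> unknown
echo "Meltdown/KPTI status on $(uname -n): $(kpti_status "$sysfs_value" "$cpu_flags")"
```

Run it on the Proxmox host and in each guest after rebooting into the new kernel; a KVM guest needs its own patched kernel to report "mitigated", while a container will simply mirror whatever the host reports.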
 
