Are your Windows machines up-to-date? Maybe you are missing a patch?
https://support.microsoft.com/en-us...your-windows-devices-against-spectre-meltdown
The Intel microcode update has been withdrawn because of bugs, so basically nobody can be reliably protected against Spectre today.
In the meantime, Linus explained how its use was crappy, and Google is developing retpoline to mitigate Spectre instead of relying on new x86 instructions.
So about Spectre, the situation is very confusing for now...
Can we actually deploy the intel-microcode package on Proxmox 5 without any issue?
For the moment I haven't installed this one, but we need it for Spectre...
Yeah but I rent my server with OVH, it's not "my" server.
Second... Well, my understanding is that for LXC containers it is even more problematic not to fix the problem, as they share the host's kernel AFAIK. So if the host is vulnerable to Meltdown and Spectre attacks, so will be your LXC containers. Due to the nature of sharing the same kernel with the host, LXC containers are all but isolated.
Dear Proxmox Staff Members,
Do you verify speedbird's reply?
Can privileged LXC containers dump the whole Proxmox server memory?
Regards
We just published new kernels for Proxmox VE 4.x and 5.x, addressing Meltdown and Spectre in the kernel.
Please upgrade your Proxmox VE hosts via "apt update && apt dist-upgrade".
Proxmox VE 5.x: pve-kernel (4.13.13-34)
-- Proxmox Support Team <support@proxmox.com> Sun, 7 Jan 2018 13:19:58 +0100
- cherry-pick / backport of KPTI / Meltdown fixes (from Ubuntu-4.13.0-23.25)
- add Google Spectre PoC fix for KVM
- fix objtool build regression
Proxmox VE 4.x: pve-kernel (4.4.98-102)
-- Proxmox Support Team <support@proxmox.com> Sun, 7 Jan 2018 13:15:19 +0100
- cherry-pick / backport of KPTI / Meltdown fix (based on Ubuntu-4.4.0-107.130)
- add Google Spectre PoC fix for KVM
Best regards,
Martin Maurer
Proxmox VE project leader
...
Can someone suggest when patches for CVE-2017-5753[4] will be in the Proxmox kernel?
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (117 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
Yes, 105 is already patched against CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
and not patched against CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
So can anyone suggest when you plan to implement the patch for CVE-2017-5715?
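The checker output quoted in the post above rates Spectre Variant 1 by counting LFENCE opcodes in the kernel image and comparing the count with a threshold of 70. The script below is an added example, not code from the thread, from spectre-meltdown-checker or from the Proxmox project: it reimplements that counting heuristic on an uncompressed kernel image and, where the kernel exports them, reads the mitigation status files under /sys/devices/system/cpu/vulnerabilities (assumed to exist only on newer or backported kernels; the sample "images" are constructed byte strings, not real kernels).

```python
"""Reimplementation of the LFENCE-counting heuristic for Spectre Variant 1
(CVE-2017-5753) plus a sysfs mitigation-status read.

Added example for illustration; not the checker's own code and not
part of Proxmox VE.
"""
import sys
from pathlib import Path

# x86 machine-code encoding of LFENCE (0F AE E8).  Spectre v1 patches
# place this barrier after bounds checks, so the number of LFENCEs in a
# kernel image is a crude proxy for "patched".
LFENCE = bytes.fromhex("0FAEE8")

# Threshold quoted in the checker output above (">= 70").  Assumed here
# as the cut-off; the checker itself calls it a heuristic.
LFENCE_THRESHOLD = 70

# Exported by kernels that carry the upstream mitigation reporting
# (assumption: absent on older kernels, in which case we report nothing).
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def count_lfence(image: bytes) -> int:
    """Count LFENCE opcodes in a raw, uncompressed kernel image.

    The 3-byte pattern cannot overlap itself, so bytes.count() is exact.
    Note that data bytes that happen to spell 0F AE E8 are counted too;
    that false-positive risk is why the checker calls this a heuristic.
    """
    return image.count(LFENCE)


def spectre_v1_heuristic(image: bytes, threshold: int = LFENCE_THRESHOLD) -> dict:
    """Apply the 'count >= threshold means patched' rule to an image."""
    n = count_lfence(image)
    return {"lfence_count": n, "threshold": threshold, "vulnerable": n < threshold}


def sysfs_status(vuln_dir: Path = SYSFS_VULN_DIR) -> dict:
    """Read the per-vulnerability status files the kernel exports.

    Returns an empty dict when the directory is absent (older kernels).
    """
    status = {}
    if not vuln_dir.is_dir():
        return status
    for entry in sorted(vuln_dir.iterdir()):
        try:
            status[entry.name] = entry.read_text().strip()
        except OSError:
            continue
    return status


def make_sample(n_lfence: int, filler: bytes = b"\x90" * 16) -> bytes:
    """Constructed stand-in for a kernel image: n LFENCEs between NOP sleds.

    The filler never contains 0x0F, so it cannot create spurious matches.
    """
    return (filler + LFENCE) * n_lfence + filler


# Constructed samples: one mirroring the "117 opcodes found" in the post,
# one far below the threshold.
SAMPLE_PATCHED = make_sample(117)
SAMPLE_UNPATCHED = make_sample(5)


if __name__ == "__main__":
    # Usage: python3 this.py /path/to/uncompressed/vmlinux
    # A compressed vmlinuz must be decompressed first; counting LFENCE in
    # the compressed stream would be meaningless.
    if len(sys.argv) > 1:
        image = Path(sys.argv[1]).read_bytes()
    else:
        image = SAMPLE_PATCHED
    result = spectre_v1_heuristic(image)
    verdict = "VULNERABLE" if result["vulnerable"] else "NOT VULNERABLE"
    print(f"STATUS: {verdict} ({result['lfence_count']} opcodes found, "
          f"threshold {result['threshold']})")
    for name, value in sysfs_status().items():
        print(f"sysfs {name}: {value}")
```

Run with no argument to see the constructed sample scored exactly as the checker output in the post; pass a decompressed vmlinux to score a real kernel. Where the sysfs files exist, they are the kernel's own statement and should be preferred over the opcode count.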
If a system is vulnerable to Meltdown, any user space process can dump the whole memory unless the kernel the process is running under has mitigations in place. This includes processes running in containers/namespaces, as they share a kernel with the host. KVM-accelerated VMs are not vulnerable to Meltdown across the VM-hypervisor barrier, so you cannot dump the whole host memory from a process in a VM. Meltdown still affects the guest kernel though, so you can dump the whole guest memory from an unprivileged guest process in a VM.
I have installed the latest OpenVZ kernel on several of our remaining Proxmox 3.x hosts using the .deb packages they provide. If you're using ZFS, you'll also need to add those modules to the new kernel. I have made .debs for ZFS 0.7.5 under Proxmox 3.x that you're welcome to (PM me), if you're willing to trust a complete stranger. If you're not using ZFS, the kernel alone is probably all you need.
Hello Martin,
I am wondering if there is any possibility of a fix for the kernel on version 3.4?
I have around 20-odd 3.4 machines which are rather difficult to move across due to the number of OpenVZ containers!
Rob