Spectre meltdown kernel update

Kernel Update required for "Spectre/Meltdown" issue ¶


NAME	Meltdown and Spectre Hardware Issues
Description	Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Related CVE(s)	CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
NVD Severity	medium (attack range: local)
Document Last Updated	January 07,2018

All unpatched versions of linux are vulnerable when running on affected hardware, across all platforms (AWS, GCE, etc)
Patches are included in Linux 4.4.110 for 4.4, 4.9.75 for 4.9, 4.14.12 for 4.14.
kOps can run an image of your choice, so we can only provide detailed advice for the default image.
By default, kOps runs an image that includes the 4.4 kernel. An updated image is available with the patched version (4.4.110). Users running the default image are strongly encouraged to upgrade.
If running another image please see your distro for updated images.

Three CVEs have been made public, representing different ways to exploit the same underlying speculative-execution hardware issue:

The kernel updates that are the subject of this advisory are primarily intended to mitigate CVE-2017-5753 and CVE-2017-5754.

If you do not see "Kernel/User page tables isolation: enabled" in dmesg, you are vulnerable.

dmesg -H | grep 'page tables isolation'
      [  +0.000000] Kernel/User page tables isolation: enabled

Patches were released for the linux kernel 2018-01-05. All images prior to this date likely need updates.
The kubernetes/kops maintained AMI is the maintained component that is vulnerable, although this likely affects all users.

For the kops-maintained AMIs, the following AMIs contain an updated kernel:

These are the images that are maintained by the kubernetes/kops project; please refer to other vendors for the appropriate AMI version.

For all examples please replace $CLUSTER with the appropriate kOps cluster name.

kops get ig --name $CLUSTER

Update the instance group with the appropriate image version via a kops edit command or kops replace -f mycluster.yaml.

Perform a dry-run update, verifying that all instance groups are updated.

kops update cluster --name $CLUSTER

Update the cluster configuration, so that new instances will start with the updated image.

kops update cluster --name $CLUSTER --yes

Perform a dry-run rolling-update, to verify that all instance groups will be rolled.

kops rolling-update cluster --name $CLUSTER

Performing a rolling-update of the cluster ensures that all old instances and replaced with new instances, running the updated image.

kops rolling-update cluster --name $CLUSTER --yes

https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://coreos.com/blog/container-linux-meltdown-patch
https://spectreattack.com/
https://xenbits.xen.org/xsa/advisory-254.html
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
Paper: https://spectreattack.com/spectre.pdf
https://01.org/security/advisories/intel-oss-10002
https://meltdownattack.com/
http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
Paper: https://meltdownattack.com/meltdown.pdf
https://01.org/security/advisories/intel-oss-10003