As we posted the other day via Reuters, two major CPU vulnerabilities were disclosed recently that affect just about every system with a modern processor in it. These vulnerabilities are called Meltdown and Spectre.
The unfortunate problem here is that it's actually a hardware issue, baked into how the CPUs themselves are designed. Since it's not practical to replace every CPU in the world in every piece of hardware going back to 1995, bandaging the problem in software (for Meltdown, that means kernel page-table isolation, or KPTI) is now the job of the operating system vendors. Ubuntu Linux is no different.
In a recent Ubuntu Insights post, Dustin Kirkland from Ubuntu/Canonical said the following about Ubuntu's plans to patch on January 9th:
Canonical engineers have been working on this since we were made aware under the embargoed disclosure (November 2017) and have worked through the Christmas and New Years holidays, testing and integrating an incredibly complex patch set into a broad set of Ubuntu kernels and CPU architectures.
Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible. Updates will be available for:
- Ubuntu 17.10 (Artful) — Linux 4.13 HWE
- Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
- Ubuntu 14.04 LTS (Trusty) — Linux 3.13
- Ubuntu 12.04 ESM** (Precise) — Linux 3.2
Ubuntu 18.04 LTS (Bionic) will release in April of 2018, and will ship a 4.15 kernel, which includes the KPTI patchset as integrated upstream.
** Note that an Ubuntu Advantage license is required for the 12.04 ESM kernel update, as Ubuntu 12.04 LTS is past its end-of-life
Ubuntu optimized kernels for the Amazon, Google, and Microsoft public clouds are also covered by these updates, as well as the rest of Canonical’s Certified Public Clouds including Oracle, OVH, Rackspace, IBM Cloud, Joyent, and Dimension Data.

Another thing to note about this patch, as mentioned in the Insights post, is that the kernel fixes Canonical will be releasing are not Livepatch-able. Long story short, these updates will require a reboot, so you should expect and plan for some downtime after applying the patches.
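Because the fix only takes effect once the host is actually running the new kernel, a quick way to confirm both halves (the reboot happened, and the running kernel carries page-table isolation) is useful on every host you patch. The script below is an added example constructed for this post, not code from Canonical's announcement or from Ubuntu's own tooling. It assumes Ubuntu's update-notifier marker file /var/run/reboot-required, the /sys/devices/system/cpu/vulnerabilities/meltdown file that later fixed kernels expose, and the pti (upstream) or kaiser (Ubuntu 4.4 backport) flag in /proc/cpuinfo; the root-prefix argument each function takes exists only so the checks can be pointed at a test tree instead of the live system.

```bash
#!/bin/sh
# Constructed example (not from Canonical's post): after installing the
# updated linux-image package, confirm the host actually rebooted into it
# and that the running kernel reports page-table isolation.
#
# Assumptions (labelled): Ubuntu's update-notifier drops
# /var/run/reboot-required after a kernel upgrade; fixed kernels expose
# /sys/devices/system/cpu/vulnerabilities/meltdown ("Mitigation: PTI")
# and/or a "pti" (upstream) or "kaiser" (Ubuntu 4.4 backport) flag in
# /proc/cpuinfo. Every function takes a root prefix so it can be pointed
# at a test tree; on a live host pass nothing.

# Print "pending" if a reboot is still outstanding, "clear" otherwise.
reboot_state() {
    root="${1:-}"
    if [ -e "$root/var/run/reboot-required" ]; then
        echo pending
    else
        echo clear
    fi
}

# Report KPTI status from the most authoritative source available:
#   1. sysfs vulnerabilities file (newer fixed kernels)
#   2. cpuinfo flag (first fixed kernels, before the sysfs file existed)
#   3. "unknown" when neither is present (old kernel, or not rebooted yet)
kpti_state() {
    root="${1:-}"
    vuln="$root/sys/devices/system/cpu/vulnerabilities/meltdown"
    cpuinfo="$root/proc/cpuinfo"
    if [ -r "$vuln" ]; then
        case "$(cat "$vuln")" in
            Mitigation:*)   echo enabled ;;
            "Not affected") echo not-affected ;;
            *)              echo vulnerable ;;
        esac
    elif [ -r "$cpuinfo" ] && grep -Eqw 'pti|kaiser' "$cpuinfo"; then
        echo enabled
    else
        echo unknown
    fi
}

# Exit status 0 only when no reboot is pending AND the running kernel
# has the mitigation (or the CPU is reported as not affected).
patched_and_rebooted() {
    root="${1:-}"
    [ "$(reboot_state "$root")" = clear ] || return 1
    case "$(kpti_state "$root")" in
        enabled|not-affected) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Usage on a live host: sh kpti-check.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "running kernel: $(uname -r)"
    echo "reboot: $(reboot_state)  kpti: $(kpti_state)"
    if patched_and_rebooted; then
        echo "OK: patched kernel is running"
    else
        echo "NOT OK: kernel update or reboot still needed"
    fi
fi
```

Run it with `--report` right after `apt upgrade` and again after the reboot: "pending" plus "unknown" is the expected state in between, and only "clear" plus "enabled" (or "not-affected") means the downtime bought you the fix.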
Some software vendors are reporting performance regressions from their patches. Kirkland said that Ubuntu does not yet have performance analysis for the Ubuntu patches.
Are you and your company preparing for the Meltdown and Spectre vulnerabilities? Let us know about the sorts of things you are looking into, and want to know more about, in the comments!