KernelCare Blog

KernelCare fixes Meltdown and Spectre without reboots!


KernelCare now live-patches Meltdown and Spectre (spectre-v1), which exploit critical vulnerabilities in modern processors. The list of supported distributions is available below. The free trial supports updates too.

By now, you might have thought that the topic of the Meltdown and Spectre vulnerabilities had taken a back seat in the news. Not so: the impact and the solutions to resolve the issues still seem to be the talk of the technical community.

Many talented engineers across OS vendors, cloud computing companies, and many other technology companies have worked around the clock to develop fixes, test them, and apply them. Those fixes are designed to eradicate the issue that could cause a massive security breach, and to eliminate performance slowdowns. The fixes are meant to prevent programs from peeking inside the kernel’s memory, the impact of which, especially in the hosting community, can be severe.

There are instances of proof-of-concept code available publicly that can exploit the Meltdown and Spectre vulnerabilities. It is suspected that hackers are weaponizing them. Not addressing these vulnerabilities, now that they have been made public after 20 years, is not really an option.

Many cloud providers and enterprises are looking to release fixes, but the need for a reboot complicates the process, as it brings down the servers of all of their customers and business units. Not to mention that the amount of internal resources and organizations needed for such an operation is massive. Because of that, many companies have not yet updated their servers. All our customers have been challenged with this issue, and many have contacted us asking for a solution.

More than half a dozen of our kernel developers have been working diligently to come up with the KernelCare solution - patches that would fix the Meltdown and Spectre issues without customers needing to reboot servers. It proved to be a challenging task, but after working continuously on developing a solution, they finally did it!

Our live patching technology, KernelCare, delivers uninterrupted security updates of the kernel -- without any interference or downtime for software running on the server. It fixes only the affected part, without actually rebooting or restarting the server. With these pinpointed updates, we can minimize the change and do it live. Launched over 3 years ago, now with over 100,000 servers running KernelCare, we are the only live patching vendor for the below-mentioned distributions delivering patches for Meltdown and Spectre (spectre-v1) vulnerabilities.

Meltdown and Spectre fixes require reboots. Not with KernelCare. If you don't have KernelCare, you can get the FREE TRIAL, and update all kernels, on an unlimited number of servers, without reboots now. 

. . .

Currently, we have launched Meltdown / Spectre patches for:

  • CentOS 7 and CentOS 7 Plus
  • RHEL 7
  • CloudLinux 7, hybrid
  • Proxmox VE3.10

Coming soon:

  • CentOS 6
  • RHEL 6
  • CloudLinux 6
  • Virtuozzo 6
  • Ubuntu
  • Debian
  • others

This blog post outlines timely updates

 


Comments (19)

 
by Guest - Eric Caldwell / Tuesday, 06 February 2018 18:52

What blog page do we need to tune into for the CL6 KC patches?

by Alexandre Parubochyi / Tuesday, 06 February 2018 19:30

Please follow https://cloudlinux.com/cloudlinux-os-blog/entry/intel-cpu-bug-kernelcare-and-cloudlinux

by Guest - Stéphan Schamp / Wednesday, 07 February 2018 09:54

Keep getting:


# kcarectl -u
Updates already downloaded
Unable to apply patch (/var/cache/kcare/4796c6a424d5f4abf9482d4e335a60d79a6de997/2/kpatch.bin 2 255 CloudLinux 3.10.0-714.10.2.lve1.4.77.el7.x86_64, default, , , False)



[ 37.366513] kpatch: can't apply kPTI patch to Xen PV domain
[ 37.366545] kpatch: initcall at ffffffffa042b610 failed...


# uname -r
3.10.0-714.10.2.lve1.4.77.el7.x86_64



Also keep getting mails of this:


Cron /usr/bin/kcarectl --auto-update --gradual-rollout=auto

Unable to apply patch (/var/cache/kcare/4796c6a424d5f4abf9482d4e335a60d79a6de997/2/kpatch.bin 2 255 CloudLinux 3.10.0-714.10.2.lve1.4.77.el7.x86_64, default, , , False)



If kPTI patches can't be applied on Xen PV, that's fine for us, but please don't remind us every 4 hours ;-)

by Guest - Alexandre / Wednesday, 07 February 2018 16:57

It is OK to disable KC auto-updates (in /etc/sysconfig/kcare/kcare.conf) for Xen PV systems until we find a workaround for this issue.

by Guest - Bojan / Wednesday, 07 February 2018 10:23

This is huge! Congratulations. Keep up the good work!

by Guest - somebody / Thursday, 08 February 2018 22:38

"Applying microcode typically requires reboot (but we will try to allow doing it via KC)"

Are you working on this, or must we reboot the server for the microcode update?

by Alexandre Parubochyi / Friday, 09 February 2018 08:01

Microcode updates can often be applied without reboots - it really depends on hardware manufacturers.
There is a microcode_ctl command in RHEL/CentOS/CL 7 that allows updating microcode on a running system. Otherwise, if a BIOS update is required from the vendor, then a reboot might be needed.

by Guest - Guest / Tuesday, 13 February 2018 17:58

There appears to be a lot of confusion on the kernelcare position regarding Xen PV kernels. You state in this mess that "* Xen PV is not (and will not) supported", yet on Facebook you replied to a comment with, "Most likely this week we will release the fix for Xen PV in Beta. And yes, it will be supported.".

https://www.facebook.com/CloudLinux/posts/1546425625410582?comment_id=1548975551822256

Can you please clarify if Xen PV kernels are on the roadmap, and if so, when we may expect to see those kernels?

Thank you -

by Guest - Alexandre / Tuesday, 13 February 2018 18:10

Sorry for the confusion - Xen PV fix will be available by the end of this week.

by Guest - guest / Tuesday, 13 February 2018 18:20

That's great to hear - thank you very much.

I'll keep an eye on these blog posts for updates.

by Guest - Denis / Tuesday, 27 February 2018 10:26

Have you released KernelCare Spectre v1/v2 patches for CL6 yet ??? There is so much conflicting information all over the place, it's impossible to tell what's actually been patched.

by Guest - Atiq Ch / Friday, 09 March 2018 09:05

Is the XenServer PV fix released?

by Guest - Alexandre / Friday, 09 March 2018 17:48

Should work now on all distros except Proxmox VE 3

by Guest - Norman / Thursday, 05 April 2018 12:35

KernelCare installed on a fully updated CentOS 6.9 machine. But still no patch applied for Meltdown.

Attached herewith is an image for reference: http://imtp.me/e3bj02tgz.p

It means the patch is still not released for Xen PV machines.

by Guest - Alexandre / Friday, 06 April 2018 15:34

Norman, please submit a ticket at https://cloudlinux.zendesk.com (KernelCare department) so our support team can check this.

by Guest - Key / Saturday, 19 May 2018 02:06

Seems there are openvz updates related to this available: https://openvz.org/Download/kernel/rhel6/042stab129.1

Are you able to patch these security issues with KernelCare, or must I update the kernel and reboot?

by Irina Semenova / Thursday, 24 May 2018 12:12

Meltdown and Spectre fixes were patched for OpenVZ

by Guest - Matthias / Sunday, 17 June 2018 02:09

What about Spectre-NG?

