Meltdown and Spectre Attacks
Severity
Advisory/Critical
Description
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
Affected Products and Versions
All versions of Cloud Foundry are potentially affected. More information will be added to this page as it is made available.
Mitigation
- Mitigations for these issues are expected to be necessary at several levels, including infrastructure and operating systems. Information for major providers is available on the Meltdown/Spectre website [1].
- The Cloud Foundry Project intends to provide new versions of stemcells as soon as updates are released upstream.
- Update: As of January 24, BOSH stemcells for Ubuntu [11] have been released to mitigate Meltdown and Spectre. Further releases from Ubuntu are possible but none are currently expected. [6]
- Windows stemcells v1200.13 available on bosh.io address Microsoft’s guidance for protection against “speculative execution side-channel vulnerabilities”[9] . For vSphere, see instructions for building the stemcell [10].
See the following table for information related to specific infrastructures. We will update this table as more information is available.
| Cloud Provider | Hypervisor Patch Status |
| Amazon AWS | AWS hypervisors are now mostly protected and require VM instance restarts |
| Google Cloud | Google infrastructure is patched and used live migration for VM instance restarts |
| Microsoft Azure | Azure mostly updated and requires VM instance restarts |
| OpenStack | OpenStack Vendor dependent |
| VMWare vSphere | See VMWare knowledge base article for updates |
References
- [1] https://meltdownattack.com and https://spectreattack.com
- [2] https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html
- [3] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
- [4] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
- [5] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
- [6] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
- [7] https://www.cloudfoundry.org/usn-3522-2/
- [8] https://bosh.io
- [9] https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
- [10] https://github.com/cloudfoundry-incubator/bosh-windows-stemcell-builder/wiki/Creating-a-vSphere-Stemcell-by-Hand
- [11] https://www.cloudfoundry.org/blog/usn-3540-2/
