Solution and Patch for Meltdown Spectre CPU Vulnerability

A very serious security problem has been found and patched in the Linux kernel; it was announced on 3 January 2018. Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. While programs are normally not permitted to read data belonging to other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Read on to learn how to apply the solution and patch for the Meltdown and Spectre CPU vulnerabilities.

You need to apply the fixes that mitigate all three variants, CVE-2017-5753 (variant 1), CVE-2017-5715 (variant 2) and CVE-2017-5754 (variant 3), on your machine.

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

A list of Linux distributions affected by the Spectre vulnerabilities:

Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
RHEV-M 4.0
RHEV-M for Servers
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Red Hat Enterprise MRG 2
Red Hat OpenStack Platform v 8/9/10/11/12
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux buster, sid
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE OpenStack Cloud 6
Openstack Cloud Magnum Orchestration 7
SUSE Container as a Service Platform ALL
SUSE Linux Enterprise High Availability 12 SP2/SP3
SUSE Linux Enterprise Live Patching 12
SUSE Linux Enterprise Module for Public Cloud 12
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
SUSE Linux Enterprise for SAP 12 SP1
SUSE Linux Enterprise 11
SUSE Linux Enterprise 12
OpenSuse Linux based upon SUSE 12/11
Fedora Linux 26
Fedora Linux 27
Amazon Linux AMI (Bulletin ID: ALAS-2018-939)


How to fix Meltdown Spectre CPU Vulnerability on CentOS/RHEL/Fedora/Oracle

Run the yum update command. Note: this will upgrade your OS release as well as the kernel.

# sudo uname -r
3.10.0-327.10.1.el7.x86_64

# sudo yum update -y
# sudo reboot

Once rebooted, verify your kernel version

# sudo uname -r
3.10.0-693.21.1.el7.x86_64

Use the command below to verify that the patches are present in the kernel changelog.

# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'


The solution for the Meltdown and Spectre Vulnerability on a Debian/Ubuntu Linux

# sudo apt-get update
# sudo apt-get dist-upgrade
# sudo reboot


The solution for the Meltdown and Spectre Vulnerability on Amazon Linux running on AWS

Run the yum command:
# yum update kernel
# reboot


The solution for the Meltdown and Spectre Vulnerability on Arch Linux

Run the pacman command:
# pacman -Syu
# reboot


The solution for the Meltdown and Spectre Vulnerability on SUSE Linux Enterprise Server 12-SP3

Execute the zypper command:
# zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-12=1
### [ To bring your system up-to-date ] ###
# zypper patch
# reboot


How to patch the Meltdown and Spectre vulnerabilities while keeping your existing OS version.


Upgrade the kernel on CentOS 7.2. First, check the kernel package's dependencies and update them.

Example

# rpm -ivh kernel-3.10.0-693.21.1.el7.x86_64.rpm
error: Failed dependencies:
	dracut >= 033-502 is needed by kernel-3.10.0-693.21.1.el7.x86_64
	linux-firmware >= 20170606-55 is needed by kernel-3.10.0-693.21.1.el7.x86_64
	xfsprogs < 4.3.0 conflicts with kernel-3.10.0-693.21.1.el7.x86_64
	kmod < 20-9 conflicts with kernel-3.10.0-693.21.1.el7.x86_64
	kexec-tools < 2.0.14-3 conflicts with kernel-3.10.0-693.21.1.el7.x86_64

Solution

# yum update dracut linux-firmware xfsprogs kmod kexec-tools kernel-3.10.0-693.21.1.el7.x86_64 -y
# reboot


# uname -r
3.10.0-693.21.1.el7.x86_64


# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

Upgrade the kernel on CentOS 7.3. First, check the kernel package's dependencies and update them.

# rpm -ivh kernel-3.10.0-693.21.1.el7.x86_64.rpm
error: Failed dependencies:
	dracut >= 033-502 is needed by kernel-3.10.0-693.21.1.el7.x86_64
	linux-firmware >= 20170606-55 is needed by kernel-3.10.0-693.21.1.el7.x86_64
	kexec-tools < 2.0.14-3 conflicts with kernel-3.10.0-693.21.1.el7.x86_64

# yum update dracut linux-firmware kexec-tools kernel-3.10.0-693.21.1.el7.x86_64 -y
# reboot

 

# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)


# uname -r
3.10.0-693.21.1.el7.x86_64


You can verify that the Meltdown and Spectre patches are present in the kernel changelog.

# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
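The changelog grep above (and the same check earlier in the CentOS/RHEL section) only tells you that the installed package mentions the CVEs; it does not tell you whether the kernel you are actually running is new enough, or whether the mitigations are active. The following script is an added example, not code from the original post: it compares the running kernel's `uname -r` string against the post-update el7 version shown on this page using rpm-style version ordering, and reads the `/sys/devices/system/cpu/vulnerabilities/` files on kernels that provide that interface. Treating 3.10.0-693.21.1.el7 as the baseline is an assumption taken from this page's output; for other releases use the version named in your distribution's advisory.

```python
import os
import re
from itertools import zip_longest

# Baseline: the post-update el7 kernel reported on this page (assumption: this is
# the version to compare against; use your distro advisory's version elsewhere).
MIN_PATCHED_EL7 = "3.10.0-693.21.1.el7"

# The three variants from the page, keyed by the sysfs file name the kernel uses
VARIANTS = {
    "spectre_v1": "CVE-2017-5753 bounds check bypass",
    "spectre_v2": "CVE-2017-5715 branch target injection",
    "meltdown": "CVE-2017-5754 rogue data cache load",
}


def parse_kernel_release(uname_r):
    """Split 'uname -r' output into (version, release), dropping the arch suffix."""
    s = re.sub(r"\.(x86_64|i686|aarch64|ppc64le|s390x)$", "", uname_r.strip())
    version, _, release = s.partition("-")
    return version, release


def _segments(s):
    # rpm compares alternating runs of digits and letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_segment_cmp(a, b):
    """Simplified rpmvercmp: digit runs compare as integers, letter runs lexically,
    and a digit run sorts newer than a letter run. Returns -1, 0 or 1."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def kernel_cmp(a, b):
    """Compare two 'uname -r' strings: version first, then release."""
    va, ra = parse_kernel_release(a)
    vb, rb = parse_kernel_release(b)
    return rpm_segment_cmp(va, vb) or rpm_segment_cmp(ra, rb)


def is_patched(running, minimum=MIN_PATCHED_EL7):
    return kernel_cmp(running, minimum) >= 0


def parse_sysfs_vulnerabilities(entries):
    """entries maps file name -> file contents from /sys/devices/system/cpu/vulnerabilities/
    (only present on kernels that ship that interface). Returns a status per file."""
    status = {}
    for name, text in entries.items():
        t = text.strip().lower()
        if t.startswith("not affected"):
            status[name] = "not affected"
        elif t.startswith("mitigation"):
            status[name] = "mitigated"
        elif t.startswith("vulnerable"):
            status[name] = "vulnerable"
        else:
            status[name] = "unknown"
    return status


def read_sysfs_vulnerabilities(path="/sys/devices/system/cpu/vulnerabilities"):
    entries = {}
    if os.path.isdir(path):
        for name in os.listdir(path):
            with open(os.path.join(path, name)) as fh:
                entries[name] = fh.read()
    return parse_sysfs_vulnerabilities(entries)


# Constructed sample of sysfs contents, in the format the kernel prints
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: Load fences\n",
    "spectre_v2": "Vulnerable: Retpoline without IBPB\n",
}

if __name__ == "__main__":
    running = os.uname().release
    verdict = "is at or above" if is_patched(running) else "is older than"
    print(running, verdict, MIN_PATCHED_EL7)
    for name, state in sorted(read_sysfs_vulnerabilities().items()):
        print(f"{name:12} {state:14} {VARIANTS.get(name, '')}")
```

A kernel that passes the version check but whose sysfs entry still reads "Vulnerable" usually means the new kernel is installed but the host has not been rebooted into it, or the mitigation was disabled on the kernel command line; the reboot step in each procedure above is what switches the running kernel.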


How to Expose Docker API on CentOS

Docker provides an API for interacting with the Docker daemon (called the Docker Engine API), as well as SDKs for Go and Python. The SDKs allow you to build and scale Docker apps and solutions quickly and easily. If Go or Python don’t work for you, you can use the Docker Engine API directly.

The Docker Engine API is a RESTful API accessed by an HTTP client such as wget or curl, or the HTTP library which is part of most modern programming languages.

  • The version of the Docker Engine API you should use depends upon the version of your Docker daemon and Docker client.
  • The Docker API is backward-compatible, so you do not need to update code that uses the API unless you need to take advantage of new features.


How to Expose Docker API on Centos 7

– Check which unit file the Docker daemon service has loaded (the Loaded: line names it).

# sudo systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-01-30 12:55:41 PST; 1 day 3h ago
     Docs: https://docs.docker.com

– Open that file using your favorite editor

# sudo vi /usr/lib/systemd/system/docker.service

– Add -H tcp://0.0.0.0:4243 to the line that starts with ExecStart. You can also use a different port, or bind to a specific IP address instead of 0.0.0.0.

ExecStart=/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:4243

– Save the modified file.

– Make sure the Docker service notices the modified configuration

# sudo systemctl daemon-reload

– Restart the Docker service

# sudo service docker restart

Test that the Docker API is accessible from outside. The port must match the one you put in ExecStart (4243 above).

# sudo curl <server-ip>:4243/images/json

Enabling the Docker API on a public network, on a well-known port, without TLS client authentication is a security problem: the daemon runs as root, and anyone who can reach the port has full control of it and therefore of the host. Review the security concerns before doing this, and prefer binding to a management address, restricting the port with a firewall, or requiring client certificates.
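To make that concern checkable, the following script is an added example (not code from the original post or from the Docker project): it parses the ExecStart line of a docker.service unit, collects every -H / --host listener, and flags TCP listeners that lack --tlsverify or are bound to every interface. The three unit snippets are constructed; the first one is the ExecStart line this page adds, and the TLS variant assumes certificate paths under /etc/docker/ purely for illustration.

```python
import shlex

# Constructed unit snippets: the ExecStart line this page adds, a socket-only one,
# and a TCP listener protected by client-certificate verification (paths assumed).
UNIT_EXPOSED = "[Service]\nExecStart=/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:4243\n"
UNIT_LOCAL = "[Service]\nExecStart=/usr/bin/dockerd -H fd://\n"
UNIT_TLS = ("[Service]\nExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 "
            "--tlsverify --tlscacert=/etc/docker/ca.pem "
            "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem\n")


def exec_start_args(unit_text):
    """Return the ExecStart command line of a systemd unit as an argv list."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            return shlex.split(line[len("ExecStart="):])
    return []


def listen_hosts(args):
    """Collect every -H / --host value ('-H x', '-Hx', '--host x', '--host=x')."""
    hosts, i = [], 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:
            hosts.append(a[2:])
        i += 1
    return hosts


def audit_docker_unit(unit_text):
    """Findings for TCP listeners: missing --tlsverify, or bound to every interface."""
    args = exec_start_args(unit_text)
    tls = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    findings = []
    for h in listen_hosts(args):
        if not h.startswith("tcp://"):
            continue  # fd:// and unix:// sockets are reachable only on the host
        host, _, port = h[len("tcp://"):].rpartition(":")
        if not tls:
            findings.append(f"{h}: TCP listener without --tlsverify; any client that "
                            f"reaches port {port} gets full control of the daemon")
        if host in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{h}: bound to all interfaces; bind to a management "
                            f"address or restrict port {port} with a firewall")
    return findings


def audit_unit_file(path="/usr/lib/systemd/system/docker.service"):
    """Audit the unit file this page edits (path from the page)."""
    with open(path) as fh:
        return audit_docker_unit(fh.read())


if __name__ == "__main__":
    for label, unit in (("exposed", UNIT_EXPOSED), ("local", UNIT_LOCAL), ("tls", UNIT_TLS)):
        print(label, audit_docker_unit(unit) or ["no findings"])
```

Run it against a host with `python3 audit.py` after `sudo systemctl daemon-reload`; a clean result for the unit file does not cover drop-in overrides under /etc/systemd/system/docker.service.d/, so check those too if you use them.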


How to manage ESXi Firewall Configuration

ESXi hosts have a built-in firewall between the management interface and the rest of the network. The firewall is configured to drop all incoming and outgoing traffic except for a specific set of services on the ESXi host. To secure an ESXi host after a fresh installation by allowing only certain IP addresses or IP ranges, you can use the vSphere client, vCenter or the ESXi CLI to configure the firewall settings.

Manage ESXi firewall Using vSphere client

It is an easy way to configure the firewall settings using a vSphere client or ESXi vCenter GUI.

  • Log in to your vSphere client
  • Click the ESXi host
  • Go to Configuration
  • Click Security Profile under Software – you can see the services list and the firewall
  • Click Properties in the Firewall section
  • Select your service and click Firewall
  • Update the IP address or IP range that is allowed to send traffic to that particular service.


Manage ESXi firewall Using ESXi CLI

Log in to your ESXi host.

Use the following commands to manage your firewall settings.


esxcli network firewall get – Returns the enabled or disabled status of the firewall and lists default actions.
esxcli network firewall set --default-action – Update the default action.
esxcli network firewall set --enabled – Enable or disable the ESXi firewall.
esxcli network firewall load – Load the firewall module and rule set configuration files.
esxcli network firewall refresh – Refresh the firewall configuration by re-reading the rule set files if the firewall module is loaded.
esxcli network firewall unload – Destroy filters and unload the firewall module.
esxcli network firewall ruleset list – List rule set information.
esxcli network firewall ruleset set --allowed-all – Set the allowed-all flag.
esxcli network firewall ruleset set --enabled – Enable or disable the specified rule set.
esxcli network firewall ruleset allowedip list – List the allowed IP addresses of the specified rule set.
esxcli network firewall ruleset allowedip add – Allow access to the rule set from the specified IP address or range of IP addresses.
esxcli network firewall ruleset allowedip remove – Remove access to the rule set from the specified IP address or range of IP addresses.

ESXi CLI Command Examples

Display the firewall status

# esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true

Specify the IP addresses or IP ranges that may access a particular service. The following example disables the allow-all option and then allows a particular range for the sshServer service.

# esxcli network firewall ruleset set --allowed-all false --ruleset-id=sshServer

# esxcli network firewall ruleset allowedip add --ip-address=192.168.0.0/24 --ruleset-id=sshServer

or

# esxcli network firewall ruleset allowedip add -i=192.168.0.0/24 -r=sshServer

To remove a specified IP address:

# esxcli network firewall ruleset allowedip remove --ip-address=192.168.0.0/24 -r=sshServer

List the rules associated with a particular service's ruleset:

# esxcli network firewall ruleset rule list | grep sshServer

sshServer                 Inbound    TCP       Dst                22        22

or

# esxcli network firewall ruleset rule list -r "sshServer"

sshServer                 Inbound    TCP       Dst                22        22

To check the allowed IP addresses for all services, use the command below.

# esxcli network firewall ruleset allowedip list
Ruleset                   Allowed IP Addresses
------------------------  ------------------------------------------------
sshServer                 192.168.0.0/24, 10.1.0.14, 172.0.0.2
sshClient                 All
nfsClient                 All

List all the rulesets for which the allowedip list has been enabled

# esxcli network firewall ruleset allowedip list | grep -v "All"

List the default firewall rules

# esxcli network firewall ruleset list
Name                      Enabled
------------------------  -------
sshServer                    true
sshClient                    true
nfsClient                   false
nfs41Client                 false
dhcp                         true
dns                          true
snmp                         true
ntpClient                   false
CIMHttpServer                true
CIMHttpsServer               true
CIMSLP                       true
iSCSI                        true
vpxHeartbeats                true
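The `grep -v "All"` trick above shows which rulesets have been restricted, but the question a reviewer actually wants answered is the opposite one: which enabled, inbound services still accept connections from any address? The script below is an added example, not code from the original post or from VMware: it joins the three esxcli listings shown on this page (ruleset list, allowedip list, and rule list) and reports enabled inbound rulesets whose allowed-IP list is still "All", then prints the two remediation commands from this page for each. The listings are constructed samples in the layout of the page's output; the column layout assumed for `esxcli network firewall ruleset rule list` (Ruleset, Direction, Protocol, Port Type, Port Begin, Port End) and the service ports are illustrative.

```python
import re

# Constructed samples in the layout of the esxcli listings shown on this page
RULESET_LIST = """\
Name                      Enabled
------------------------  -------
sshServer                    true
sshClient                    true
nfsClient                   false
snmp                         true
CIMHttpsServer               true
vpxHeartbeats                true
"""

ALLOWEDIP_LIST = """\
Ruleset                   Allowed IP Addresses
------------------------  ------------------------------------------------
sshServer                 192.168.0.0/24, 10.1.0.14, 172.0.0.2
sshClient                 All
nfsClient                 All
snmp                      10.1.0.14
CIMHttpsServer            All
vpxHeartbeats             All
"""

# Direction comes from 'esxcli network firewall ruleset rule list' (assumed layout)
RULE_LIST = """\
Ruleset         Direction  Protocol  Port Type  Port Begin  Port End
--------------  ---------  --------  ---------  ----------  --------
sshServer       Inbound    TCP       Dst        22          22
sshClient       Outbound   TCP       Dst        22          22
nfsClient       Outbound   TCP       Dst        0           65535
snmp            Inbound    UDP       Dst        161         161
CIMHttpsServer  Inbound    TCP       Dst        5989        5989
vpxHeartbeats   Outbound   UDP       Dst        902         902
"""


def parse_table(text):
    """Rows of an esxcli listing: skip the header and dashed separator, split on 2+ spaces."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [re.split(r"\s{2,}", l.strip()) for l in lines[2:]]


def enabled_rulesets(text):
    return {row[0] for row in parse_table(text) if row[1].lower() == "true"}


def allowed_ips(text):
    """Map ruleset -> list of allowed addresses, or None when the list is 'All'."""
    result = {}
    for row in parse_table(text):
        ips = row[1] if len(row) > 1 else "All"
        result[row[0]] = None if ips == "All" else [ip.strip() for ip in ips.split(",")]
    return result


def inbound_rulesets(text):
    return {row[0] for row in parse_table(text) if row[1] == "Inbound"}


def open_to_all(ruleset_list, allowedip_list, rule_list):
    """Enabled rulesets with an inbound rule that still accept connections from any IP."""
    ips = allowed_ips(allowedip_list)
    candidates = enabled_rulesets(ruleset_list) & inbound_rulesets(rule_list)
    return sorted(name for name in candidates if name in ips and ips[name] is None)


def remediation(ruleset, cidr):
    """The two esxcli commands from this page that restrict a ruleset to one range."""
    return [
        f"esxcli network firewall ruleset set --allowed-all false --ruleset-id={ruleset}",
        f"esxcli network firewall ruleset allowedip add --ip-address={cidr} --ruleset-id={ruleset}",
    ]


if __name__ == "__main__":
    for name in open_to_all(RULESET_LIST, ALLOWEDIP_LIST, RULE_LIST):
        print(name, "accepts inbound traffic from any address; suggested:")
        for cmd in remediation(name, "<management-cidr>"):
            print("  ", cmd)
```

On a real host, capture the three listings with the esxcli commands named above and feed them to the functions in place of the samples; outbound-only rulesets (such as sshClient or vpxHeartbeats) are deliberately left out, since restricting their allowed-IP list does not limit who can connect to the host.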