OSETC TECH

Linux: Patch Meltdown CPU Vulnerability CVE-2017-5754

This post will guide you how to patch meltdown CPU Vulnerability CVE-2017-5754 on CentOS/RHEL/Ubuntu Linux. How do I upgrade the latest Linux kernel to fix Meltdown CPU Vulnerability in your Linux system.

What is CVE-2017-5754?


An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.

Patch meltdown CPU Vulnerability CVE-2017-5754


For CentOS/RHEL Linux:

You need to update the current kernel to the latest version, type:

# yum update –y

For Ubuntu Linux:

Type the following command:

$ sudo apt-get update

Check Meltdown Patch


Type the following command:

# rpm -q --changelog kernel | egrep 'CVE-2017-5754'

Outputs:

[root@devops ~]# rpm -q --changelog kernel | egrep 'CVE-2017-5754'
- [powerpc] kvm: book3s: Provide information about hardware/firmware CVE workarounds (Serhii Popovych) [1532077] {CVE-2017-5754}
- [x86] entry: Invoke TRACE_IRQS_IRETQ in paranoid_userspace_restore_all (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] cpu: fix get_scattered_cpu_leaf for IBPB feature (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] spec_ctrl: show added cpuid flags in /proc/cpuinfo after late microcode update (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] spec_ctrl: svm: spec_ctrl at vmexit needs per-cpu areas functional (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] spec_ctrl: Eliminate redundnat FEATURE Not Present messages (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] kaiser/mm: skip IBRS/CR3 restore when paranoid exception returns to userland (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] spec_ctrl: set IBRS during resume from RAM if ibrs_enabled is 2 (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}
- [x86] spec_ctrl: allow use_ibp_disable only if both SPEC_CTRL and IBPB_SUPPORT are missing (Andrea Arcangeli) [1519801 1519798 1519786] {CVE-2017-5715 CVE-2017-5753 CVE-2017-5754}