Disclaimer: this document may contain information about third-party products that are for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
Overview
This topic describes the CPU vulnerabilities in the Alibaba Cloud Linux 2 system, vulnerability profiles, and how to disable vulnerability fixes.
Detailed information
Alibaba Cloud reminds you that:
- If you have any risky operations on an instance or data, pay attention to the disaster tolerance and fault tolerance capabilities of the instance to ensure data security.
- If you modify the configuration and data of an instance (including but not limited to ECS and RDS), we recommend that you create snapshots or enable RDS log backup.
- If you have granted permissions on the Alibaba Cloud platform or submitted security information such as the logon account and password, we recommend that you modify the information as soon as possible.
Background information
In January 2018, Google Project Zero security vulnerabilities in modern processors released Spectre and Meltdown. These vulnerabilities can be used by an attacker to steal data of a high privilege, posing a serious threat to the system security. At the same time, these two sets of vulnerabilities almost involve most of today's mainstream processors (including Intel, AMD, ARM and other architectures), which have aroused extensive discussion since they were made public. Inevitably, Alibaba Cloud-related products will also be affected by this vulnerability. Then, all mainstream operating systems including Linux carried out corresponding software fixes to the vulnerabilities. In addition, since January 2018, when pectre and Meltdown were first discovered, new variants and new types of vulnerabilities have been developed. The existence of these vulnerabilities will become the norm.
Vulnerability details
Note:
- These vulnerabilities take advantage of the Speculative Execution and Out-of-order Execution features of the processor hardware, which are indispensable for improving the performance of modern processors. As a result, some of the fixes may lead to a greater performance rollback.
- Software fixes usually alleviate the problem, but cannot cure the vulnerability.
| CVE | Alibaba Cloud Linux 2 configuration file related to this vulnerability in the operating system. | Default handling method for Alibaba Cloud Linux 2 | Disable vulnerability repair |
| Spectre Variant 1(Bounds Check Bypass) | /sys/devices/system/cpu/vulnerabilities/spectre_v1 |
Enable vulnerability repair | Forced open and unable to close |
| Spectre Variant 1(swapgs) | /sys/devices/system/cpu/vulnerabilities/spectre_v1 |
Enable vulnerability repair |
|
| Spectre Variant 2 | /sys/devices/system/cpu/vulnerabilities/spectre_v2 |
Enable vulnerability repair (spectre_v2=auto) |
|
| Spectre Variant 4(Speculative Store Bypass) | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass |
If the processor supports speculative Store Bypass Disable, repair is enabled; Otherwise, no repair is enabled.(spec_store_bypass_disable=auto) |
|
| Meltdown | /sys/devices/system/cpu/vulnerabilities/meltdown |
Enable vulnerability repair (pti=auto) |
|
| L1TF | /sys/devices/system/cpu/vulnerabilities/l1tf |
Only the Guest Kernel PTE Inversion repair |
|
| MDS | /sys/devices/system/cpu/vulnerabilities/mds
Note: Only
|
Only the Guest Kernel CPU buffer clear repair |
|
Note:
- The configuration file Alibaba Cloud Linux 2 system vulnerabilities indicates whether the current instance has CPU vulnerabilities and the resolution measures taken. For example:
Not affected: The current CPU does not exist.Vulnerable: the CPU has this vulnerability and has not taken any mitigation measures.Mitigation: the CPU is suffering from this vulnerability and has taken mitigation measures accordingly.- For more information, click the vulnerability name.
Applicable to
- Elastic Compute Service