How to fix CPU vulnerabilities in the Alibaba Cloud Linux 2 system

Last Updated: Aug 28, 2020

Disclaimer: this document may contain information about third-party products that are for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Overview

This topic describes the CPU vulnerabilities that affect the Alibaba Cloud Linux 2 system, how the system handles each of them by default, and how to disable a mitigation when you need to.

Detailed information

Alibaba Cloud reminds you that:

  • Before you perform any risky operation on an instance or its data, make sure that the instance has adequate disaster recovery and fault tolerance so that your data stays safe.
  • Before you modify the configuration or data of an instance (including but not limited to ECS and RDS instances), we recommend that you create a snapshot or enable RDS log backup.
  • If you have granted permissions on the Alibaba Cloud platform or submitted sensitive information such as logon accounts and passwords, we recommend that you change this information as soon as possible.

Background information

In January 2018, Google Project Zero disclosed Spectre and Meltdown, two sets of security vulnerabilities in modern processors. An attacker can use these vulnerabilities to read data that belongs to a higher privilege level, which poses a serious threat to system security. The two sets of vulnerabilities affect most of today's mainstream processors (including Intel, AMD and ARM architectures) and have been discussed extensively since they were made public. Alibaba Cloud products are inevitably affected as well. All mainstream operating systems, including Linux, have released software mitigations for these vulnerabilities. Since Spectre and Meltdown were first disclosed in January 2018, new variants and new types of vulnerabilities of this class have continued to be discovered, and their existence is expected to become the norm.

Vulnerability details

Note:

  • These vulnerabilities exploit the speculative execution and out-of-order execution features of the processor hardware. These features are indispensable for the performance of modern processors, so some of the mitigations can cause a significant performance regression.
  • Software mitigations usually reduce the risk but cannot remove the underlying hardware flaw.
The list below gives, for each vulnerability, the status file in the Alibaba Cloud Linux 2 operating system, the default handling in Alibaba Cloud Linux 2, and the kernel boot parameters that disable the mitigation. A boot parameter takes effect only after it has been added to the kernel command line and the instance has been rebooted; mitigations=off turns off all of the listed mitigations at once.

Spectre Variant 1 (Bounds Check Bypass)
  • Status file: /sys/devices/system/cpu/vulnerabilities/spectre_v1
  • Default handling: mitigation enabled
  • Disable the mitigation: not possible. The mitigation is always on and cannot be turned off.

Spectre Variant 1 (swapgs)
  • Status file: /sys/devices/system/cpu/vulnerabilities/spectre_v1
  • Default handling: mitigation enabled (kernel 4.19.57-15.al7 and later only)
  • Disable the mitigation: nospectre_v1 (this parameter takes no value) or mitigations=off

Spectre Variant 2
  • Status file: /sys/devices/system/cpu/vulnerabilities/spectre_v2
  • Default handling: mitigation enabled (spectre_v2=auto)
  • Disable the mitigation: nospectre_v2, spectre_v2=off, or mitigations=off (4.19.43-13.al7 and later only)

Spectre Variant 4 (Speculative Store Bypass)
  • Status file: /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
  • Default handling: if the processor supports Speculative Store Bypass Disable (SSBD), the mitigation is enabled; otherwise no mitigation is enabled (spec_store_bypass_disable=auto)
  • Disable the mitigation: spec_store_bypass_disable=off, nospec_store_bypass_disable, or mitigations=off (4.19.43-13.al7 and later only)

Meltdown
  • Status file: /sys/devices/system/cpu/vulnerabilities/meltdown
  • Default handling: mitigation enabled (pti=auto, kernel page-table isolation)
  • Disable the mitigation: pti=off, nopti, or mitigations=off (4.19.43-13.al7 and later only)

L1TF
  • Status file: /sys/devices/system/cpu/vulnerabilities/l1tf
  • Default handling: only the guest-kernel PTE Inversion mitigation is enabled
  • Disable the mitigation: l1tf=off or mitigations=off (4.19.43-13.al7 and later only)

MDS
  • Status file: /sys/devices/system/cpu/vulnerabilities/mds (4.19.43-13.al7 and later only)
  • Default handling: only the guest-kernel CPU buffer clearing mitigation is enabled (4.19.43-13.al7 and later only)
  • Disable the mitigation: mds=off or mitigations=off

Note:

  • The status file for each vulnerability shows whether the CPU of the current instance is affected and which mitigation is active. Possible values:
    • Not affected: the CPU is not affected by this vulnerability.
    • Vulnerable: the CPU is affected by this vulnerability and no mitigation is active.
    • Mitigation: the CPU is affected by this vulnerability and the mitigation named after the colon is active.
  • For more information, click the name of the vulnerability.
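As an added example (not part of the Alibaba Cloud document), the following shell script reads the status files listed above, classifies each as not affected, mitigated or vulnerable, and checks the running kernel command line for any of the mitigation-disabling boot parameters from the list. The sysfs directory and the parameter names are taken from the document; the script name, the function names and the VULN_DIR override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the CPU vulnerability status files described in the
# Alibaba Cloud Linux 2 document and flag boot parameters that weaken them.
# Not part of the original document.

set -u

# Directory exported by the kernel. Overridable (assumption for this
# example) so the script can be run against a constructed copy in tests.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map a sysfs status line to one of three classes. Real files contain
# values such as "Not affected", "Vulnerable" or "Mitigation: PTI".
classify_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print one line per status file: <name> <class> <raw status>.
# Returns 1 if any file reports "Vulnerable", 0 otherwise.
audit_vulnerabilities() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        [ "$class" = "vulnerable" ] && rc=1
        printf '%-20s %-13s %s\n' "$name" "$class" "$status"
    done
    return $rc
}

# Boot parameters from the document that turn a mitigation off.
# nospectre_v1 takes no value.
DISABLE_PARAMS="mitigations=off nospectre_v1 nospectre_v2 spectre_v2=off \
spec_store_bypass_disable=off nospec_store_bypass_disable pti=off nopti \
l1tf=off mds=off"

# Given a kernel command line (the contents of /proc/cmdline), print each
# mitigation-disabling parameter found, one per line. Returns 1 if any
# were found, 0 if the command line is clean.
find_disable_params() {
    cmdline="$1"
    found=0
    for tok in $cmdline; do
        for p in $DISABLE_PARAMS; do
            if [ "$tok" = "$p" ]; then
                echo "$tok"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

main() {
    echo "== $VULN_DIR =="
    audit_vulnerabilities "$VULN_DIR" || \
        echo "WARNING: at least one vulnerability is unmitigated"
    echo "== mitigation-disabling parameters in /proc/cmdline =="
    if find_disable_params "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "(none)"
    fi
}

main
```

The status files are world-readable, so the script needs no special privileges. After you add one of the parameters from the list to the kernel command line (on CentOS 7 compatible systems such as Alibaba Cloud Linux 2, grubby --update-kernel=ALL --args="pti=off" is the usual way) and reboot, run the script again: the corresponding status file should now report Vulnerable instead of Mitigation, and the parameter should appear in the command-line check. That is the expected and intended result of turning a mitigation off, so treat a Vulnerable line on an instance where no parameter was set as a finding.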

Applicable to

  • Elastic Compute Service