
Disable mitigations for CPU vulnerabilities in Alibaba Cloud Linux 2

Last Updated: Apr 23, 2024

Note

This topic may contain information about third-party tools. The information is only for reference. Alibaba Cloud does not guarantee or make commitments to the performance and reliability of third-party tools, or the potential impacts of operations on the tools.

Overview

This topic describes the CPU vulnerabilities that exist in Alibaba Cloud Linux 2, the sysfs files for the vulnerabilities, and how to disable mitigations for the vulnerabilities. You can disable mitigations for the CPU vulnerabilities based on your business requirements.

Note
  • Before you perform high-risk operations, such as modifying the configurations or data of Alibaba Cloud instances, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.

  • Before you modify the configurations or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backup for the instance. For example, you can enable log backup for an ApsaraDB RDS instance.

  • If you granted access permissions on or submitted sensitive information (such as usernames and passwords) in the Alibaba Cloud Management Console, we recommend that you modify the information at the earliest opportunity.

Background information

In January 2018, Google Project Zero publicly disclosed new security vulnerabilities known as Spectre and Meltdown that affect modern processors. Attackers may exploit the vulnerabilities to steal privileged data and severely compromise system security. The Spectre and Meltdown vulnerabilities are present in most mainstream processors, including Intel, AMD, and ARM processors, and have attracted much attention since the disclosure. Alibaba Cloud products are affected by the vulnerabilities. Mainstream operating systems, including Linux operating systems, provide software mitigations for the vulnerabilities. The Spectre and Meltdown vulnerabilities have continued to evolve into more variants and types since the disclosure in January 2018, and are expected to linger for an extended period of time.

Vulnerability details

Note
  • The Spectre and Meltdown vulnerabilities exploit the speculative execution and out-of-order execution features on processor hardware that are essential for improving processor performance. Mitigations for the Spectre and Meltdown vulnerabilities significantly degrade CPU performance.

  • In most cases, software mitigations can only mitigate the vulnerabilities, but cannot eliminate the vulnerabilities.

The following table describes the Spectre and Meltdown vulnerabilities that exist in Alibaba Cloud Linux 2 and how to disable mitigations for the vulnerabilities. Each entry lists the CVE, the path to the sysfs file of the vulnerability, the default handling method, and the method for disabling mitigations.

Spectre Variant 1 (Bounds Check Bypass)
  • Path to the sysfs file of the vulnerability: /sys/devices/system/cpu/vulnerabilities/spectre_v1
  • Default handling method: Mitigations are enabled.
  • Method for disabling mitigations: Mitigations are force enabled and cannot be disabled.

Spectre Variant 1 (swapgs)
  • Path to the sysfs file of the vulnerability: /sys/devices/system/cpu/vulnerabilities/spectre_v1
  • Default handling method: Mitigations are enabled.
  • Method for disabling mitigations: nospectre_v1=off, or mitigations=off

    Note

    Only kernel 4.19.57-15.al7 and later support the preceding parameter settings.

Spectre Variant 2
  • Path to the sysfs file of the vulnerability: /sys/devices/system/cpu/vulnerabilities/spectre_v2
  • Default handling method: The spectre_v2 parameter is set to auto to enable mitigations.
  • Method for disabling mitigations: nospectre_v2, spectre_v2=off, or mitigations=off

    Note

    Only kernel 4.19.43-13.al7 and later support the preceding parameter settings.

Spectre Variant 4 (Speculative Store Bypass)
  • Path to the sysfs file of the vulnerability: /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
  • Default handling method: The spec_store_bypass_disable parameter is set to auto to enable or disable mitigations based on whether the processor supports the Speculative Store Bypass Disable (SSBD) feature. If the processor supports the SSBD feature, mitigations are enabled. If the processor does not support the SSBD feature, mitigations are disabled.
  • Method for disabling mitigations: spec_store_bypass_disable=off, nospec_store_bypass_disable, or mitigations=off

    Note

    Only kernel 4.19.43-13.al7 and later support the preceding parameter settings.

Meltdown
  • Path to the sysfs file of the vulnerability: /sys/devices/system/cpu/vulnerabilities/meltdown
  • Default handling method: The pti parameter is set to auto to enable mitigations.
  • Method for disabling mitigations: pti=off, nopti, or mitigations=off

    Note

    Only kernel 4.19.43-13.al7 and later support the preceding parameter settings.

L1TF
  • Path to the sysfs file of the vulnerability: /sys/devices/system/cpu/vulnerabilities/l1tf
  • Default handling method: In the guest kernel, only the extended page table (EPT) inversion mitigation is enabled.
  • Method for disabling mitigations: l1tf=off, or mitigations=off

    Note

    Only kernel 4.19.43-13.al7 and later support the preceding parameter settings.

MDS
  • Path to the sysfs file of the vulnerability: /sys/devices/system/cpu/vulnerabilities/mds
  • Default handling method: In the guest kernel, only the CPU buffer clearing mitigation is enabled.
  • Method for disabling mitigations: mds=off, or mitigations=off

    Note

    Only kernel 4.19.43-13.al7 and later support the preceding parameter settings.

Note
  • The sysfs files in Alibaba Cloud Linux 2 indicate whether CPUs on the current instance are vulnerable and which mitigations are active. Valid values in the files:

    • Not affected: The CPU is not vulnerable.

    • Vulnerable: The CPU is vulnerable and no mitigations are enabled.

    • Mitigation: The CPU is vulnerable and mitigations are enabled.

  • For information about each vulnerability, click the vulnerability name to view the details of the vulnerability.
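The following script is an added example, not part of the Alibaba Cloud documentation: it classifies the values of the sysfs vulnerability files described above and reports which of the mitigation-disabling kernel parameters from the table are present in a kernel command line, so an operator can audit whether an instance is still protected. The sysfs directory and command line it runs on are constructed sample data; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud documentation): audit the sysfs
# vulnerability files and the kernel command line for disabled mitigations.
# File paths and parameter names come from the table above; the sample data
# at the bottom is constructed so the script can run offline.

# classify_status STATUS: map a sysfs file value to one of
# not_affected | vulnerable | mitigated | unknown
classify_status() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    "Vulnerable"*)   echo vulnerable ;;
    "Mitigation"*)   echo mitigated ;;
    *)               echo unknown ;;
  esac
}

# audit_sysfs DIR: print "<vulnerability> <class>" for every file in DIR
audit_sysfs() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(basename "$f")" "$(classify_status "$(cat "$f")")"
  done
}

# disabled_params CMDLINE: print, space-separated, the parameters from the
# table above that disable mitigations and appear in CMDLINE
disabled_params() {
  found=""
  for p in $1; do
    case "$p" in
      mitigations=off|nospectre_v1=off|nospectre_v2|spectre_v2=off|\
      spec_store_bypass_disable=off|nospec_store_bypass_disable|\
      pti=off|nopti|l1tf=off|mds=off) found="$found $p" ;;
    esac
  done
  echo "${found# }"
}

# Constructed sample: a fake sysfs directory and a fake kernel command line.
SAMPLE_DIR=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/meltdown"
printf 'Vulnerable\n'      > "$SAMPLE_DIR/spec_store_bypass"
printf 'Not affected\n'    > "$SAMPLE_DIR/l1tf"
SAMPLE_CMDLINE="BOOT_IMAGE=/boot/vmlinuz root=/dev/vda1 ro pti=off mitigations=off"

audit_sysfs "$SAMPLE_DIR"
echo "Disabling parameters present: $(disabled_params "$SAMPLE_CMDLINE")"
rm -rf "$SAMPLE_DIR"
```

On a live Alibaba Cloud Linux 2 instance, call `audit_sysfs /sys/devices/system/cpu/vulnerabilities` and `disabled_params "$(cat /proc/cmdline)"` instead of the sample data.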