Issue:
Apply patching for new issues made public on 2018 Jan 03 for CVE-2017-5715 (Spectre), CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown).
Remediation:
Below are the steps we performed for Ubuntu 16.x, CentOS 6.9 and CentOS 7.x.
Mac:
If running macOS 10.11.2 or 10.13.2, click the App Store icon, switch to the Updates tab (along the top), and click the Check for Updates button.
If you have any Security updates pending, install them. If not, you are already patched / mitigated.
Ubuntu:
1. Log in with an administrative account w/sudo rights.
2. Note the currently running kernel (in case you need to revert to it).
$ sudo uname -r
3. Run the following update commands:
$ sudo apt-get update
$ sudo apt-get upgrade
Answer Y to confirm package installs which will include kernel updates.
(wait for installs)
$ sudo reboot
(Reboot so we use the new kernel.)
4. Log in again.
5. Display the kernel so we can compare to the Ubuntu fix repository.
$ sudo uname -r
Compare release to the CVE from Canonical...
e.g.
people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
6. Everything running okay? If so, remove the unused kernels to free up /boot partition space.
$ sudo apt autoremove
CentOS / RedHat:
1. Log in with an administrative account w/sudo rights.
2. Note the currently running kernel (in case you need to revert to it).
$ sudo uname -r
3. Run the following update commands:
$ sudo yum update
Answer Y to confirm package installs which will include kernel updates.
(wait for installs)
$ sudo reboot
(Reboot so we use the new kernel.)
4. Log in again.
5. Display the kernel.
$ sudo uname -r
6. Check for the CVEs in the changelog:
$ rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Notes:
If you don't see any text, you didn't upgrade high enough, or the mirror doesn't have the latest updates. On one of our CentOS 6.9 servers, its current repo mirror didn't have the kernel updates yet. I had to remove the cache of mirrored servers and run again. It then chose another mirror which had the updates. Also, note that the kernel version numbers differ between CentOS 7 and CentOS 6.9, but the latest kernel updates to both address the CVEs.
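An added example, not part of the original write-up: the egrep in step 6 prints output as soon as any one of the three CVE IDs appears, and `rpm -q --changelog kernel` covers every installed kernel package. The script below checks each ID separately and queries only the running kernel's package. The function names and the sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-CVE check of a kernel RPM changelog (names are illustrative).
CVES="CVE-2017-5715 CVE-2017-5753 CVE-2017-5754"

# Read changelog text on stdin; print the CVE IDs that never appear in it.
missing_cves() {
    changelog=$(cat)
    missing=""
    for cve in $CVES; do
        # -F literal string, -w whole word, -q status only
        printf '%s\n' "$changelog" | grep -Fqw -- "$cve" || missing="$missing $cve"
    done
    printf '%s' "${missing# }"
}

# Query only the package of the kernel that is actually running.
check_running_kernel() {
    pkg="kernel-$(uname -r)"
    absent=$(rpm -q --changelog "$pkg" 2>/dev/null | missing_cves)
    if [ -n "$absent" ]; then
        echo "$pkg: no changelog entry for: $absent"
        return 1
    fi
    echo "$pkg: changelog references all of: $CVES"
}

# Constructed changelog excerpts (not real package data) for an offline run.
SAMPLE_PATCHED='* Thu Jan 04 2018 Example Builder <builder@example.invalid> - 0.0.0-0
- [x86] constructed entry one {CVE-2017-5754}
- [x86] constructed entry two {CVE-2017-5715}
- [x86] constructed entry three {CVE-2017-5753}'
SAMPLE_PARTIAL='* Thu Jan 04 2018 Example Builder <builder@example.invalid> - 0.0.0-0
- [x86] constructed entry one {CVE-2017-5754}'

# "--check" runs against the live system; otherwise show the sample results.
if [ "${1:-}" = "--check" ]; then
    check_running_kernel
else
    echo "patched sample missing: [$(printf '%s\n' "$SAMPLE_PATCHED" | missing_cves)]"
    echo "partial sample missing: [$(printf '%s\n' "$SAMPLE_PARTIAL" | missing_cves)]"
fi
```

Run it with `--check` on the CentOS / RedHat host after the reboot; a non-zero exit status means at least one of the three IDs has no changelog entry for the running kernel.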
MS Windows:
<Start> Control Panels --> System and Security --> Windows Update
Click the check for updates button, wait.
Click the Install updates button, wait.
VMware:
VMware released patches for ESX 6.5, 6.0, and 5.5. Read the VMSA-2018-0002 release.