Hi,

TL;DR version: We're not patching and rebooting for this because
it's best fixed in your guests. If you had bare metal you'd have no
choice and would be doing that anyway.

Long version:

There is a Xen Security Advisory today which is yet more fallout
from the same class of CPU security issues as "Spectre" and
"Meltdown":

<https://xenbits.xen.org/xsa/advisory-263.html>

Usually there is a 2 week embargo on these things but as I
understand it there is no embargo this time because the discoverers
did not agree to one.

This issue is a hardware / design flaw which affects almost every
CPU in the world (all Intel, many AMD, some ARM). The potential
impact is unprivileged processes being able to read arbitrary
memory.

The Xen developers do not believe that it is possible for this to go
between guests nor between guest and hypervisor, so this restricts
the issue to processes within your guest.

As this also affects bare metal and almost every other configuration
of Linux, it will be addressed in software by your operating system
vendors by means of package update.

Some of the software fixes require updated firmware, and these
firmware updates have already been applied so that is ready for you
when you need it.

The patches supplied by Xen for this XSA do allow us to fix the
issue at a higher level in the hypervisor, thus not requiring any
changes in your VPSes, but at a cost of having to schedule another
round of reboots.

At this stage I am not inclined to enforce a reboot for this; I
think it's best fixed in the guests.

In the near future we will deploy one new host that has this bug
addressed at the hypervisor level and anyone who for whatever reason
cannot update their VPS can have it moved to that host.

This could be subject to change if there are further discoveries
about this particular bug, and I also doubt we have heard the last
of security bugs in this class. There could well be another XSA
along soon that requires reboot, in which case we may end up turning
this mitigation on as well at that time.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Hello,

Sadly today we've been made aware of another security issue that's
going to have to be patched, which means once again we have to
reboot everything.

It is a pity they couldn't have held the last one back for a week in
which case we'd have been able to roll the two patches together, but
they have a schedule for disclosure that they have to stick to.

So, this set of reboots is most likely to take place in the early
hours of the morning on 5/6/7 May. In the next couple of days we
will send out direct mails to all customers to let you know exactly
when your one hour maintenance window will be.

We should be able to use suspend/restore on this one so those who
have indicated that they want that should see that happen. You can
set that from:

<https://panel.bitfolk.com/account/config/>

For the benefit of new customers joining us what all this means is
that some time during the one hour maintenance window that you'll be
informed of individually by direct email, we will:

- Suspend to disk all the VPSes that have opted for that
- Shut down the rest cleanly
- Reboot the server into the patched hypervisor
- Restore the suspended VPSes
- Boot the rest

Although the maintenance window for each server is one hour long,
the work generally takes about 15 minutes.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting