How To Protect Your Server Against the Meltdown and Spectre Vulnerabilities

Hi all, for all Ubuntu 16.04 users please be aware that the kernel 4.4.0-108 is buggy!! https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1742323

Be sure to upgrade to kernel kernel 4.4.0-109 which was also released.

@jellingwood maybe you should update that in the post.

Even after doing this on a CentOS 7.4 Droplet, spectre-meltdown-checker reports:

• Mitigation 2
• Kernel compiled with retpoline option: NO
• Kernel compiled with a retpoline-aware compiler: NO

STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

How do we fix this?

If your droplet won’t switch to the latest kernel after the described updates and your droplet uses “external kernel management” (ie. changing the kernel via the control panel), you might want to consider changing to “Internal Kernel Management” following https://www.digitalocean.com/community/tutorials/how-to-update-a-digitalocean-server-s-kernel

After that you’ll be able to explicitly change to the kernel you want to use.

Ubuntu 16.04 kernel is updated again, or at least before a link to this post was emailed to me today, I had just completed an upgrade to 4.4.0-112

i have no clue what to do… for someone who is not IT at all - this is mind blowing.

Yum update seems to “remove” the old kernel and installs the new one on Centos 7

yet a uname -r shows the old one still.

a yum update shows no new packages waiting.

No idea what went wrong here.

Just to be clear. Is simply changing the Kernel from the admin console good enough? Or do we still have to update the droplet after changing the kernel? Also some of my droplets have internally managed Kernels. What does that mean exactly?

$ sudo apt-get dist-upgrade >>> is failing on Ubuntu 16.04, I get this error:

Err:1 http://download.owncloud.org/download/repositories/stable/Ubuntu_16.04 owncloud-files 10.0.5-1.1 404 Not Found [IP: 138.201.139.178 80]

let us know when we can try again, thanks!

I’m having a bit of a tough time upgrading my kernels. Running CentOS 6, these are pretty old droplets so had to be changed to the GrubLoader kernel in the control panel. After doing that, they boot to a newer kernel, which is great. But it’s not the newest kernel.

If I try running yum upgrade kernel it seems to work, but throws out grubby fatal error: unable to find a suitable template and doesn’t have a new kernel on reboot. The grub conf file doesn’t even reference the kernel that I am running, so it’s clearly being ignored. Any suggestions? Any hints on how CentOS is actually deciding what kernel to run?

I don’t want to UPGRADE my whole OS

Just give required update please

And please TIME to offer AMD CPUs, enough of this Intel crap

I’m confused about my situation. My host is running on CentOS 6.9 provided by you. But I’ve changed the kernel from 2.6.32-696.18.7.el6.x86_64 to 4.14.14-1.el6.elrepo.x86_64 recently. What should I do ?

I have Ubuntu 16.04 and when running the upgrade I am getting the following message:

"A new version of /boot/grub/menu.lst is available, but the version installed currently has been locally modified.

What would you like to do about menu.lst?"

When I select the option “show side-byside difference between the versions” I get the following:

Line by line differences between versions                                                                  │
                                 │                                                                                                            │
                                 │ Old file: /run/grub/menu.lst root.root 0644 2018-01-27 12:08:50                                            │
                                 │ New file: /tmp/fileCrfBIN root.root 0600 2018-01-27 12:08:50                                               │
                                 │                                                                                                            │
                                 │ ## ## End Default Options ## ## ## End Default Options ##                                                  │
                                 │                                                                                                            │
                                 │ title Ubuntu 16.04.3 LTS, kernel 4.4.0-97-generic title Ubuntu 16.04.3 LTS, kernel 4.4.0-97-generic        │
                                 │ root (hd0) root (hd0)                                                                                      │
                                 │ kernel /boot/vmlinuz-4.4.0-97-generic root=LABEL=clo kernel /boot/vmlinuz-4.4.0-97-generic root=LABEL=clo  │
                                 │ initrd /boot/initrd.img-4.4.0-97-generic initrd /boot/initrd.img-4.4.0-97-generic                          │
                                 │                                                                                                            │
                                 │ title Ubuntu 16.04.3 LTS, kernel 4.4.0-97-generic ( title Ubuntu 16.04.3 LTS, kernel 4.4.0-97-generic (    │
                                 │ root (hd0) root (hd0)                                                                                      │
                                 │ kernel /boot/vmlinuz-4.4.0-97-generic root=LABEL=clo kernel /boot/vmlinuz-4.4.0-97-generic root=LABEL=clo  │
                                 │ initrd /boot/initrd.img-4.4.0-97-generic initrd /boot/initrd.img-4.4.0-97-generic                          │
                                 │                                                                                                            │
                                 │ ### END DEBIAN AUTOMAGIC KERNELS LIST ### END DEBIAN AUTOMAGIC KERNELS LIST

What do I select now?

I have Droplet with Ubuntu server 17.10. Here I can read that patched version is “kernel 4.13.0-25-generic”. I have updated server with “apt-get update”, “apt-get upgrade”, “apt-get install linux-image-generic” and everything is finished fine.

But, when I check with “uname -a”, I get information the “4.13.0-19-generic” is used. How can I upgrade to latest kernel?

For Ubuntu 16.04 is “dist-upgrade” necessary ? I simply did “upgrade” instead and rebooted and my kernel version is “4.4.0-112-generic” which is higher than the recommended “4.4.0-109-generic” Isn’t a simple “upgrade” sufficient and less risky than a “dist-upgrade” ?

I’m currently running: Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-57-generic x86_64)

I ran the update commands:

sudo apt-get update && sudo apt-get dist-upgrade

I saw this show up at the end of the dist-upgrade:

update-initramfs: Generating /boot/initrd.img-3.13.0-141-generic

but after I restarted, I’m still seeming my old kernel version in the welcome message and when running uname -a…

Am I doing something wrong here?

I have Ubuntu 14.04 and I do not want to update to 16.04 using “dist-upgrade” since this will cause some of my programs to stop working.

How can I update the kernel of 14.04 without upgrading to 16.04?

If it helps, I’ve just run through this process with lots of CentOS 6 boxes. The yum update kernel* worked great, but had to do two things to get the instance to pick up the new kernel 1 - in the DO control panel, under Kernel, select their GRUB loader version 0.2 2 - rpm -q kernel lists all the kernels installed. I used rpm -e to remove all the older versions - and the instance then booted into the latest kernel

Hope this helps - this is a brief summary of quite a few hours work updating tons of boxes!

I did follow the steps, rebooted the system and everything, but looks like my kernel version hasn’t been updated.

~$ sudo apt-get dist-upgrade Reading package lists… Done Building dependency tree Reading state information… Done Calculating upgrade… Done The following packages were automatically installed and are no longer required: libc-ares2 libv8-3.14.5 linux-headers-3.13.0-68 linux-headers-3.13.0-68-generic linux-image-3.13.0-68-generic linux-image-extra-3.13.0-68-generic Use ‘apt-get autoremove’ to remove them. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

~$ hostnamectl status Static hostname: dc-01 Icon name: computer-vm Chassis: vm Boot ID: 6658869fb9574f3186f8201ab51d44b8 Operating System: Ubuntu 14.04.5 LTS Kernel: Linux 3.13.0-57-generic Architecture: x86_64

Help! I am on a CentOS 6 droplet that is from 2013 (very old), and it has been on kernel 2.6.32-431.1.2.0.1.el6.x86_64. I did sudo yum update which was fine, but after sudo reboot it stayed on the old kernel. (I manage another newer CentOS 6 droplet from 2017, which was on 2.6.32-696.1.1.el6, and after reboot it went up to2.6.32-696.20.1.el6 so that is fine.)

To solve this, I tried to follow this: https://www.digitalocean.com/community/tutorials/how-to-update-a-digitalocean-server-s-kernel and did sudo rpm -e 2.6.32-431.1.2.0.1.el6.x86_64. After that, my instance no longer booted!

I had to restore from backup. Now, I’m back on older kernel, and I have no way to upgrade it.

Linode for example took care of this for their users. I don’t know why you ask your users to do this at their end. You should take care of it, because this is serious and can break up things. I noticed that it’s a trend to ask your users to do everything, even if it’s something that belongs to your core responsibilities. I followed the instructions above and I don’t know if this upgraded the kernel to 4.4.0-109 or not. I just followed what it’s above.

As expected, my sites went down and I had to restore my backup now. The backup restore worked fine though. I will submit a ticket. Apparently, the instructions above are not enough.

I was referred to Digital by a trusted techy colleague Because everything just worked and they have good support. Well, i have client website down and my techy colleague is overseas. Also, i have 20,000 email campaign launching in 8 hours with a push to social. I’m not techy and have no idea how to fix! HEEEEEEELP!!!

Will I get a newer kernel if I resize the droplets? I resized one droplet last time and now I am planning to update it’s kernel but when I checked it, it was already updated.

I don’t see any of the latest Ubuntu kernels in the dropdown list. I tried to upgrade to the latest one that is on the list (Ubuntu 16.04 x64 vmlinuz-4.4.0-28-generic), but my ssh keys were no longer on the server. I could not hit the I could even hit the website it runs. It just times out. I went to the help pages for upgrading to Ubuntu and there is literally nothing there. It shows the title and there is no article.

Hi all,

I’m looking for a straight forward (plain talking) answer to the (unanswered) question under the above Contents “Am I Affected by the Meltdown and Spectre?”

The best offering I’ve been able to find from the ongoing comments is to use: https://github.com/speed47/spectre-meltdown-checker

After having run this script, it seems my tested droplet is indeed vulnerable to one of the variants - despite having taken a snapshot, apt-get update, apt-get dist-grade, reboot!

I also noticed (above) comments relating to running ‘uname -ir’ but then failed to state what to expect in the response. Mine states: ‘4.4.0-112-generic x86_64’ is that okay? I’m guessing not, since the script still shows the vulnerability.

So, let’s say we’ve now determined that our droplet has one (or more of ) the vulns, what are the next steps? What happens if you’ve carried out all the update advice but still get the vuln, what next? Watch this space?

I appreciate the ‘Current Mitigation Patch Status’ section states my distribution (Ubuntu 16:04) has a partial mitigation, but it kind of feels like I’ve been left hanging and don’t know what to do next.

However, that could just be me and I could have very easily missed something. Would appreciate any advice.

Running apt-get dist-upgrade on an Ubuntu 14.04 droplet brings me to a dialog on configuring grub-pc. What should I select? #2 is the default selection.

Configuring grub-pc  
A new version of configuration file /etc/default/grub is available, but the version installed currently has been locally modified.

What do you want to do about modified configuration file grub?

1) install the package maintainer's version
2) keep the local version currently installed
3) show the differences between the versions
4) show a side-by-side difference between the versions
5) show a 3-way difference between available versions
6) do a 3-way merge between available versions (experimental)
7) start a new shell to examine the situation

Thanks for your help! This is a busy production site so I don’t want to mess things up :)

I’ve run this: sudo apt-get update && sudo apt-get dist-upgrade And on reboot it’s showing my kernel as Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

Does this include the patches? Is there a command I can run to verify the patches were installed?

I see updating kernel inside droplet protects only against hostile users inside that droplet.

But how about other droplets on the same physical CPU? Is it safe to assume that same CPU “neighbor droplet” owner can’t access the memory space of our droplet via the meltdown bug?

Thanks for clarifications!