Red Hat reverts microcode update to mitigate Spectre, refers to hardware vendors for fix

Mattias Geniar, Wednesday, January 17, 2018

The content of this message is behind a pay/subscription wall, so let me highlight the most important aspects. Red Hat just informed its clients that it will rollback a microcode update that was designed to mitigate the Spectre attack (variant 2).

This was in their e-mail notification:

Latest microcode_ctl package will not contain mitigation for CVE-2017-5715 (Spectre, Variant 2)

Historically, for certain systems, Red Hat has provided updated microprocessor firmware, developed by our microprocessor partners, as a customer convenience. Further testing has uncovered problems with the microcode provided along with the “Spectre” CVE-2017-5715 mitigation that could lead to system instabilities. As a result, Red Hat is providing a microcode update that reverts to the last known and tested microcode version dated before 03 January 2018 and does not address “Spectre” CVE-2017-5715.

In order to mitigate “Spectre” CVE-2017-5715 fully, Red Hat strongly recommends that customers contact their hardware provider for the latest microprocessor firmware updates.

Here's the relevant bit from their KB article.

Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.

The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot.

The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.

Source: What CPU microcode is available via the microcode_ctl package to mitigate CVE-2017-5715 (variant 2)?

This will also affect derived distributions like CentOS, which we use heavily at Nucleus. This patching round isn't over, that's for sure.



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!

Comments

Stephen Wednesday, January 17, 2018 at 19:23 - Reply

Well, that’s frustrating: 5 minutes ago, the Intel site’s latest statement was dated Jan. 11, and it says “End-users should continue to apply updates recommended by their system and operating system providers.”


svennd Thursday, January 18, 2018 at 11:23 - Reply

So who should / can fix it ? is it Intel/supermicro/distro/application/… ? I’m also wondering how the rest of the world fixes these bugs guys like windows, digital ocean, aws, google, …

I kinda lost track.


Neil Thursday, January 18, 2018 at 20:33 - Reply

So I’m welcome to contact my CPU vendor who will provide me with microcode which has “instabilities introduced that are causing customer systems to not boot”?

There’s a high chance they won’t admit that, so I’ll apply them and then our systems won’t boot and then we’ll sit in downtime for x days whilst we do a dance with CPU vendor support whilst being unsupported by RedHat.

Probably not a good suggestion RedHat.


Leave a Reply

Your email address will not be published. Required fields are marked *