Most Intel CPUs and some ARM CPUs are currently vulnerable to Meltdown. This means it is possible to remotely execute unauthorized code on servers that use those CPUs. In addition, all CPUs (Intel, ARM and AMD) released in the last two decades are vulnerable to Spectre. Spectre is not as dangerous, but in theory it lets third parties access confidential data. Both vulnerabilities are considered critical and must be patched by everyone who cares about server-side security.

Meltdown bypasses the isolation between user applications and the kernel, which lets third-party software read kernel memory and the confidential data it contains. All Intel CPUs since 1995 (except some low-end Atoms from before 2013) and some ARM64 CPUs (Cortex-A15/A57/A72/A75) are vulnerable to Meltdown.

Spectre lets attackers read and access files that are used by other processes. All Intel, AMD and ARM64 (Cortex-R7/R8, Cortex-A8/A9/A15/A17/A57/A72/A73/A75) CPUs are vulnerable to Spectre.

Note that an attack can be launched straight from the web browser, for example through malicious JavaScript code. The Google Chrome team is already working on integrating mitigations directly into the browser, while Mozilla has already released a patch that makes this attack much harder. Both browsers will provide more complete fixes by the end of January 2017.

Both Spectre and Meltdown let users of one virtual container access data from other containers and, in some cases, from the host. It does not matter which container technology you use: Docker, LXC, OpenVZ etc. Unihost has already mitigated Meltdown and Spectre on our shared hosting and VPS servers, but we cannot do this on our clients' dedicated servers.

Most OS vendors have already released patches to mitigate Meltdown. Microsoft shipped its fix as an emergency Patch Tuesday update, while Linus Torvalds rushed a new version of the Linux kernel to completion. It is now up to the distributions to ship the new kernel. RHEL, CentOS, Fedora and Ubuntu have already released updates, while Debian's is still in progress. You can check whether patches are available for your OS in the table below. We highly recommend that you update your OS, or upgrade to a distribution that has the means to mitigate Meltdown; otherwise we cannot guarantee your safety.

Patch status per OS (WAIT = patch still pending, DONE = patch released; blank = no status given):

OS | Spectre v1: Bounds Check Bypass (CVE-2017-5753) | Spectre v2: Branch Target Injection (CVE-2017-5715) | Meltdown: Rogue Data Cache Load (CVE-2017-5754)
---|---|---|---
Windows Server 2008 | | |
Windows Server 2008 R2 | | |
Windows Server 2012 | | |
Windows Server 2012 R2 | | |
Windows Server 2016 | | |
VMware vSphere 4.0/4.1/5.0/5.1 | | |
VMware vSphere 5.5 | | |
VMware vSphere 6.0/6.5 | | |
Linux Debian Wheezy | | |
Linux Debian Jessie | | |
Linux Debian Stretch | | |
Linux Debian Buster | | |
Linux Debian Sid | | |
Linux Red Hat Enterprise Linux 7 | | |
Linux Red Hat Enterprise Linux 6 | | |
Linux Red Hat Enterprise Linux 5 | | |
Linux Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | | |
Linux Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | | |
Linux Red Hat OpenStack Platform v 8/9/10/11/12 | | |
Linux CentOS 6 | WAIT | |
Linux CentOS 7 | WAIT | |
Linux Fedora 26 | WAIT | WAIT | DONE
Linux Fedora 27 | WAIT | WAIT | DONE
Linux SUSE OpenStack Cloud 6 | | |
Linux SUSE Linux Enterprise Server 11 SP3-LTSS | | |
Linux SUSE Linux Enterprise Server 11 SP4 | | |
Linux SUSE Container as a Service Platform ALL | | |
Linux Gentoo | | |
Linux Slackware 14 | WAIT | WAIT | WAIT
Solaris SmartOS | | |
Linux CloudLinux 6 | | |
Linux CloudLinux 7 | | |
Linux Ubuntu | | |
Linux OpenSuse Linux based upon SUSE 12/11 | | |
Linux Archlinux | | |
Linux OpenVZ | | |
Linux Proxmox 3.x | WAIT | WAIT | WAIT
Linux Proxmox 4.X | | |
Linux Proxmox 5.X | | |
Linux CoreOS Container Linux (channels Stable/Beta/Alpha) | | |
BSD DragonFlyBSD | WAIT | WAIT |
BSD FreeBSD | | |
BSD OpenBSD | WAIT | WAIT | WAIT
BSD NetBSD | WAIT | WAIT | WAIT
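The table tells you whether your distribution has shipped a fix; to confirm that the running kernel actually applies one, a Linux host can be asked directly. The script below is an added example (not part of this advisory) that reads the sysfs files a patched kernel (4.15 and later) exposes under /sys/devices/system/cpu/vulnerabilities/ for the three CVEs in the table; the sample directory it builds is constructed for offline use.

```shell
#!/bin/sh
# Added example: report the kernel's own mitigation status for the three issues
# listed in the table. A fixed kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ holding a line such as
# "Mitigation: PTI", "Vulnerable" or "Not affected".

# mitigation_status DIR NAME
# Prints "NAME: <kernel text>". Returns 0 when a mitigation is active or the CPU
# is not affected, 1 when the kernel reports "Vulnerable", and 2 when the file
# is missing (a kernel too old to carry the fix) or the text is unrecognised.
mitigation_status() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        echo "$2: no sysfs entry (kernel predates the fix)"
        return 2
    fi
    status=$(cat "$file")
    echo "$2: $status"
    case $status in
        Mitigation:*|"Not affected") return 0 ;;
        Vulnerable*) return 1 ;;
        *) return 2 ;;
    esac
}

# check_all DIR: run the check for Spectre v1, Spectre v2 and Meltdown.
# Returns 0 only if every issue is mitigated or not applicable.
check_all() {
    rc=0
    for name in spectre_v1 spectre_v2 meltdown; do
        mitigation_status "$1" "$name" || rc=1
    done
    return $rc
}

# Constructed sample directory so the script runs anywhere; on a real host use
#   check_all /sys/devices/system/cpu/vulnerabilities
SAMPLE_DIR=$(mktemp -d)
printf 'Mitigation: __user pointer sanitization\n' > "$SAMPLE_DIR/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$SAMPLE_DIR/spectre_v2"
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/meltdown"
check_all "$SAMPLE_DIR" || echo "at least one issue is still unmitigated"
```

A missing file (return code 2) is the usual result on an unpatched kernel, so treat it as "not fixed", not as "not affected".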