Ubuntu – Ubuntu’s status on the Meltdown and Spectre vulnerabilities

Security

Any questions relating to status updates, or asking if anything is going to be patched for these vulnerabilities should be closed as duplicates of this question.

Meltdown and Spectre are in the news right now and sound pretty severe. I don't see any security updates from Ubuntu that cover these vulnerabilities.

What is Ubuntu doing about these vulnerabilities, and what should Ubuntu users be doing?

These are CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754.

Best Answer

  • It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

    To address the issue, updates to the Ubuntu kernel and processor microcode are needed. Updates are announced in Ubuntu Security Notices. Meltdown/Spectre related updates have now been announced, covering updates to the kernel and to some userspace software.

    The following updates have been released:

    • Ubuntu kernel updates are available in USN 3522-1 (for Ubuntu 16.04 LTS), USN 3523-1 (for Ubuntu 17.10), USN 3522-2 (for Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (for Ubuntu 14.04 LTS).
    • Further kernel updates (which include mitigations for both Spectre variants and additional mitigations for Meltdown) were made available on January 22 2018 in USN-3541-2 (for Ubuntu 16.04 LTS (HWE)), USN-3540-1 (for Ubuntu 16.04 LTS), USN-3541-1 (for Ubuntu 17.10), USN-3540-2 (for Ubuntu 14.04 LTS (HWE)), USN-3542-1 (for Ubuntu 14.04 LTS), USN-3542-2 (for Ubuntu 12.04 LTS (HWE)).
    • USN-3516-1 provides Firefox updates.
    • USN-3521-1 provides NVIDIA driver updates.
    • USN-3531-1 provides Intel microcode updates. Due to regressions, the microcode updates have been reverted for now (USN-3531-2).

    Users should immediately install the updates as they are released in the normal way. A reboot is required for the kernel and microcode updates to take effect.

    Users can verify the kernel page table isolation patches are active after the reboot.

    Updates for Ubuntu 17.04 (Zesty Zapus) will not be provided as it reached end-of-life on January 13 2018.

    In advance of security updates being released, Dustin Kirkland had provided some more details of what updates to expect in a blog post, including mention of kernel updates as well as CPU microcode, gcc and qemu updates.

    Kiko Reis from Canonical wrote an accessible description of the impact of these vulnerabilities and their mitigations for Ubuntu users on 24 January 2018.

    The Ubuntu Security Team is maintaining their current status on these issues and an official technical FAQ that goes into detail about the specific individual vulnerability variants and their migitations under different use cases.

    Note that Linux mainline and stable release updates from v4.15 (28th January 2018) and onwards include the appropriate fixes and Ubuntu kernels are based on those. As such, any versions of Ubuntu using Linux Kernel versions 4.15.0 and up are patched (including 18.04 and 18.10).