Container Linux patched to address Meltdown vulnerability

By Benjamin Gilbert

New releases of Container Linux addressing the Meltdown attack, caused by vulnerabilities in many modern processors, are now available in all three Container Linux release channels: Alpha 1649.0.0, Beta 1632.1.0, and Stable 1576.5.0. Updates are rolling out to the Alpha and Beta channels now, and should complete over the next 24-48 hours. By default, Container Linux will apply these updates automatically, but systems with non-default configurations should be manually updated as soon as possible.

On the Stable channel, the new release is available now for manually triggered updates and will begin rolling out automatically on Monday, January 8. Due to the substantial kernel changes required to mitigate this vulnerability, Container Linux Stable 1576.5.0 upgrades the Linux kernel to a newer minor release, from Linux 4.13.16 to 4.14.11. Users who are concerned about the impact of this update may wish to manually update and test their systems before the automatic rollout begins on January 8.

Because of the nature of the mitigation required against the Meltdown attack, these updates will reduce performance for some workloads. The magnitude of the performance impact will vary depending on the specifics of the workload. We encourage users to monitor the performance of critical workloads after the update is applied.

Updating Tectonic Clusters

Tectonic clusters will automatically perform rolling updates of their stable Container Linux nodes beginning on Monday, January 8. This process should not cause cluster downtime for multi-master clusters. To update before Monday, follow the Container Linux manual update instructions on each machine, and the cluster will coordinate the machine reboots. On clusters which have previously paused Container Linux updates, updates should be unpaused to ensure nodes receive the fix on Monday.
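As an added example (not CoreOS tooling and not part of this post), a POSIX shell check to run on a node after a manual update and reboot: it compares the OS release against the per-channel versions listed above and the kernel against 4.14.11, then looks for the kernel's page-table-isolation message in the boot log. The paths /etc/os-release and update.conf, and the exact wording of the dmesg line, are assumptions.

```shell
#!/bin/sh
# Post-update Meltdown check for a Container Linux node (added example, not CoreOS code).

# First release carrying the Meltdown fix on each channel, from the announcement.
patched_version_for_channel() {
  case "$1" in
    alpha)  echo 1649.0.0 ;;
    beta)   echo 1632.1.0 ;;
    stable) echo 1576.5.0 ;;
    *)      return 1 ;;
  esac
}

# version_ge A B: succeeds if dotted numeric version A is >= B, field by field.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# node_is_patched CHANNEL OS_VERSION KERNEL_RELEASE: both the OS release and the
# kernel (suffix such as "-coreos" stripped) must reach the announced versions.
node_is_patched() {
  min_os="$(patched_version_for_channel "$1")" || return 1
  version_ge "$2" "$min_os" && version_ge "${3%%-*}" 4.14.11
}

# pti_enabled: reads kernel log text on stdin; succeeds if the kernel reported
# page table isolation (the Meltdown mitigation) as enabled. Message text assumed.
pti_enabled() {
  grep -q 'Kernel/User page tables isolation: enabled'
}

# check_this_node: gather the live values and run both checks. File paths assumed:
# /etc/os-release (VERSION_ID) and GROUP= in /usr/share/coreos/update.conf,
# overridden by /etc/coreos/update.conf when present.
check_this_node() {
  . /etc/os-release
  group="$(sed -n 's/^GROUP=//p' /usr/share/coreos/update.conf /etc/coreos/update.conf 2>/dev/null | tail -n 1)"
  node_is_patched "${group:-stable}" "$VERSION_ID" "$(uname -r)" || { echo "OS or kernel below patched release"; return 1; }
  dmesg | pti_enabled || { echo "kernel did not report page table isolation enabled"; return 1; }
  echo "node patched: ${group:-stable} $VERSION_ID, kernel $(uname -r)"
}
```

Run `check_this_node` on the node itself; the other functions take explicit values so they can be exercised elsewhere, for instance against an inventory of node versions.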

Meltdown Overview

The Meltdown attack (CVE-2017-5754) affects many computing devices using modern processors. The vulnerability can be exploited to read operating system memory, which can then be leveraged to gain additional privileges. The related Spectre attack (CVE-2017-5753, CVE-2017-5715) affects nearly all modern computing devices and allows reading memory of the operating system or of other processes. The open source community is working on mitigations for Spectre, and these will be included in Container Linux as they become available. A detailed, Linux-focused explanation of both attacks is available at LWN.net, and the Meltdown and Spectre website provides further references.

CoreOS extends its gratitude to all of the open source developers, in a wide range of community projects, who are devoting enormous effort to mitigating these vulnerabilities. We specifically thank Thomas Gleixner, Greg Kroah-Hartman, Andy Lutomirski, and Ingo Molnar for their work diagnosing and fixing boot-time crashes caused by the interaction of the Meltdown fix and Kernel Address Space Layout Randomization.

If you have any questions or concerns, please contact us via our community mailing list or IRC channel or on Twitter @CoreOSsecurity.