If you happen to be a Linux kernel developer, then you may not be having the best week. The same might hold true if you are a Linux systems administrator. The common reasons for this are the recently announced security vulnerabilities known as Spectre and Meltdown.
If you're not familiar with what these two vulnerabilities are, they are specific attack vectors that go after a processor feature known as speculative execution.
It's a no-kidding, all-hands-on-deck kind of problem, too. Initial reports had this being an Intel-only issue, but it turns out to be a potential open door to nearly every modern processor architecture.
Critical Background Information
For those of you not up to speed about Meltdown and Spectre, my colleague Jon Masters has put together an excellent and accessible blog post that explains speculative execution and how this feature can be exploited. There's also a good video that lays out the problem succinctly. For those wondering how the fixes could potentially impact your systems' performance, Red Hat has put an article out about that, too.
Obviously, this is an issue that every Linux distribution must deal with in the coming days, and there's a good round-up of articles on LWN.net, as well as a very complete status report on the Linux kernel developers' progress in mitigating these issues from Greg Kroah-Hartman.
The Human Impact
It is not known what, if any, security, productivity, or monetary costs may arise from these vulnerabilities. So far, it is estimated that any exploits that could advantage of these holes would be difficult to execute.
Already, the toll on people can be seen. In his status report, Kroah-Hartman concludes with this matter-of-fact statement:
"Right now, there are a lot of very overworked, grumpy, sleepless, and just generally pissed off kernel developers working as hard as they can to resolve these issues that they themselves did not cause at all. Please be considerate of their situation right now. They need all the love and support and free supply of their favorite beverage that we can provide them to ensure that we all end up with fixed systems as soon as possible."
What is also critical to note that this kind of crisis illustrates more than ever the importance of keeping systems patched. It is, sadly, a too-common occurrence in the free software ecosystem that using free-as-in-beer operating systems leads to a set-it-and-forget-it type of operation. Particularly with virtual machines, which are sometimes thought to be "safe" thanks to the hypervisor layer on which the VM is running.
Unfortunately, this "safety" is an illusion. These most recent vulnerabilities have been demonstrated to get past the hypervisor layer, so if a host system is exploited, any VM on that host could be illicitly accessed as well. And any system that's been set up and left alone is very much at risk because these fixes are so complex for current kernel versions, no one will have the time or energy to backport the fixes to earlier kernel versions. Once again, I will rely on Kroah-Hartman to outline the impact:
"If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck. The lack of patches to resolve the Meltdown problem is so minor compared to the hundreds of other known exploits and bugs that your kernel version currently contains. You need to worry about that more than anything else at this moment, and get your systems up to date first. "Also, go yell at the people who forced you to run an obsoleted and insecure kernel version, they are the ones that need to learn that doing so is a totally reckless act."
Running any production system on older software is not needed. The old "but that is all my app needs" reason flies out the window when dealing with the higher demands of security. Your business, your livelihood, and your piece of mind need admins at the top of their game. And patches up-to-date.
So whether its
dnf update yum update
or
apt-get update
get your systems up-to-date today. Open source software is amazing stuff, but it still needs proactive operators.
Image by Red Hat.
About the author
Brian Proffitt is Senior Manager, Community Outreach within Red Hat's Open Source Program Office, focusing on enablement, community metrics and foundation and trade organization relationships. Brian's experience with community management includes knowledge of community onboarding, community health and business alignment. Prior to joining Red Hat in 2013, he was a technology journalist with a focus on Linux and open source, and the author of 22 consumer technology books.
Browse by channel
Automation
The latest on IT automation that spans tech, teams, and environments
Artificial intelligence
Explore the platforms and partners building a faster path for AI
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
Explore how we reduce risks across environments and technologies
Edge computing
Updates on the solutions that simplify infrastructure at the edge
Infrastructure
Stay up to date on the world’s leading enterprise Linux platform
Applications
The latest on our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Developer resources
- Customer support
- Red Hat value calculator
- Red Hat Ecosystem Catalog
- Find a partner
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit