피드 구독

A new series of vulnerabilities in Intel processors, known as Microarchitectural Data Sampling, or more simply MDS, was recently made public and Red Hat released information about how the vulnerabilities affect our software and how to protect your organization.

In the simplest terms, MDS is a vulnerability in Intel processors similar to Spectre and Meltdown; it allows a guest to read protected memory from anywhere on the host or guest. To mitigate the risks exposed by MDS, a combination of updated microcode, updated kernel(s), patches, and administrator action will need to be taken for both the hypervisors and virtual machines in your Red Hat Virtualization deployment. Unlike some similar vulnerabilities, simply disabling SMT and/or hyper-threading is not enough to protect your applications.   

Protecting your applications

The Red Hat Virtualization team released updates for both 4.2 and 4.3, implementing code-based mitigations. For addressing MDS vulnerabilities when using versions 4.1 or earlier, disabling multithreading (SMT) using the server BIOS is the recommended method.

If you are using Red Hat Virtualization 4.2, please be aware it is considered part of the extended update services (EUS) channel since Red Hat Virtualization 4.3 became generally available (GA) on May 10, 2019. This means you will need to update the repositories to enable the EUS channel on the hosts before the newest updates are visible.

In addition to updating Red Hat Virtualization Manager to the latest version, there are several additional steps which may be taken for hosts and guests:

For hypervisor hosts:

  • Updated microcode and BIOS should be utilized. Red Hat Virtualization and RHEL include updates from Intel for microcode; you should also work with your hardware vendor to determine if you’re running the recommended microcode and BIOS.

  • Update the kernel to the latest available for your version of RHEL.

  • Apply the most recent Red Hat Virtualization Host and/or RHEL updates.

  • Disable multithreading using kernel boot parameters from the Red Hat Virtualization Manager interface.
    Disable multithreading using kernel boot parameters from the Red Hat Virtualization Manager interface

For virtual machines:

  • Use the “MDS” CPU type. After updating your Red Hat Virtualization deployment, apply the MDS mitigations, and update the cluster CPU type to “Intel XXX IBRS SSBD MDS Family” CPU type for your cluster. This will apply mitigations for Spectre, Meltdown, and MDS.

  • Update the kernel and other packages to the latest available and follow the recommendations from Red Hat and/or Microsoft for your guest operating system.

  • Disable guest hyperthreading. This can be done by setting the number of threads per core to one for the virtual machines. This is the default value.
    Disable guest hyperthreading. This can be done by setting the number of threads per core to one for the virtual machines.

 

The standard update and upgrade procedures should be used when applying the MDS mitigation updates. If you’re using the self-hosted Red Hat Virtualization manager, be sure to run engine-setup again afterward so that the cluster CPU options are updated.

Knowledge is power

MDS is only one of the latest major vulnerabilities which broadly affects many IT systems. Be sure to read Red Hat’s Vulnerability Response article documenting the issues. Also a very helpful explanation from Jon Masters about what MDS is, and how it is exploited to get data from hosts with a technical deep dive in this 17 minute video that provides a detailed look into MDS and similar vulnerabilities.


저자 소개

UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리