On Aug. 14, 2018, information was released about another set of “speculative execution” issues with Intel microprocessor hardware known as “L1 Terminal Fault”. As with earlier issues like Spectre and Meltdown, this information was coordinated with the release of updated software solutions to help mitigate the issue.
When the embargo was lifted, the OpenShift SRE team began remediation (detailed below) on all OpenShift Online clusters. All Pro clusters finished remediation shortly before 18h00 EDT August 14, 2018. All Starter clusters were patched as of 23h30 EDT August 14, 2018.
The work done to remediate included applying the new kernel, disabling Hyper-Threading, and adjusting cluster parameters around CPU allocation and overcommit settings. These changes may have an impact on overall cluster performance, so we will closely monitor performance and scale up with additional compute nodes as needed.
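To confirm on a given Linux node that both the kernel update and the Hyper-Threading change described above are in effect, the kernel's own sysfs reporting can be read. The following is an added example, not code from the OpenShift SRE team; the function name `l1tf_check` and its optional directory argument are assumptions made so the check can also be run against a copied or constructed sysfs tree.

```shell
#!/bin/sh
# Added example: report L1TF remediation state from the kernel's sysfs files.
# Usage: l1tf_check            (reads /sys/devices/system/cpu)
#        l1tf_check /some/dir  (hypothetical override, for offline testing)
# Returns 0 = mitigated and SMT not active, 1 = action needed,
#         2 = kernel does not report L1TF status (update not applied).
l1tf_check() {
    cpu_dir="${1:-/sys/devices/system/cpu}"
    vuln_file="$cpu_dir/vulnerabilities/l1tf"
    smt_file="$cpu_dir/smt/control"

    # Kernels without the L1TF update do not expose this file at all.
    if [ ! -r "$vuln_file" ]; then
        echo "UNKNOWN: $vuln_file not present; kernel lacks L1TF reporting"
        return 2
    fi
    status=$(cat "$vuln_file")

    case "$status" in
        "Not affected"*) echo "OK: $status"; return 0 ;;
        Mitigation:*)    kernel_ok=1 ;;
        *)               kernel_ok=0 ;;   # e.g. "Vulnerable"
    esac

    # smt/control reads on, off, forceoff or notsupported on patched kernels.
    smt=$(cat "$smt_file" 2>/dev/null || echo "unknown")
    case "$smt" in
        off|forceoff|notsupported) smt_ok=1 ;;
        *)                         smt_ok=0 ;;
    esac

    if [ "$kernel_ok" -eq 1 ] && [ "$smt_ok" -eq 1 ]; then
        echo "OK: $status (smt=$smt)"
        return 0
    fi
    echo "ACTION: $status (smt=$smt)"
    return 1
}
```

A return code of 1 with `smt=on` means the kernel mitigation is present but sibling threads are still active, which is the state the Hyper-Threading change addresses.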
OpenShift Dedicated customers have been notified separately regarding the remediation of their clusters.
For further information, please refer to:
- Vulnerability Article: https://access.redhat.com/security/vulnerabilities/L1TF
- Blog post explaining the vulnerability: https://www.redhat.com/en/blog/understanding-l1-terminal-fault-aka-foreshadow-what-you-need-know
- Video explaining the issue: https://www.youtube.com/watch?v=kBOsVt0iXE4
- Technical "briefing" video: https://www.redhat.com/en/blog/deeper-look-l1-terminal-fault-aka-foreshadow
Red Hat OpenShift SRE Security
About the author
Dave Baker has been with Red Hat since 2017. He's currently working as a Design Architect in the Secure Engineering team within Product Security, and has spent the last years in various security related roles helping to protect Red Hat OpenShift Container Platform and many other products.