Meltdown: How to Protect Your Linux Server

Meltdown is a serious vulnerability that has recently been disclosed. This article outlines how to make sure your Linux server is safe.

Meltdown and Spectre encompass three different but related vulnerabilities and are listed under CVE-2017-5715CVE-2017-5753 and CVE-2017-5754. So far, only patches for CVE-2017-5754 are available, so this document will cover those patches. It is worth noting that our underlying architecture protects your virtual servers against much of the vulnerability, but we still highly recommend patching your servers to keep your data safe.

Depending on the exact operating system your VPS is running you will have to make sure an up to date kernel version is installed and running. Generally you should be able to log into your VPS and be able to run the following command with root privileges:

root@hostname:~# uname -a
Linux hostname 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

The output of this command depends on the operating system you are running and the current patch state of your VPS.
Please refer to the following table for more information about which kernel version is regarded as patched for the CVE on which OS:

Operating SystemPatched Linux Kernel versionNotes
CentOS 6.6unstableDon't update to the latest version just yet:
https://bugs.centos.org/view.php?id=14336
https://solusvm.com/blog/information-meltdown-spectre-vulnerabilities/
CentOS 74.9.75https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html
Debian https://security-tracker.debian.org/tracker/CVE-2017-5754
Debian Jessie3.16.51-3+deb8u1https://security-tracker.debian.org/tracker/DSA-4082-1
Debian Stretch4.9.65-3+deb9u2https://security-tracker.debian.org/tracker/DSA-4078-1
Debian Wheezy3.2.96-3https://security-tracker.debian.org/tracker/DLA-1232-1
Ubuntu https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
Ubuntu Precise3.2.0.132https://usn.ubuntu.com/usn/usn-3525-1/
Only available through the Ubuntu Advantage program as the OS is EOL (End of Life)
Ubuntu Trusty3.13.0.139https://usn.ubuntu.com/usn/usn-3524-1/
Ubuntu Xenial4.4.0.10https://usn.ubuntu.com/usn/usn-3522-3/

Once you have installed the new package version using your package manager make sure to double check which version is installed.

In order to output all installed package versions on Debian and Ubuntu use the following command:

root@hostname:~# dpkg -l

On CentOS VPSs use:

root@hostname:~# yum list installed

Once you have rebooted make sure that your machine is now running the correct kernel, like the following example of a Ubuntu Xenial server:

root@hostname:~# uname -a
Linux hostname 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

If your kernel is not showing the latest version, make sure the file '/boot/grub/menu.lst' has been updated and the boot entry is pointing to the correct files.

On the example system this would be looking like this:

title        Ubuntu 16.04.3 LTS, kernel 4.4.0-109-generic
root        (hd1)
kernel        /boot/vmlinuz-4.4.0-109-generic root=/dev/xvda2 ro console=tty1 
initrd        /boot/initrd.img-4.4.0-109-generic