SiteHost
Back to Blog

Meltdown: How to Protect Your Linux Server

/ Technical
Meltdown is a serious vulnerability that has recently been disclosed. This article outlines how to make sure your Linux server is safe.
Linux pengiun.

Meltdown and Spectre encompass three different but related vulnerabilities and are listed under CVE-2017-5715CVE-2017-5753 and CVE-2017-5754. So far, only patches for CVE-2017-5754 are available, so this document will cover those patches. It is worth noting that our underlying architecture protects your virtual servers against much of the vulnerability, but we still highly recommend patching your servers to keep your data safe.

Depending on the exact operating system your VPS is running you will have to make sure an up to date kernel version is installed and running. Generally you should be able to log into your VPS and be able to run the following command with root privileges:

root@hostname:~# uname -a
Linux hostname 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

The output of this command depends on the operating system you are running and the current patch state of your VPS.

Please refer to the following table for more information about which kernel version is regarded as patched for the CVE on which OS:

Operating System

Patched Linux Kernel version

Notes

CentOS 6.6

unstable

Don't update to the latest version just yet:
https://bugs.centos.org/view.php?id=14336
https://solusvm.com/blog/information-meltdown-spectre-vulnerabilities/

CentOS 7

4.9.75

https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html

Debian

https://security-tracker.debian.org/tracker/CVE-2017-5754

Debian Jessie

3.16.51-3+deb8u1

https://security-tracker.debian.org/tracker/DSA-4082-1

Debian Stretch

4.9.65-3+deb9u2

https://security-tracker.debian.org/tracker/DSA-4078-1

Debian Wheezy

3.2.96-3

https://security-tracker.debian.org/tracker/DLA-1232-1

Ubuntu

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Ubuntu Precise

3.2.0.132

https://usn.ubuntu.com/usn/usn-3525-1/
Only available through the Ubuntu Advantage program as the OS is EOL (End of Life)

Ubuntu Trusty

3.13.0.139

https://usn.ubuntu.com/usn/usn-3524-1/

Ubuntu Xenial

4.4.0.10

https://usn.ubuntu.com/usn/usn-3522-3/

Once you have installed the new package version using your package manager make sure to double check which version is installed.

In order to output all installed package versions on Debian and Ubuntu use the following command:

root@hostname:~# dpkg -l

On CentOS VPSs use:

root@hostname:~# yum list installed

Once you have rebooted make sure that your machine is now running the correct kernel, like the following example of a Ubuntu Xenial server:

root@hostname:~# uname -a
Linux hostname 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

If your kernel is not showing the latest version, make sure the file '/boot/grub/menu.lst' has been updated and the boot entry is pointing to the correct files.

On the example system this would be looking like this:

title        Ubuntu 16.04.3 LTS, kernel 4.4.0-109-generic
root        (hd1)
kernel        /boot/vmlinuz-4.4.0-109-generic root=/dev/xvda2 ro console=tty1 
initrd        /boot/initrd.img-4.4.0-109-generic