Your submission was sent successfully! Close

Jump to main content
  1. Blog
  2. Article

Dustin Kirkland
on 4 January 2018


 

 

Unfortunately, you’ve probably already read about one of the most widespread security issues in modern computing history — colloquially known as “Meltdown” (CVE-2017-5754) and “Spectre” (CVE-2017-5753 and CVE-2017-5715) — affecting practically every computer built in the last 10 years, running any operating system.  That includes Ubuntu.

I say “unfortunately”, in part because there was a coordinated release date of January 9, 2018, agreed upon by essentially every operating system, hardware, and cloud vendor in the world.  By design, operating system updates would be available at the same time as the public disclosure of the security vulnerability.  While it happens rarely, this an industry standard best practice, which has broken down in this case.

At its heart, this vulnerability is a CPU hardware architecture design issue.  But there are billions of affected hardware devices, and replacing CPUs is simply unreasonable.  As a result, operating system kernels — Windows, MacOS, Linux, and many others — are being patched to mitigate the critical security vulnerability.

Canonical engineers have been working on this since we were made aware under the embargoed disclosure (November 2017) and have worked through the Christmas and New Years holidays, testing and integrating an incredibly complex patch set into a broad set of Ubuntu kernels and CPU architectures.

Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible.  Updates will be available for:

  • Ubuntu 17.10 (Artful) — Linux 4.13 HWE
  • Ubuntu 16.04 LTS (Xenial) — Linux 4.4 (and 4.4 HWE)
  • Ubuntu 14.04 LTS (Trusty) — Linux 3.13
  • Ubuntu 12.04 ESM** (Precise) — Linux 3.2
    • Note that an Ubuntu Advantage license is required for the 12.04 ESM kernel update, as Ubuntu 12.04 LTS is past its end-of-life

Ubuntu 18.04 LTS (Bionic) will release in April of 2018, and will ship a 4.15 kernel, which includes the KPTI patchset as integrated upstream.

Ubuntu optimized kernels for the Amazon, Google, and Microsoft public clouds are also covered by these updates, as well as the rest of Canonical’s Certified Public Clouds including Oracle, OVH, Rackspace, IBM Cloud, Joyent, and Dimension Data.

These kernel fixes will not be Livepatch-able.  The source code changes required to address this problem is comprised of hundreds of independent patches, touching hundreds of files and thousands of lines of code.  The sheer complexity of this patchset is not compatible with the Linux kernel Livepatch mechanism.  An update and a reboot will be required to active this update.

Furthermore, you can expect Ubuntu security updates for a number of other related packages, including CPU microcode, GCC and QEMU in the coming days.

We don’t have a performance analysis to share at this time, but please do stay tuned here as we’ll followup with that as soon as possible.

Thanks,
@DustinKirkland
VP of Product
Canonical / Ubuntu

Related posts


hzmoyan
14 September 2023

Ubuntu AI Podcast: Episode 4

AI Article

The podcast Welcome to Ubuntu AI podcast! From fun experiments to enterprise projects, AI became the center of attention when it comes to innovation, digital transformation and optimisatation. Open source technologies democratised access to state of the art machine learning tools and opened doors for everyone ready to embark on their AI j ...


ijlal-loutfi
7 September 2023

TPM-backed Full Disk Encryption is coming to Ubuntu

Confidential computing Article

Discover Ubuntu’s latest security enhancement: TPM-backed Full Disk Encryption (FDE). This experimental feature in Ubuntu 23.10 offers improved data protection without the need for passphrases ...


Canonical
5 September 2023

도커(Doker) 컨테이너 보안: 우분투 프로(Ubuntu Pro)로 FIPS 지원 컨테이너 이해하기

FIPS Security

오늘날 급변하는 디지털 환경에서 강력한 도커 컨테이너 보안 조치의 중요성은 아무리 강조해도 지나치지 않습니다. 컨테이너화된 계층도 규정 준수 표준의 적용을 받기 때문에 보안 문제 및 규정 준수 요구 사항이 발생합니다. 도커 컨테이너 보안 조치는 경량의 어플라이언스 유형 컨테이너(각 캡슐화 코드 및 해당 종속성)를 위협 및 취약성으로부터 보호하는 것을 수반합니다. 민감한 개인 데이터를 처리하는 데 의존하는 ...