Pivotal Knowledge Base

Follow

Mitigation for Spectre and Meltdown in Pivotal Cloud Foundry (for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754)

Environment

Pivotal Cloud Foundry (PCF) 1.8, 1.9, 1.10, 1.11, 1.12, 2.0*

*Older versions may be affected, but Pivotal is not patching releases prior to 1.8 as they are End of Life.

Symptom

This article provides instructions for mitigating issues identified in CVE-2017-5754, CVE-2017-5715, and CVE-2017-5753 that are also known as Meltdown and Spectre.

Performance Impacts for Cloud Foundry Apps and Services are included in this article.

From https://meltdownattack.com:

"Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages, and even business-critical documents."

Because Meltdown and Spectre affect the hardware which is running on your infrastructure, anything running on the top of that hardware, including Pivotal Cloud Foundry can be affected by these vulnerabilities.

While there are currently no known attacks using Meltdown or Spectre to target Pivotal Cloud Foundry it is theoretically possible for an attacker to use Meltdown and Spectre, possibly in conjunction with other attack vectors, to gain access to unauthorized information from applications running on PCF, gain elevated privileges and possibly elevated access to the platform itself.

When someone takes an advantage of Meltdown or Spectre, the attacker needs to be able to execute code on the target machine. Given that the purpose of Pivotal Cloud Foundry is to run user's applications, this provides an obvious way for an attacker to execute code on your platform. In short, if someone has the ability to `cf push` an application to the platform, they theoretically have enough access to attempt an attack using Meltdown or Spectre.

There are likely other, less direct channels of attack which you may want to consider as well. For example, if an attacker is able to remotely execute code through an application running on PCF, perhaps through some other exploit, this could provide all the access the attacker needs to take advantage of Meltdown or Spectre to further escalate access to your environment.

Fixes for these issues are being developed by the OS Vendors with which Pivotal partners, Microsoft and Canonical. We expect additional patches from the OS Vendors to address Spectre and we will provide them to our customers as they are made available by the OS Vendors.

Pivotal recommends that all customers apply the resolution detailed in this knowledge base article to protect their platforms against Meltdown and Spectre.

For additional information regarding the above CVEs, see Pivotal security bulletin for Meltdown and Spectre Attacks.

Resolution

Mitigtation for Meltdown and Spectre vulnerabilities in Pivotal Cloud Foundry requires two major operations :

a) Updating stemcells 

b) Upgrading Ops Manager

 

a) Updating stemcells for all Tiles

Step 1: From the Ops Manager UI,  upgrade to the latest maintenance releases for all installed PCF Tiles.

Step 2: Upgrade to corresponding updated stemcell versions. Please review the “Notes” section below for additional guidance.

For Linux, the following stemcell versions are available on Pivotal Network for mitigating Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753. CVE-2017-5715) vulnerabilities:

3468.21/3445.24/3421.38/3363.48/3312.51

Refer to the table below for the latest minor releases for tiles released by Pivotal that support the above stemcells.

 Product Tile Version Stemcell    Product Tile Version Stemcell
 Pivotal Application   Service 2.0.1 3468.21    Redis 1.10.1 3445.24
  1.12.10 3445.24     1.9.5 3445.24
  1.11.22 3445.24     1.8.7 3445.24
  1.10.37 3445.24     1.7.8 3445.24
  1.9.47 3445.24        
  1.8.63 3445.24    Pivotal AppDynamics APM 1.4.2  3363.48
 Spring Cloud Services 1.5.0 3445.24     1.3.8 3363.48
  1.4.7 3445.24     1.2.11 3363.48
  1.2.22 3445.24     1.1.7 3363.48
  1.1.26 3445.24        
  1.0.37 3445.24        
 RabbitMQ 1.11.3 3445.24    Azure Service Broker 1.5.2 3445.24
  1.10.9 3445.24     1.4.0 3421.38
  1.9.13 3421.38     1.3.0 3421.38
  1.8.27 3421.38     1.2.3 3363.48
  1.7.36 3363.48    Amazon Web Services 1.4.5 3445.24
 MySQL v2 2.1.1 3445.24     1.3.0 3312.51
  2.0.7 3445.24     1.2.0 3312.51
 MySQL v1 1.10.8 3445.24     1.1.0 3312.51
  1.9.15 3421.38    Google Cloud Platform Service Broker 3.6.0 3468.17
  1.8.11 3312.51     3.5.2 3445.24
  1.7.32 3312.51        
 Single Sign-On 1.5.3 3445.24    Isolation Segment 2.0.1 3468.17
  1.4.6 3445.24     1.12.10 3445.24
  1.3.6 3445.24     1.11.20 3445.24
  1.2.4 3363.48    Pivotal Metrics 1.9.5 3445.24
  1.1.4 3363.48     1.8.24 3363.48
  1.0.26 3312.50    Push Notifications 1.9.3 3363.48

Windows

For Windows, Windows 2012R2 light stemcell version 1200.13 is available for Google Cloud Platform (GCP), Amazon Web Services (AWS) and Azure are available on Pivotal Network. This stemcell update mitigates Meltdown (CVE-2017-5754) and Spectre variant 1 (CVE-2017-5753) and Spectre variant 2 (CVE-2017-5715) vulnerabilities as per Microsoft's guidance here. Please note that while the stemcell contains the OS patch for CVE-2017-5715, there isn’t a hardware patch available to protect against the vulnerability.

vSphere

For vSphere, follow updated instructions for creating Windows Stemcell that has the security fixes for Meltdown and Spectre.

Notes:

  • As is indicated in step #1, it’s critical that you are on the latest maintenance release version for every installed tile. This will ensure that your tiles support the feature known as “floating stemcells”. This is required so that the patched stemcell provided in step #2 above is picked up and deployed by all of the tiles. If a tile does not support “floating stemcells”, like older versions of many tiles, the RabbitMQ tile (see next bullets) and Ops Manager itself (see next bullets), then the patched stemcell will not be deployed for that tile. For example, if you are running the MySQL tile version 1.7.23, you would need to upgrade to version 1.7.32 as this version supports floating stemcells. Similarly, Spring Cloud Services version 1.2.7 would need to be upgraded to version 1.2.21 as this version has support for floating stemcells.
  • No versions of the RabbitMQ tile for PCF utilize the floating stemcell feature. Operators will need to upgrade to the fixed version of the tile as well as an upgrade to the corresponding stemcell required by that version of the tile. These versions are 1.7.36, 1.8.27, 1.9.13, 1.10.9 and 1.11.3.

 

b) Upgrading Ops Manager

The following versions for Ops Manager are available on Pivotal Network for mitigating Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753. CVE-2017-5715) vulnerabilities:

ops man stemcell
2.0.5 3468.21
1.12.12 3445.24
1.11.21 3421.38
1.10.24 3363.48
1.9.27 3363.48

 

Step 1: Download the corresponding ops manager file from Pivotal Network

Step 2: Follow Ops Manager upgrade procedure as per the procedure for your particular version of Pivotal Cloud Foundry. For eg, for PCF 2.0, follow the link here : https://docs.pivotal.io/pivotalcf/2-0/customizing/upgrading-pcf.html

Note : If you are on PCF 1.8, 1.9 and 1.10 please contact Pivotal Support for downloading the latest Ops Manager images.

 

Impact

IMPORTANT: Based on Pivotal Engineering’s initial findings from the performance testing on various infrastructures, there will be a performance impact. 

Please refer to the following KB article for our guidance on the performance impact :

Performance Impact of Cloud Foundry Apps and Services because of Spectre and Meltdown

Note that the above KB will be continually updated as additional information is available with the peformance test results.

References

Stemcell Release Notes :
https://docs.pivotal.io/pivotalcf/2-0/stemcells/

Cloud Foundry Security Advisory:
https://www.cloudfoundry.org/blog/meltdown-spectre-attacks/

Ubuntu Security Advisory:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Meltdown (CVE-2017-5754) :
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html
https://usn.ubuntu.com/usn/usn-3523-2/
https://usn.ubuntu.com/usn/usn-3522-2/

Spectre Variant 1 (CVE-2017-5753) :
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html

Spectre Variant 2 (CVE-2017-5715) :
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
https://usn.ubuntu.com/usn/usn-3531-1/

Comments

Powered by Zendesk