一场史无前例的Intel CPU Vulnerability Alert（英特尔CPU漏洞警报）

大鸟不久前看到Intel CPU的漏洞，真是恐怖啊，谷歌团队确实厉害，你看这么恐怕的漏洞都被找到了！

Google旗下的Project Zero团队发现了英特尔CPU存在两大严重漏洞：Spectre（幽灵）和Meltdown（熔断）。漏洞是因为先天性的架构设计缺陷所导致，可以让非特权用户访问系统内存从而读取敏感信息。换句话说，黑客可以通过这两个漏洞窃取计算机内的全部内存内容。

紧接着业界人士发现，受影响的不仅仅是英特尔，还有AMD和ARM。由于这三者在处理器市场上有着非常高的份额，意味着无论是Windows、Linux、Mac系统还是移动端的Android，都存在潜在的安全威胁，其中以英特尔芯片受影响最为严重。

当然大鸟说的不是这些，大鸟用的最多的是vps，大鸟已经看到，linode、vultr、阿里云已经着手开始修复了。

第一：我们看看linode的修复通知

大鸟登录到linode后台看到了，linode给出的消息。

我看看看原文和翻译：

Critical Maintenance for CPU Vulnerabilities: Meltdown & Spectre

Maintenance is required for one or more of your Linodes. Your maintenance times will be listed under the "Maintenance Status" column.

Timezone: Asia/Shanghai (My Profile).

Please see status.linode.com for additional information.

CPU漏洞的重要维护：崩溃和幽灵

一个或多个Linode需要维护。您的维护时间将在“维护状态”栏中列出。

linode给我推送了一个很重要的通知，我们去看看。

全英文的通知，大鸟贴出来

Hello,

A number of serious security vulnerabilities affecting multiple CPU architectures were recently disclosed by Google's Project Zero team as outlined in our blog post[1]. In order to address the disclosed vulnerabilities, the physical hardware on which your Linode resides will need to undergo maintenance. This is the first of several separate maintenances that will be necessary to fully mitigate these vulnerabilities. This maintenance specifically patches the Meltdown vulnerability; the Spectre vulnerability will be addressed in a future maintenance cycle. We will inform you of these maintenance cycles via additional tickets.

Scheduled maintenance windows are listed within the Linode Manager[2] in the time zone that was configured in your user's My Profile[3]. The maintenance window of new Linodes and upgraded, migrated, or resized Linodes will be reflected in the Linode Manager[2], but you may not receive maintenance ticket updates for these changes.

The following Linode(s) have now been assigned a maintenance window in which a reboot will occur. Please note that these times can change as a result of the actions mentioned above. At this time your reboot schedule in UTC is as follows:

* 2018-01-15 7:30:00 PM UTC - linode5102565

You can prepare your Linode for this maintenance by following our Reboot Survival Guide. By following this guide before your maintenance, you will be able to ensure that services running on your Linode are resumed properly. The Reboot Survival Guide is available here:

https://www.linode.com/docs/uptime/reboot-survival-guide

These updates affect the underlying infrastructure that your Linode resides on and will not affect the data stored within your Linode. To further protect your Linode, we strongly recommend that you verify it is configured to boot using our latest kernel, which includes patches to help address these vulnerabilities. If your Linode's Configuration Profile is set to utilize our latest kernel, your kernel will automatically be updated upon rebooting.

During the maintenance window, your Linode will be cleanly shut down and will be unavailable while we perform the updates. A two-hour window is allocated, however the actual downtime should be much less. After the maintenance has concluded, each Linode will be returned to its last state (running or powered off).

We regret the short notice and the downtime required for this maintenance. However, due to the severity of these vulnerabilities, we have no choice but to take swift and immediate action to ensure the safety and security of our customers. For these reasons, we must adhere to a strict timetable, and will not be able to reschedule or defer this maintenance.

If you experience any issues following the maintenance, please feel free to reach out to us and we will be happy to assist.

--Linode

翻译：

您好，

Google的Project Zero团队最近披露了一些影响多CPU架构的严重安全漏洞，如我们的博客文章[1]所述。为了解决所披露的漏洞，您的Linode所在的物理硬件将需要进行维护。这是完全缓解这些漏洞所必需的几个独立维护工作中的第一个。此维护专门修补了崩溃漏洞; 在未来的维护周期中，将会解决Specter漏洞。我们会通过额外的门票通知您这些维修周期。

计划维护窗口在用户的“我的配置文件”[3]中配置的时区中的Linode管理器[2]中列出。新Linode的维护窗口以及升级，迁移或调整大小的Linode将反映在Linode管理器[2]中，但您可能不会收到这些更改的维护工单更新。

现在已经为以下Linode分配了一个维护窗口，在该窗口中将会重新启动。请注意，由于上述行为，这些时间可能会改变。在这个时候你的UTC重启进度表如下：

* 2018-01-15 7:30:00 PM UTC - linode5102565

您可以按照我们的重新启动生存指南来准备您的Linode进行维护。在维护之前遵循本指南，您将能够确保在您的Linode上运行的服务能够正常恢复。“重新启动生存指南”位于以下位置：

https : //www.linode.com/docs/uptime/reboot-survival-guide

这些更新会影响您的Linode所驻留的基础架构，并且不会影响存储在您的Linode中的数据。为了进一步保护您的Linode，我们强烈建议您验证它是否配置为使用我们最新的内核进行引导，该内核包含可帮助解决这些漏洞的修补程序。如果你的Linode的配置文件被设置为使用我们最新的内核，你的内核将在重新启动后自动更新。

在维护期间，您的Linode将被彻底关闭，并在执行更新时不可用。分配一个两小时的窗口，但实际的停机时间应该少得多。维护结束后，每个Linode将返回到最后一个状态（运行或关闭）。

我们感到遗憾的是，这次维护所需的时间短暂和停机。但是，由于这些漏洞的严重性，我们别无选择，只能立即采取行动，确保客户的安全。由于这些原因，我们必须坚持严格的时间表，不能重新安排或延期维修。

如果您在维护之后遇到任何问题，请随时与我们联系，我们将很乐意提供帮助。

看的出来，linode还是第一时间开始了修复漏洞。我linode的技术团队点赞。

第二：我们看看vultr的通知

因为大鸟没有在vultr开机器，所以没有看到推送，只是在界面的最下面看到了一行通知！

大鸟点进去看了下，发现有一个新闻的通知

 

Intel CPU Vulnerability Alert原文：

• Jan 03, 2018

As you may already be aware, a critical security flaw affecting Intel CPUs has been gaining traction in security research circles over the past several days.

While the full details of the security issue are still restricted and there have been no official statements from Intel, our security team has been actively reviewing available information and planning for the necessary next steps. Our engineers have also been testing available kernel patches to ensure necessary upgrades proceed smoothly.

Current facts outline a vulnerability that likely affects a wide range of Intel processors. The patch to mitigate this issue will also likely require a one-time reboot of your instances. Once our team begins scheduling reboots, you will receive advance e-mail notification for any affected instances with a scheduled date and time. While reboots may cause a few minutes of downtime during the restart window, this will be a necessary step to ensure that your compute environment remains secure.

Note: This is an actively developing story and more details will become available in the coming days. Our team is actively monitoring this issue and we will update this article with any developments that directly impact your Vultr.com infrastructure.

Article Updates

- Intel has released a statement on the issue. A link can be found in the additional resources section below. Additionally, we are working closely with our Northeast Intel Representatives to gather additional information and resources directly from their Cloud Service Provider (CSP) team.

- The details of the security vulnerabilities have been disclosed early in CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754. Our engineers have already applied updates to our infrastructure to ensure the security of our platform. The original date of the coordinated disclosure was scheduled for January 9th and information from hardware manufacturers is still currently incomplete. We are continuing to closely monitor the issue and will provide additional updates as necessary.