Will Ubuntu get patched against Meltdown and Spectre? [duplicate]

It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue, updates to the Ubuntu kernel and processor microcode are needed. Updates are announced in Ubuntu Security Notices. Meltdown/Spectre related updates have now been announced, covering updates to the kernel and to some userspace software.

The following updates have been released:

  • Ubuntu kernel updates are available in USN-3522-1 (for Ubuntu 16.04 LTS), USN-3523-1 (for Ubuntu 17.10), USN-3522-2 (for Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (for Ubuntu 14.04 LTS).
  • Further kernel updates (which include mitigations for both Spectre variants and additional mitigations for Meltdown) were made available on January 22 2018 in USN-3541-2 (for Ubuntu 16.04 LTS (HWE)), USN-3540-1 (for Ubuntu 16.04 LTS), USN-3541-1 (for Ubuntu 17.10), USN-3540-2 (for Ubuntu 14.04 LTS (HWE)), USN-3542-1 (for Ubuntu 14.04 LTS), USN-3542-2 (for Ubuntu 12.04 LTS (HWE)).
  • USN-3516-1 provides Firefox updates.
  • USN-3521-1 provides NVIDIA driver updates.
  • USN-3531-1 provides Intel microcode updates. Due to regressions, the microcode updates have been reverted for now (USN-3531-2).

Users should immediately install the updates as they are released in the normal way. A reboot is required for the kernel and microcode updates to take effect.

Users can verify the kernel page table isolation patches are active after the reboot.

Updates for Ubuntu 17.04 (Zesty Zapus) will not be provided as it reached end-of-life on January 13 2018.

In advance of security updates being released, Dustin Kirkland had provided some more details of what updates to expect in a blog post, including mention of kernel updates as well as CPU microcode, gcc and qemu updates.

Kiko Reis from Canonical wrote an accessible description of the impact of these vulnerabilities and their mitigations for Ubuntu users on 24 January 2018.

The Ubuntu Security Team is maintaining their current status on these issues and an official technical FAQ that goes into detail about the specific individual vulnerability variants and their mitigations under different use cases.

Note that Linux mainline and stable release updates from v4.15 (28th January 2018) and onwards include the appropriate fixes and Ubuntu kernels are based on those. As such, any versions of Ubuntu using Linux Kernel versions 4.15.0 and up are patched (including 18.04 and 18.10).
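One way to do the post-reboot verification mentioned above, as an added example that is not part of either answer: it reads the per-variant status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and Ubuntu's backported kernels) and looks for the `pti` flag in /proc/cpuinfo. The path arguments and the sample values are assumptions added so the logic can be run against constructed files offline.

```shell
#!/bin/sh
# Added example (not from the answers above): report the kernel's own
# Meltdown/Spectre mitigation status after the reboot.
# Linux 4.15+ and the backported Ubuntu kernels expose one file per
# variant under /sys/devices/system/cpu/vulnerabilities, and add a "pti"
# flag to /proc/cpuinfo while page table isolation is active.
# The path arguments are an assumption added so the same logic can run
# against constructed sample files offline.

# Print "<variant>: <status>" for each file; return 0 only when every
# variant reports "Mitigation: ..." or "Not affected", 1 if any is
# still reported as vulnerable, 2 if the interface is missing.
report_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "$dir not found: this kernel predates the sysfs interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        status=$(cat "$f")
        echo "$(basename "$f"): $status"
        case $status in
            Mitigation:*|"Not affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# KPTI check: succeed when "pti" appears as a whole word in the flags line.
kpti_active() {
    grep -qw pti "${1:-/proc/cpuinfo}"
}

# Constructed sample (not real machine output): Meltdown and Spectre v1
# mitigated, Spectre v2 still reported as vulnerable.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Usage on a live system: report_mitigations; kpti_active && echo "KPTI: active"
```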


There are specific things to keep in mind here, and this is picked up from some of the analysis and security mailing lists I'm on that go beyond just Ubuntu:

  1. The Meltdown attack is able to be patched at a kernel level. This will help to protect against the Meltdown set of vulnerabilities.

  2. The Spectre attack vector is much harder to protect against, but is also much harder for the bad guys to exploit. While there are software patches for known attack vectors, such as an LLVM attack vector which can be patched, the core problem is that to really fix Spectre you have to alter how CPU hardware works and behaves. This makes it much MUCH harder to protect against, because only known attack vectors can really be patched. Every piece of software needs individual hardening for this issue, though, which means that it's one of those "one patch does not fix all" kind of deals.

Now, for the big questions:

  • Will Ubuntu be patching for the Meltdown and Spectre Vulnerabilities?
    • The answer is yes, but it's tricky to do: the patches trickle into the kernel, but the Kernel and Security teams do testing as they go and are likely to see unexpected regressions along the way that they'll have to patch to fix unexpected issues. The Security and Kernel teams are working on this, though.
  • When will fixes be available?

    • I'll give you the same answer I got from the Kernel team: "When we're confident the patches work and that we don't break anything else majorly along the way."

      Now, a big thing to consider: there was a targeted date for a public disclosure of January 9th, which was supposed to coincide with a release of fixes. However, disclosure happened on the 3rd of January instead. The Kernel team and Security Team are still targeting the January 9th date; however, this is not a firm deadline, and there could be delays if anything major in the kernels breaks in the process.

  • Is there someplace I should be looking for more updates on Meltdown and Spectre?

    • Yes, actually. The Ubuntu Security team has a knowledge base article on Spectre and Meltdown, and that is where you'll notice some status reports about the timeline for fixes being released and whatnot.

      You should also watch the Ubuntu Security Team's Security Notifications site, and keep an eye out for the announcement of fixes being made available to the kernels.


Other relevant links you should keep an eye on:

  • Meltdown and Spectre - Information Site
  • Ubuntu Security Team Knowledge Base - Spectre and Meltdown
  • Ubuntu CVE Tracker - Meltdown - CVE-2017-5754
  • Ubuntu CVE Tracker - Spectre - 1 of 2 - CVE-2017-5715
  • Ubuntu CVE Tracker - Spectre - 2 of 2 - CVE-2017-5753