Update: Recent press coverage of patches that do not work has not been borne out on the Open Telekom Cloud. The microcode updates released by Intel were imported successfully on January 11 after several days of intensive testing. The updates for V3/V5 processors are running stably in the availability zones in Europe and Singapore. Ongoing tests and platform reports show no faults, and the daily system checks are normal. The Open Telekom Cloud team therefore considers the security flaws affecting these processors to be resolved on its hosts. There will be no rollback.
“We did not find the decision for or against a rollback easy,” Kurt Garloff explains. “We prefer to take the minimal risk of a host crash rather than accept the security risks to our customers created by errors in the CPU design – customer security first.”
The performance losses caused by the security update are also minor. However, the microcode updates from Intel are not yet complete: there is still no usable security update for the V4 processors. The microcode released for them was tested on the Open Telekom Cloud, caused system instability, and will therefore not be deployed. Intel evidently still has difficulty delivering microcode updates that run error-free in all scenarios; on January 22 it even recalled a number of its updates.
However, Intel has indicated that it now understands the reboot problem. In the short term, updates should become available that close the security gaps with the exception of the Spectre-2 scenarios; in the medium term, the Spectre-2 vulnerability should be eliminated as well. “As soon as the patches are available, we will start our tests.”
Open Telekom Cloud working to fix processor security flaw
The recently uncovered security flaws in nearly all modern computer processors caught the IT sector completely by surprise. Whether mobile device, desktop PC or cloud server, nearly every computer built around a standard CPU is affected. Although the media frequently call it an Intel processor problem, the other mainstream chipmakers are contending with the same underlying flaw. Manufacturers and service providers are now scrambling to fix the security issue as quickly as possible.
Of course, Deutsche Telekom is also on the case. The Bonn-based provider of IT resources on demand is known for offering companies a certified and extremely secure level of service. Soon after the chip flaw was made public on January 4, Intel provided microcode updates and the IT community came up with workarounds for hypervisors and operating system kernels. Deutsche Telekom has already started installing these in the Open Telekom Cloud so that processes, containers and virtual machines are isolated from one another again.
What exactly is the problem?
A previously unknown flaw in nearly all modern CPUs exposes computers to attack: by abusing the processor's speculative execution, a program can read memory it is not permitted to access, including privileged kernel memory. This circumvents the memory isolation the hardware is supposed to enforce, which in turn allows process, container and even virtual-machine boundaries to be defeated.
The servers used by the Open Telekom Cloud have Intel CPUs affected by the flaw, just like the servers of nearly all other cloud providers. Deutsche Telekom has therefore started installing microcode updates, as well as kernel and hypervisor workarounds, in the Open Telekom Cloud. This will restore the infrastructure's normal high level of security. The changes require the hosts to be rebooted, which will affect the virtual machines of users.
Solutions for Open Telekom Cloud users
Initial patches have already been installed in the Open Telekom Cloud; mass roll-out in the coming days is currently being planned. Installation requires the hosts to restart, which will also reboot the virtual machines of customers. Appropriate warnings will be given before this happens.
The operating system kernels controlled by users will also need the workarounds. Initial kernel updates are already available, and new images for use with the Open Telekom Cloud are currently being prepared. Alternatively, users can install the online updates from their operating system vendor and then restart their virtual machines. Until all patches are ready and installed, there are a few things users can do to minimize the risk:
- Use dedicated hosts: no other Open Telekom Cloud customer then shares the physical machine, so an attempt to exploit the hypervisor could at most leak data between virtual machines belonging to the same customer.
- Disable eBPF for unprivileged users on Linux. (This is the default in the updated images.)
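The following script is an added example, not code from the Open Telekom Cloud page or from Deutsche Telekom. It checks the two things a user can verify inside a Linux guest after applying the kernel updates described above: whether the running kernel reports the Meltdown/Spectre mitigations as active (the files under /sys/devices/system/cpu/vulnerabilities/, present on Linux 4.15 and on distribution kernels that backported them), and whether unprivileged eBPF is switched off (the sysctl kernel.unprivileged_bpf_disabled, available since Linux 4.4, which refuses the bpf() syscall for non-root users). The sample status strings in make_sample_dir are constructed to resemble kernel output so the script runs on any machine; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: audit a Linux guest for Meltdown/Spectre mitigation status
# and for the unprivileged-eBPF setting. Not part of the original page.

# Print every vulnerability entry under $1 (default: the real sysfs path).
# Return 0 if all entries are mitigated or not affected, 1 if at least one
# entry reports "Vulnerable", 2 if the kernel does not expose the files.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "$dir missing: kernel does not report mitigation status"; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        val=$(cat "$f")
        printf '%-12s %s\n' "$(basename "$f")" "$val"
        case "$val" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return "$rc"
}

# Return 0 when unprivileged eBPF is disabled. The sysctl value is taken from
# $1 so the check can be tested; without an argument the live value is read.
# Any non-zero value means non-root users cannot call bpf().
unpriv_bpf_disabled() {
    val="${1-$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo 0)}"
    [ -n "$val" ] && [ "$val" != "0" ]
}

# Build a throwaway directory imitating the sysfs layout. The strings are
# constructed samples in the style of kernel output; $1 is the spectre_v2 line.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf '%s\n' "$1" > "$d/spectre_v2"
    echo "$d"
}

# Demo against the constructed samples. On a real guest, call
# check_cpu_vulns and unpriv_bpf_disabled with no arguments instead.
patched=$(make_sample_dir 'Mitigation: Full generic retpoline')
unpatched=$(make_sample_dir 'Vulnerable: Minimal generic ASM retpoline')

echo '== guest with fully mitigated kernel =='
if check_cpu_vulns "$patched"; then echo 'OK'; fi
echo '== guest with partially mitigated kernel =='
if check_cpu_vulns "$unpatched"; then echo 'OK'; else echo 'ACTION: update the kernel and reboot the VM'; fi

if unpriv_bpf_disabled 1; then echo 'unprivileged eBPF: disabled'; fi
if unpriv_bpf_disabled 0; then :; else echo 'unprivileged eBPF: enabled, set kernel.unprivileged_bpf_disabled=1'; fi

rm -rf "$patched" "$unpatched"
```

Two caveats when reading the output on a real VM: a guest cannot load microcode itself, so the Spectre-2 line inside the guest depends on the host having the new microcode and a hypervisor that exposes the resulting CPU features to the VM, and a kernel that predates the sysfs files (exit status 2) should be treated as unpatched rather than as clean.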
All details and the current status of the situation can be found in this document that Deutsche Telekom expert Kurt Garloff is constantly updating.
At a glance: the benefits of Open Telekom Cloud
- Security: The data are hosted in highly secure Telekom computing centres in Germany.
- Scalability: Computing power and memory can be ordered and set up online and adapted flexibly at any time.
- Pricing models: We offer you flexible and fixed contractual periods as well as a combination of both models.
- No vendor lock-in: Open Telekom Cloud is based on OpenStack, a freely available open-source standard. You can change the provider at any time.
- Individual configuration: CPU, RAM, storage, network – you can put together a package that best matches your requirements.
- IaaS for all: Open Telekom Cloud is extremely flexible and therefore suitable for companies of every size.