"Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible."
Right - for desktop use though, there are Firefox and Chrome updates with mitigation. JavaScript exploits were the most dangerous desktop scenario.
For servers running Ubuntu, what is the risk, as long as my services don't run arbitrary user uploaded executables? As far as I can tell it is that a different remote code execution exploit can now read the entire memory, possibly leaking secrets. Assuming we have a kernel update in the next few days, I would need to install it immediately and rotate passwords and keys. Should I revoke TLS certs? Is that paranoid?
I think it's naive to think you're completely protected just because code isn't supposed to ever run. It seems as though the simplest and safest piece of mind is to use some extra layers of protection ala SELinux.
This won't stop the memory from being accessed, but it has a better chance of stopping things that can exploit the bug(s) in the first place.
Revoking TLS certs is probably a little bit on the side of paranoia.
I think you're on the right track -- just watch for the kernel update, and rotate passwords plus keys if it's not a hassle.
dorfsmay|8 years ago
"Ubuntu users of the 64-bit x86 architecture (aka, amd64) can expect updated kernels by the original January 9, 2018 coordinated release date, and sooner if possible."
https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-th...
tyrust|8 years ago
singlow|8 years ago
For servers running Ubuntu, what is the risk, as long as my services don't run arbitrary user uploaded executables? As far as I can tell it is that a different remote code execution exploit can now read the entire memory, possibly leaking secrets. Assuming we have a kernel update in the next few days, I would need to install it immediately and rotate passwords and keys. Should I revoke TLS certs? Is that paranoid?
chucky_z|8 years ago
This won't stop the memory from being accessed, but it has a better chance of stopping things that can exploit the bug(s) in the first place.
Revoking TLS certs is probably a little bit on the side of paranoia.
I think you're on the right track -- just watch for the kernel update, and rotate passwords plus keys if it's not a hassle.
pas|8 years ago
wazoox|8 years ago
pas|8 years ago