Missing Linux Kernel Mitigations

Asked by Riki

We need assistance in resolving OpenVAS security scan findings related to Spectre/Meltdown vulnerabilities across both Ubuntu 16.04LTS/20.04LTS platforms on AWS. Both the systems were updated with the latest supported Kernel versions (4.4.0.1111-aws & 5.4.0-1021-aws), relevant Intel Microcode updates (3.20200609.0ubuntu0.20.04.2) and suggested mitigations on the Ubuntu Site. Please reference the findings below and suggest any mitigations that we may need to take to address them.

The Linux Kernel on the remote host is missing one or more mitigation(s) for hardware vulnerabilities as reported by the sysfs interface:

sysfs file (Related CVE(s)) | Kernel status
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/sys/devices/system/cpu/vulnerabilities/itlb_multihit (CVE-2018-12207) | KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091) | Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass (CVE-2018-3639) | Vulnerable

Notes on specific Kernel status output:
- sysfs file missing: The sysfs interface is available but the sysfs file for this specific vulnerability is missing. This means the kernel doesn't know this vulnerability yet and is not providing any mitigation which means the target system is vulnerable.
- Strings including "Mitigation:", "Not affected" or "Vulnerable" are reported directly by the Linux Kernel.
- All other strings are responses to various SSH commands.
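
The sysfs check behind this finding can be reproduced on the host itself. The script below is an added example, not part of the original question or of OpenVAS; the function names and the `VULN_DIR` variable are this example's own assumptions, and the three file names are the ones listed in the finding.

```shell
#!/bin/sh
# Added example: classify the kernel-reported hardware-vulnerability status.
# VULN_DIR and both function names are this example's own; the directory is
# the sysfs path shown in the scan output.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> vulnerable | not_affected | mitigated | unknown
# "Vulnerable" is matched anywhere so that "KVM: Vulnerable" is caught.
# The match is case-sensitive: an "SMT vulnerable" suffix on a
# "Mitigation:" line does not change the result.
classify_status() {
    case "$1" in
        *Vulnerable*)    echo vulnerable ;;
        "Not affected"*) echo not_affected ;;
        *Mitigation:*)   echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# report_vulns DIR NAME...
# Prints "name<TAB>class<TAB>raw status" for each expected sysfs file.
# Returns 1 if any entry is vulnerable, unknown, or has no sysfs file
# (a kernel that does not know the issue provides no mitigation for it).
report_vulns() {
    local dir="$1" rc=0 name status class
    shift
    for name in "$@"; do
        if [ -r "$dir/$name" ]; then
            status="$(cat "$dir/$name")"
            class="$(classify_status "$status")"
        else
            status="sysfs file missing"
            class="missing"
        fi
        [ "$class" = mitigated ] || [ "$class" = not_affected ] || rc=1
        printf '%s\t%s\t%s\n' "$name" "$class" "$status"
    done
    return "$rc"
}

# Check the three files named in the scan finding on the local host.
report_vulns "$VULN_DIR" itlb_multihit mds spec_store_bypass \
    || echo "one or more mitigations missing or not reported"
```

Running it before and after a kernel or microcode update shows whether the kernel's own status strings changed, independent of the scanner.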

Question information

Language: English
Status: Open
For: Ubuntu
Assignee: No assignee
Manfred Hampl (m-hampl) said :
#1
Riki (riki8760) said :
#2

We are aware of that, which is why the vulnerability report was baffling to us.
