This 4.9 release of Cisco Metacloud contains security and security-related updates as well as an update for VPP 17.07.
CPU Side Channel Vulnerability Updates (aka Spectre)
Since the original Spectre class of vulnerabilities was disclosed, a number of related vulnerabilities have been found that are now classified as “CPU Side Channel” vulnerabilities. This release continues our previous security work by addressing the following related issues:
- Spectre Variant 1.1 (Bounds Check Bypass Store) CVE-2018-3696
- Spectre Variant 3a (Rogue System Register Read) CVE-2018-3640
- Spectre Variant 4 (Speculative Store Bypass) CVE-2018-3639
- L1 Terminal Fault (L1TF, Foreshadow) CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
- Lazy FP State Restore (LazyFP) CVE-2018-3665
The fixes for these issues require a new operating system kernel, CPU microcode, libvirt and QEMU. All Metacloud Controllers and Hypervisors will need to be rebooted after the patches are applied.
To fully secure virtual machine instances, customers must first apply the relevant patches for each instance’s operating system, and they must hard reboot all virtual machines after the upgrade to the 4.9 release. Please refer to your operating system supplier for information on which patches must be applied to address the CVEs listed above.
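The kernel, microcode, libvirt and QEMU updates described above only help if the running kernel on each hypervisor, and later on each guest, actually reports its mitigations as active. The following script is an added example, not Metacloud tooling: it reads the Linux kernel's sysfs status files under /sys/devices/system/cpu/vulnerabilities (a standard kernel interface; the files named spectre_v1, spectre_v2, spec_store_bypass, l1tf and meltdown cover Spectre v1/v2, Variant 4, L1TF and Meltdown, while Variant 1.1, 3a and LazyFP have no dedicated file) and flags any entry whose status begins with "Vulnerable". The VULN_DIR override is an assumption of this example so that the same checks can be pointed at a copied or constructed directory.

```shell
#!/bin/sh
# Added example (not part of the Metacloud release): report which CPU
# side-channel mitigations the running Linux kernel says are active.
# Run on each hypervisor after its reboot, and inside each guest after
# the guest has been patched and hard rebooted.

# Assumed default: the kernel's standard sysfs location. Override with
# VULN_DIR=/some/dir to check a copied or constructed directory instead.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<issue>: <status>" for every status file in the directory $1.
# The kernel names each file after the issue (spectre_v1, spectre_v2,
# spec_store_bypass, l1tf, meltdown, ...) and writes one of
# "Not affected", "Mitigation: <details>" or "Vulnerable[: <details>]".
report_mitigations() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no sysfs vulnerability directory at $dir (kernel too old?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Print the names of issues whose status starts with "Vulnerable".
# Returns 0 when nothing is reported vulnerable, 1 otherwise.
unmitigated() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) basename "$f"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone usage: summarise the local machine when the directory exists.
if [ -d "$VULN_DIR" ]; then
    report_mitigations "$VULN_DIR"
    if unmitigated "$VULN_DIR" >/dev/null; then
        echo "result: every reported issue is mitigated or not affected"
    else
        echo "result: UNMITIGATED issues: $(unmitigated "$VULN_DIR" | tr '\n' ' ')" >&2
    fi
fi
```

Inside a guest, run the check only after the instance has been hard rebooted (for example with `openstack server reboot --hard <server>`): a soft reboot restarts the guest OS inside the same QEMU process, so the guest keeps the virtual CPU it was started with and cannot see the features the patched hypervisor now exposes, whereas a hard reboot recreates the domain on the updated libvirt and QEMU.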
Other Notable Security Updates
- SegmentSmack CVE-2018-5390
New cloud build images
As a result of all the security updates, this release includes a new set of default images to be used as base images for customer deployments. Previous versions of Metacloud base images should now be considered insecure. The new versions of the base images can be found in your image repository (i.e. Glance) as follows:
Fix for vpp-agent restarts
Upon releasing VPP 17.07 we ran into some problems with vpp-agent when virtual machines were deleted from the network. If the virtual machine deleted happened to be the last one on the network segment it was assigned to, vpp-agent would restart itself but would hang on restart. The fix in this release addresses this issue.
Please note that this fix has also been backported to Metacloud 4.8.
- Customers running the Metacloud Storage Service (Ceph) must first upgrade to Metacloud 4.8 and the latest Metacloud Storage release before being eligible to upgrade to Metacloud 4.9.
- The Pure Storage cinder driver has not been certified for the 4.9 release.
Supported API Versions
Supported OpenStack Projects and Versions
Supported Image Types
| Image Storage Location | Local Storage | NFS-backed Storage | Ceph-backed Storage |
|---|---|---|---|
| QCOW2 (KVM, Xen) | x | x | N/A |