Support

Taking action to secure our IBM Cloud Container Service against recent Spectre and Meltdown security vulnerabilities

Share this post:

What’s happening

We’re taking action to secure our IBM Cloud Container Service against the recent Spectre and Meltdown security vulnerabilities.
We’ve been working closely with our vendors and IBM Cloud Infrastructure teams concerning the security vulnerability announced on January 3, 2018. This vulnerability has the potential to allow those with malicious intent to gather sensitive data from computing devices. Intel believes these exploits do not have the potential to corrupt, modify, or delete data.

 

What’s been done

The hypervisors have already been patched (see IBM Cloud Infrastructure Blog). Now, the kernel for all VMs that run Kubernetes worker nodes must be updated.

We have updated the cloud image that is used to create IBM Cloud Container Service standard clusters. The update includes the vulnerability mitigation updates as recommended by Ubuntu (see Ubuntu Spectre and Meltdown).

 

How do I mitigate the issue

As a consumer of the service, you should take action to mitigate the issue in your worker nodes. You can choose between the following options:
  • Reload: Reload the configuration files of your Kubernetes cluster worker nodes. To reload, run bx cs worker-reload <my_cluster> <worker_node1> <worker_node2>.
  • Update: Update the version of your Kubernetes cluster worker nodes. This might require that you update your deployment YAML files. See the release notes for more details. To update, run bx cs worker-update <my_cluster> <worker_node1> <worker_node2>.
 When you reload or update your worker nodes, they reboot and install the new image. After the worker nodes reload or update, verify that your Kubernetes pods are recreated on the worker nodes.
 

Lite clusters will be patched beginning Monday 15th January by the IBM Cloud Container Service SRE automation.

 

How to check my version

You can check the version of your workers using the “bx cs workers <my_clusterid>”

Your cluster should be on of the following versions:

  • 1.5.6_1506
  • 1.7.4_1506
  • 1.8.6_1504

Example output:

Questions or comments

Please join us on our public Slack channel at https://ibm-container-service.slack.com or raise a support ticket if you have any issues.

STSM Site Reliability Engineering, IBM Cloud

Add Comment
No Comments

Leave a Reply

Your email address will not be published.Required fields are marked *

More Support stories

IBM Cloud Support Announces Phone and Chat Options for all Premium Support Clients

IBM Cloud now offers phone and chat support 24X7 for our premium support clients who are using our Platform As A Service. Have a need to escalate a ticket when your Client Success Manger is not available? Want to talk or chat with a person about a ticket? Need to change the severity of a ticket? Want someone to join a bridge or conference call? Can’t create a ticket with the proper severity?

Continue reading

We’re taking action to secure our cloud against recent security vulnerabilities

We've been working closely with Intel to mitigate the security vulnerability announced on January 3, 2018. Here's how it affects customers.

Continue reading

@IBMcloudant: We’re Moving to @IBMcloud

IBM Cloudant, a fully managed JSON document store, is a key component in many applications built on the IBM Cloud. In an effort to reflect the consolidated offering and Cloudant's place in the IBM Cloud ecosystem, the @IBMcloudant Twitter handle will become inactive on January 8, 2017, as we bring our IBM Cloudant- focused messaging to the IBM Cloud social channels.

Continue reading