A very serious security problem has been found in the Intel/AMD/ARM CPUs. Spectre CPU Vulnerability CVE-2017-5753/CVE-2017-5715 breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. How do I protect my Linux server and laptop/desktop against such attack?

A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018. It was independently discovered and reported by various teams including Google Project Zero. Spectre is harder to exploit than Meltdown CPU bug, but it is also harder to mitigate.

What is the Spectre security bug in Intel/AMD/ARM cpus?

From the Google blog:
So far, there are three known variants of the issue:

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

From RHEL page:
Howto patch Spectre Vulnerability CVE-2017-5753 CVE-2017-5715 on Linux

The first two variants abuse speculative execution to perform bounds-check bypass (CVE-2017-5753), or by utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively. Collectively these are known as “Spectre”. Both variants rely upon the presence of a precisely-defined instruction sequence in the privileged code, as well as the fact that memory accesses may cause allocation into the microprocessors level 1 data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use these two flaws to read privileged memory by conducting targeted cache side-channel attacks. These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2).

A list of affected Linux distro by Spectre Vulnerabilitys

  1. Red Hat Enterprise Linux 5 (including clones such as CentOS/Oracle/Scientific Linux 5)
  2. Red Hat Enterprise Linux 6 (including clones such as CentOS/Oracle/Scientific Linux 6)
  3. Red Hat Enterprise Linux 7 (including clones such as CentOS/Oracle/Scientific Linux 7)
  4. RHEV-M 4.0
  5. RHEV-M for Servers
  6. Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
  7. Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
  8. Red Hat Enterprise MRG 2
  9. Red Hat OpenStack Platform v 8/9/10/11/12
  10. Debian Linux wheezy
  11. Debian Linux jessie
  12. Debian Linux stretch
  13. Deiban Linux buster, sid
  14. SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  15. SUSE OpenStack Cloud 6
  16. Openstack Cloud Magnum Orchestration 7
  17. SUSE Container as a Service Platform ALL
  18. SUSE Linux Enterprise High Availability 12 SP2/SP3
  19. SUSE Linux Enterprise Live Patching 12
  20. SUSE Linux Enterprise Module for Public Cloud 12
  21. SUSE Linux Enterprise Server 11 SP3-LTSS
  22. SUSE Linux Enterprise Server 11 SP4
  23. SUSE Linux Enterprise Software Development Kit 11/12 SP3/SP4
  24. SUSE Linux Enterprise for SAP 12 SP1
  25. SUSE Linux Enterprise 11
  26. SUSE Linux Enterprise 12
  27. OpenSuse Linux based upon SUSE 12/11
  28. Fedora Linux 26
  29. Fedora Linux 27
  30. Amazon Linux AMI (Bulletin ID: ALAS-2018-939)

This page documents a current security event affecting many modern microprocessor designs. Information may change rapidly as the event progresses, and more info or commands added here soon. Please note that a patch for Debian/Ubuntu/CentOS/Fedora and many distros are not released yet. No patches are available for Spectre yet. The Linux kernel team is working on Retpoline. It will be released soon. When you run ‘apt-get upgrade’ or ‘yum update’ command make sure kernel package such as linux-image (Debian/Ubunt) kernel (RHEL) are updated. You also need microcode update from CPU vendor.

While the updates AWS/Google and other cloud performs protect underlying infrastructure, in order to be fully protected against these issues, you must also patch your instance operating systems including Linux distros, MS-Windows and desktop operating system such as macOS, Windows and more.

Before updating system…

First, always keep backups. Second, note down the Linux kernel version running the following command:
$ uname -r

Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

Type the following yum command:
$ uname -r
$ sudo yum update

Sample outputs (from my RHEL 7.x box):

Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-693.11.6.el7 will be installed
---> Package kernel-tools.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-693.11.6.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.1.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
 Package             Arch     Version               Repository                      Size
 kernel              x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms    43 M
 kernel-tools        x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms   5.1 M
 kernel-tools-libs   x86_64   3.10.0-693.11.6.el7   rhui-rhel-7-server-rhui-rpms   5.1 M
Transaction Summary
Install  1 Package
Upgrade  2 Packages
Total download size: 53 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): kernel-tools-3.10.0-693.11.6.el7.x86_64.rpm                | 5.1 MB  00:00:00     
(2/3): kernel-tools-libs-3.10.0-693.11.6.el7.x86_64.rpm           | 5.1 MB  00:00:00     
(3/3): kernel-3.10.0-693.11.6.el7.x86_64.rpm                      |  43 MB  00:00:00     
Total                                                        65 MB/s |  53 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64                          1/5 
  Updating   : kernel-tools-3.10.0-693.11.6.el7.x86_64                               2/5 
  Installing : kernel-3.10.0-693.11.6.el7.x86_64                                     3/5 
  Cleanup    : kernel-tools-3.10.0-693.11.1.el7.x86_64                               4/5 
  Cleanup    : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64                          5/5 
  Verifying  : kernel-tools-libs-3.10.0-693.11.6.el7.x86_64                          1/5 
  Verifying  : kernel-tools-3.10.0-693.11.6.el7.x86_64                               2/5 
  Verifying  : kernel-3.10.0-693.11.6.el7.x86_64                                     3/5 
  Verifying  : kernel-tools-3.10.0-693.11.1.el7.x86_64                               4/5 
  Verifying  : kernel-tools-libs-3.10.0-693.11.1.el7.x86_64                          5/5 
  kernel.x86_64 0:3.10.0-693.11.6.el7                                                    
  kernel-tools.x86_64 0:3.10.0-693.11.6.el7                                              
  kernel-tools-libs.x86_64 0:3.10.0-693.11.6.el7                                         

You must reboot your Linux server using shutdown/reboot command:
$ sudo reboot
$ uname -r

Verify all 3 CVEs (you must see output:
$ rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Sample outputs:

- [x86] spec_ctrl: Eliminate redundant FEATURE Not Present messages (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] mm/kaiser: init_tss is supposed to go in the PAGE_ALIGNED per-cpu section (Andrea Arcangeli) [1519795 1519798] {CVE-2017-5715}
- [x86] entry: Fix paranoid_exit() trampoline clobber (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] entry: Simplify trampoline stack restore code (Josh Poimboeuf) [1519795 1519798] {CVE-2017-5715 CVE-2017-5754}
- [x86] cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}
- [x86] cpu/AMD: Make the LFENCE instruction serialized (Josh Poimboeuf) [1519788 1519786] {CVE-2017-5753}

Run the following dnf command if you are using a Fedora Linux:
$ sudo dnf --refresh update kernel
sudo dnf update
Reboot the Linux box:
$ sudo reboot

Fix the Spectre on a Debian/Ubuntu Linux

Use the following apt-get command/apt command:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo shutdown -r 0

Fix the Spectre on an Amazon Linux running on AWS

Just run yum command:
# yum update kernel
# reboot

Fix the Spectre on an Arch Linux

Just run pacman command:
# pacman -Syu
# reboot

Spectre & Meltdown Checker

After reboot make sure your Linux server/box patched and not vulnerable any more with spectre-meltdown-checker.sh.

How to apply microcode update supplied by Intel on Linux

See “How to install/update Intel microcode firmware on Linux” for more info.

See also

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 20 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

Comments on this entry are closed.

  • Kevin Jan 4, 2018 @ 8:34

    guys, the issue is still open for e.g. Debian. no patches available yet – so updating the system doesn’t help (yet). See: CVE-2017-5715

  • Emilio Jan 4, 2018 @ 10:33

    On Amazon Linux, you will need to reboot too.


  • Cesar Jan 4, 2018 @ 10:52

    As far as those links and documentation goes, execpt AWS,

    Red Hat/Centos and Debian/Ubuntu has no fix yet, your commands are good for when the fix come, would be worth to clarify for people who doesn’t read the references

    Kind Regards,

  • Ali Jan 4, 2018 @ 12:30

    Is there any tool/script that I can use to verify that the system is patched? I’m not sure if the kernel updates I’ve done solved it.

  • charles Jan 4, 2018 @ 12:40

    for Ubuntu I believe you also have to run

    sudo apt-get dist-upgrade

    to get updated kernel. run before rebooting

  • Michael Jan 4, 2018 @ 13:28

    I run a system which is virtually never updated, and where I have complete confidence in the updates that are in fact being applied.

    I would not like to see any sort of performance loss due to patching this problem since it is extremely unlikely to ever affect me.

    So how do I avoid or blacklist this patch so I don’t get it if i apt-get update/upgrade?

  • Slavik Jan 4, 2018 @ 15:09

    Yes, same here, Debian jessie.

    Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64 GNU/Linux
    Linux abi 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux

    NO PATCH yet available

  • Ryan Chapin Jan 4, 2018 @ 15:53

    It seems that the issue is also still open for RHEL as well, https://access.redhat.com/security/vulnerabilities/speculativeexecution and I haven’t yet seen any information about this patch being available for CentOS.

    This article will solve the problem once the updated kernels are available, but until then this post should indicate that a fix is not yet possible. Some users might just read it, update to a as-of-yet vulnerable kernel and then think they are done.

  • tux Jan 4, 2018 @ 21:06

    CentOS 6 update ist not available yet.

  • James Jan 5, 2018 @ 0:08

    On Windows the problems have been solved with the update no. KB4056892. On Linux it’s a bit confused, some are saying that haven’t received the update yet.

  • Jason Jan 5, 2018 @ 13:38

    Has someone notified the Equifax team?

  • Chris Barry Jan 5, 2018 @ 19:56

    Just to confirm, this isn’t ready to be fixed on ubuntu yet – https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

  • sunil.J Jan 8, 2018 @ 9:39

    Hello All,

    Where I need to subscribe so I will all these notifications about latest security issues about linux kernel , SSL etc.

  • Guy Jan 8, 2018 @ 20:48

    Great article,
    Debian patches are not ready yet:

    And solution may not be apt-get upgrade as the kernel won’t be upgraded unless a certain package that depends on the latest kernel is installed.

  • andrew Jan 15, 2018 @ 9:15

    for 5715, it still showing vulnerable after patching

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation
    * The SPEC_CTRL MSR is available: YES
    * The SPEC_CTRL CPUID feature bit is set: NO
    * Kernel support for IBRS: YES
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

  • kenny Feb 9, 2018 @ 14:55

    Still showing vulnerable to CVE-2017-5715 on CentOS 7.4.1708

    Yet when I check rpm -q –changelog kernel | egrep ‘CVE-2017-5715’, I find 99 lines in the logs mostly from Poimboeuf.

    So am I patched or not??


Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum