Earlier this month, Google Project Zero, together with several academic and industry research teams, disclosed a set of security vulnerabilities affecting most modern processors, commonly referred to as Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754). They are not bugs in any one piece of software: they abuse performance features of the CPU itself, branch prediction and speculative (out-of-order) execution, to leak memory contents through a cache timing side channel. You can read more about these hardware vulnerabilities at the Spectre Attack website.
Many operating system vendors have issued patches to mitigate these vulnerabilities and, on Linux, to report each host's mitigation status. Because the defects are in the hardware, a complete fix ultimately depends on CPU vendors such as Intel shipping corrected silicon (and, in the meantime, microcode updates); what operating system vendors can do is work around the problem in software, either by disabling or restricting certain hardware features, or by adding software mitigations such as kernel page table isolation (KPTI), which keeps kernel memory unmapped while user code runs so that Meltdown has nothing to read. Note that these mitigations are a performance cost, not an optimization: KPTI trades some system call and context switch speed for closing the Meltdown leak.
Our community and customers have already started writing InSpec rules to detect whether a host is still exposed to these vulnerabilities and Chef recipes to remediate it. Nathan Dines, Principal Consultant at Vibrato, an Australian DevOps consultancy, has published his InSpec rules to the Chef Supermarket. Says Dines, “In distributing this InSpec profile, our clients using Chef Automate have been able to identify exactly which servers in their fleets were vulnerable to the exploit, and could mitigate the issue in a timely and systematic manner. In addition to this, our clients who are not using Chef Automate were given instructions on how to execute this on an ad-hoc basis and get an understanding of the visibility which Chef Automate can provide at scale. They’re now able to target which machines require attention and deploy updates systematically.”
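As an added illustration (this is not Vibrato's published profile and not Chef's own code), here is the kind of detection logic such a rule needs, written in plain Ruby so it runs on its own. It assumes a Linux kernel that exposes the sysfs interface /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15 and distribution backports), where each file holds one status line such as "Not affected", "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <detail>". The function names and the sample status lines used below are constructed for the example.

```ruby
# Added example: classify a Linux host's Meltdown/Spectre exposure from the
# kernel's sysfs status files. Assumes Linux >= 4.15 (or a backport) that
# provides /sys/devices/system/cpu/vulnerabilities/. Not Vibrato's profile.
SYSFS_DIR = '/sys/devices/system/cpu/vulnerabilities'.freeze

# Status files for the three originally disclosed variants, as the kernel names them.
VARIANTS = {
  'spectre_v1' => 'Spectre variant 1 (bounds check bypass, CVE-2017-5753)',
  'spectre_v2' => 'Spectre variant 2 (branch target injection, CVE-2017-5715)',
  'meltdown'   => 'Meltdown (rogue data cache load, CVE-2017-5754)'
}.freeze

# Map one sysfs status line to :not_affected, :mitigated, :vulnerable or
# :unknown (file missing, e.g. a kernel too old to report at all).
def classify(status)
  return :unknown if status.nil?

  s = status.strip
  return :not_affected if s == 'Not affected'
  return :mitigated    if s.start_with?('Mitigation:')
  return :vulnerable   if s == 'Vulnerable' || s.start_with?('Vulnerable:')

  :unknown
end

# Read the status files from a directory into { name => content-or-nil }.
def read_sysfs(dir = SYSFS_DIR)
  VARIANTS.keys.each_with_object({}) do |name, acc|
    path = File.join(dir, name)
    acc[name] = File.exist?(path) ? File.read(path) : nil
  end
end

# Produce a per-variant report plus an overall verdict. A host passes only when
# every variant is "Not affected" or mitigated; a missing or unrecognised status
# fails, because "we cannot tell" is not the same as "safe".
def assess(statuses)
  report = statuses.map { |name, line| [name, classify(line)] }.to_h
  passed = report.values.all? { |v| %i[not_affected mitigated].include?(v) }
  { report: report, passed: passed }
end

if __FILE__ == $PROGRAM_NAME
  result = assess(read_sysfs)
  result[:report].each do |name, verdict|
    puts format('%-10s %-12s %s', name, verdict, VARIANTS[name])
  end
  puts(result[:passed] ? 'PASS: every variant mitigated or not affected' : 'FAIL: host needs attention')
end
```

In an InSpec profile the same decision is expressed per file with the built-in `file` resource, for example `describe file('/sys/devices/system/cpu/vulnerabilities/meltdown').content do it { should match(/^(Not affected|Mitigation:)/) } end`, with one control per variant so Chef Automate can show which specific mitigation a host is missing. The `:unknown` branch matters in practice: a host whose kernel predates the sysfs interface is the one most likely to be unpatched, so it must show up as a failure rather than silently pass.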
Meltdown and Spectre are still relatively new vulnerabilities, and Spectre in particular remains a developing story, with mitigations and microcode updates still being refined. We are proud that the power of open source allows customers to benefit from rapidly evolving knowledge about these vulnerabilities and to respond to them quickly. Thank you to Vibrato for helping to keep computer systems secure everywhere.