Design flaw in x86 Processors scrambles OS programmers & system admins for updates

Spectre and Meltdown are now officially "in the open" (https://meltdownattack.com/). About 9 years ago, we already saw this being abused in the wild. I wrote about the same issue when working with VMware, Docker and Xen. I reported the issue at hand and a possible way to circumvent it. They then said that it couldn't be determined what the cause was.

The proposed fix is to "separate" kernel and user-space memory. This will make context switches a lot more resource intensive when protecting your servers against this bug, which btw is mostly a processor design flaw. Back in the day, we saw a 50% performance hit for heavy context-switching loads. PostgreSQL especially got hit extensively. Now, almost 10 years later, this is still the case.

I would highly recommend upgrading your systems to ensure this cannot be abused, especially for virtual servers or Docker hosts. Yes, you will be hit by a huge performance penalty, but the security benefits outweigh it. This is probably the last of our "never solved" list.
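To confirm after an upgrade that a Linux host really has the mitigations active, the following added example (not part of the original post) reads the kernel's status files and maps them to the three CVEs listed under Vendors. It assumes a kernel new enough to expose `/sys/devices/system/cpu/vulnerabilities`; the function names and the sample directory are illustrative.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status from sysfs.

# check_cpu_vulns [DIR]
#   DIR defaults to the live sysfs path; pass another directory to test.
#   Prints one line per issue; returns 0 only if every issue is either
#   "Not affected" or has an active mitigation.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    # sysfs file name : CVE id as listed on this page
    for pair in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name="${pair%%:*}"
        cve="${pair#*:}"
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            # No status file: the kernel predates the fixes, count as failure.
            echo "UNKNOWN    $cve ($name): no status file, kernel likely unpatched"
            rc=1
            continue
        fi
        status="$(cat "$file")"
        case "$status" in
            "Not affected"*) echo "OK         $cve ($name): $status" ;;
            "Mitigation:"*)  echo "MITIGATED  $cve ($name): $status" ;;
            *)               echo "VULNERABLE $cve ($name): $status"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample (not captured from a real host): kernel page-table
# isolation is on, but Spectre v2 still lacks a mitigation.
make_sample_dir() {
    d="$(mktemp -d)"
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}
```

Calling `check_cpu_vulns` with no argument checks the live host, and the non-zero exit status makes it usable as a gate in fleet or CI checks for virtual-machine and container hosts.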

Government agencies speaking out

"We are aware of reports detailing potentially significant flaws in a wide range of computer processors, which could affect various operating systems. We strongly recommend that organisations with affected hardware test and apply patches from suppliers as soon as they are released."

"All organisations have a duty to keep personal information in their care secure and that involves having layered security defences in place, including procedures for applying patches and updates, to help to mitigate the risk of exploitation."

Nigel Houlden, ICO Head of Technology - Statement in response to reports about computer processor flaws

"In the past, the BSI has repeatedly pointed out the problem of IT security issues in hardware products, for example in our annual situation reports. The present case is further proof of how important it is to give appropriate consideration to aspects of IT security as early as product development. "Security by Design" and "Security by Default" are principles that are indispensable for the success of digitalisation."

"The BSI calls on service providers to secure their applications as quickly as possible. The BSI also recommends that companies and private users install security patches for operating systems, and especially browsers, immediately as soon as they are made available by the manufacturers. Security updates for mobile devices should also be installed immediately. In addition, apps should only be obtained from trustworthy sources. As a general rule, software and operating systems should always be kept up to date. The BSI calls on chip and hardware manufacturers to ensure that these vulnerabilities are fixed in the course of product maintenance."

Arne Schönbohm, BSI President - Sicherheitslücken in Prozessoren - BSI rät zu Updates (Security vulnerabilities in processors - BSI advises updates)

In general, all "government agencies" agree and urge everyone to update as fast as possible, regardless of the performance hit. Companies should strive for "Security by Design" and "Security by Default", which are "GDPR" keywords like "State-Of-The-Art".

Vendors

Intel Security Advisory / Newsroom
ARM Security Update
AMD Security Information
Microsoft Security Guidance / Information regarding anti-virus software / Azure Blog
Amazon Security Bulletin
Google Project Zero Blog / Need to know
Mozilla Security Blog
Red Hat Vulnerability Response
Debian Security Tracker
Ubuntu Knowledge Base
SUSE Vulnerability Response
CERT Vulnerability Note
MITRE CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
VMware Security Advisory
Citrix Security Bulletin
Links to vendor pages in regards to the issues

More details

Google's Project Zero gives the best background information and is a highly recommended read.

Author: Angelique Dawnbringer
Published: 2018-01-02 23:44:11
Keywords:
  • x86
  • intel
  • microsoft
  • linux
  • performance penalty
  • spectre
  • meltdown
  • Processor Speculative Execution
Modified: 2018-01-04 18:40:24