The security-oriented Container Linux by CoreOS GNU/Linux distribution has been updated this week with all the necessary patches to mitigate the latest Intel CPU microarchitecture vulnerabilities.
CoreOS Container Linux 2247.7.0 is here as the latest stable version of the security-oriented, minimal operating system for running containerized workloads securely and at scale. CoreOS itself was acquired by Red Hat last year, and Container Linux will soon be succeeded by Fedora CoreOS. This release includes fixes for the CVE-2019-11135 and CVE-2018-12207 security vulnerabilities affecting Intel CPUs.
According to the release notes, CoreOS Container Linux 2247.7.0 fixes an Intel CPU flaw that discloses memory to a user process, but complete mitigation requires manually disabling TSX or SMT on affected processors. It also fixes an Intel CPU denial-of-service flaw triggered by a malicious guest VM, and a CFS scheduler bug that throttled highly-threaded I/O-bound applications.
Updated components
Powered by the long-term supported Linux 4.19.84 kernel, the CoreOS Container Linux 2247.7.0 release ships with intel-microcode firmware updated to version 20191115, which is needed to fully mitigate the aforementioned vulnerabilities. Other updated components include Docker 18.06.3, Ignition 0.33.0, systemd 241, etcd 3.3.15, and rkt 1.30.0.
For more information on how to manually disable , check out this article. Meanwhile, if you’re running CoreOS Container Linux, we recommend updating to version 2247.7.0 as soon as possible to protect your systems against the latest Intel CPU security flaws. For new deployments, you can download the CoreOS Container Linux 2247.7.0 installation image right now from our free software portal.
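The release notes say the fix is only complete once TSX or SMT is disabled, so an operator needs a way to verify the host's actual state after updating. The following script is an added example, not code from the article or from the CoreOS project: it reads the kernel's sysfs vulnerability files for the two issues named above (tsx_async_abort for CVE-2019-11135, itlb_multihit for CVE-2018-12207; these files are provided by the 4.19.84 kernel) and classifies each status line as fully mitigated, partially mitigated, or vulnerable.

```shell
#!/bin/sh
# Added example (not from the article or CoreOS). Assumes a Linux kernel that
# exposes /sys/devices/system/cpu/vulnerabilities/{tsx_async_abort,itlb_multihit}.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS -> prints ok | partial | vulnerable | unknown
# STATUS is the one-line content of a vulnerabilities/* file. "partial" means
# the kernel mitigation is active but SMT is still on, i.e. the "disable TSX or
# SMT" step from the release notes has not been done yet.
classify_status() {
  case "$1" in
    "Not affected") echo ok ;;
    *"SMT vulnerable"*|*"SMT Host state unknown"*) echo partial ;;
    *[Vv]ulnerable*) echo vulnerable ;;
    Mitigation:*|"KVM: Mitigation:"*) echo ok ;;
    *) echo unknown ;;
  esac
}

# report_host -> prints one line per issue plus the loaded microcode revision;
# returns 0 only when both issues are fully mitigated on this host.
report_host() {
  rc=0
  for name in tsx_async_abort itlb_multihit; do
    status=$(cat "$VULN_DIR/$name" 2>/dev/null || echo "missing")
    verdict=$(classify_status "$status")
    printf '%-16s %-10s %s\n' "$name" "$verdict" "$status"
    [ "$verdict" = ok ] || rc=1
  done
  mc=$(cat /sys/devices/system/cpu/cpu0/microcode/version 2>/dev/null || echo unknown)
  printf 'microcode revision: %s\n' "$mc"
  return "$rc"
}

# Only probe the live host when the sysfs directory is present.
if [ -d "$VULN_DIR" ]; then
  report_host || echo "Mitigation incomplete: boot with tsx=off or nosmt, then re-check."
fi
```

A "partial" verdict on tsx_async_abort is the case the article warns about: the microcode and kernel fix are in place, but the host still needs TSX or SMT turned off.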
Container Linux by CoreOS is an open-source, lightweight and free Linux-based operating system designed to provide an infrastructure for clustered deployments. It is developed by CoreOS with a focus on security, automation, scalability, reliability, and ease of application deployment, and will be maintained until Red Hat’s Fedora CoreOS becomes stable and ready for production.
https://news.softpedia.com/news/security-oriented-container-linux-gets-patched-against-latest-intel-cpu-flaws-528253.shtml