Hi Chris,
On 2018-01-10 09:43, Chris Brew wrote:
> However, what I’m now more concerned about is the WLCG yesterday and
> the microcode checker availability script linked. According to the
> mail and the script, updated microcode is only available for our
> latest generation of CPUs and everything we bought before our 2016
> purchase is still vulnerable to CVE-2017-5715 until the software fix
> is available (in a few weeks).
There may be new microcode for older systems in the pipeline.
> Until the “retpolines” fix is available, it looks like we need to put
> about 80% of our cluster offline, is that what other sites are doing?
It's useless to have a secure system that is turned off - one may as well
have no system. It might be slightly useful to have an insecure system
that is turned on?
So I'm leaving it on until either a) we get new microcode for the older
systems or b) my paranoia gets the better of me.
Anybody got a better idea?
Cheers,
Ste