We’ve decided to follow Red Hat and Intel’s direction and roll back the Spectre mitigations in SNG7. We’ve had confirmation from a couple of people that they are suffering from random reboots that are (probably) related to the Spectre fixes released by Intel.
Red Hat explains it here, and we agree with them. We hope that Intel will be releasing better-tested firmware soon, and when that happens, we’ll test it ourselves before pushing it out.
You need to run ‘yum update’ and reboot (or just wait, if your machine IS rebooting randomly, sigh), and make sure you’re running 3.10.0-693.17.1 or higher. As part of that upgrade, you’ll also get linux-firmware-20170606-58.gitc990aae.el7_4.noarch.rpm which actually contains the code from Intel.
Apologies to anyone who had their machine randomly reboot. Please note, this DOES make your machine vulnerable to Spectre-style (but not Meltdown-style) attacks again, which allow an unprivileged user on your system to read privileged memory on the same host. This still does protect you against cross-VM snooping.
I should make clear these bugs are only usable once someone has ALREADY hacked your machine (so no one can use these to ‘hack’ a machine that isn’t ALREADY hacked). All they do is expose ‘stuff’ that an attacker shouldn’t know, such as ssh keys, or SIP secrets.
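
One way to confirm after the reboot that the running kernel is at or above the 3.10.0-693.17.1 release named above. This is an added example, not part of the original announcement; the function names are hypothetical and the field-by-field comparison is an assumption about how to order kernel release strings.

```shell
#!/bin/sh
# Minimum kernel release named in the announcement.
MIN_KERNEL="3.10.0-693.17.1"

# Reduce a release string to its numeric fields, e.g.
# "3.10.0-693.17.1.el7.x86_64" -> "3 10 0 693 17 1"
kernel_fields() {
    printf '%s\n' "$1" | sed -e 's/\.el[0-9].*$//' -e 's/[.-]/ /g'
}

# Return 0 if release $1 >= release $2, comparing numeric fields left to right.
# Missing fields count as 0, so "3.10.0-862" still sorts above "3.10.0-693.17.1".
kernel_at_least() {
    awk -v have="$(kernel_fields "$1")" -v want="$(kernel_fields "$2")" 'BEGIN {
        n = split(have, h, " "); m = split(want, w, " ")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            a = (i <= n) ? h[i] + 0 : 0
            b = (i <= m) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Print a one-line verdict for a given release string.
kernel_status() {
    if kernel_at_least "$1" "$MIN_KERNEL"; then
        echo "ok: $1 is at or above $MIN_KERNEL"
    else
        echo "too old: $1 is below $MIN_KERNEL, run 'yum update' and reboot"
    fi
}

# Report on the kernel that is actually running (not just installed).
kernel_status "$(uname -r)"

# Show the installed firmware package, if rpm is available on this host.
if command -v rpm >/dev/null 2>&1; then
    rpm -q linux-firmware || true
fi
```

The check uses `uname -r` rather than the installed package list because a machine that has been updated but not yet rebooted is still running the old kernel.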