An industry-wide, hardware-based CPU security vulnerability was disclosed, called Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715).
For vulnerability details, you may refer to https://access.redhat.com/security/vulnerabilities/speculativeexecution
Q: Is my website safe?
A: It depends. It depends on the websites hosted in the same server. Any vulnerabilities found on the same server (I mean all websites on the same server, not just yours) and injected malware code. The malware code may use the CPU vulnerability (e.g. Meltdown) to read all arbitrary server memory content (no matter it is kernel or user program, or virtual machine).
- If you are using dedicated server (the physical server serves you only), it is much safer (provided your website is secure enough). Remember to update and restart.
- If you are using VM (virtual machine), VPS, shared hosting (in short, the physical server is shared with other customers by any means), please contact your providers for details/follow-up
On individual website level (like you), it’d better to run remote website backup.
You might use phpinfo() to detect the current running kernel information.
(However, if you are using virtual machine (e.g. KVM, VMWare, etc.), you cannot get the host OS version inside the VM environment)
Mitigated version of Linux Kernel:
- RHEL/CentOS 7: kernel-3.10.0-693.11.6.el7
- RHEL/CentOS 6: kernel-2.6.32-696.18.7.el6
- OpenVZ 6: Kernel RHEL6 2.6.32-042stab127.2
- Debian: https://security-tracker.debian.org/tracker/CVE-2017-5754
- Official site: https://meltdownattack.com/
- Google Cloud: https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/
- Microsoft Azure: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/