Difference between revisions of "SVG:Advisory-SVG-CVE-2017-5753"
Edit summary: (Make Advisory WHITE and publish it)
<pre>
Title: EGI SVG 'ADVISORY' **UPDATE 2** [TLP:WHITE] 'CRITICAL' risk processor vulnerabilities - Meltdown and Spectre
Date: 2018-01-03
Updated: 2018-01-04, 2018-01-11, 2018-01-19
**UPDATED 2018-01-23**: Deadline for CVE-2017-5754 & CVE-2017-5753 mitigation

Affected software and risk
==========================
'CRITICAL' risk vulnerabilities concerning processors in common usage,
including Intel.

Package : Intel and other processors
CVE ID  : CVE-2017-5754 - Meltdown (Variant 3) - Only affects Intel chips.
        : CVE-2017-5753 - Spectre (Variant 1) - Affects a wide range of chips
        : CVE-2017-5715 - Spectre (Variant 2) - Affects a wide range of chips

Actions required/recommended
============================
This advisory is under constant revision; links to detailed public information
and patches are being published on the EGI SVG wiki at [R 1] as soon as they
are available to us. Please check frequently.

Meltdown (Variant 3) and Spectre (Variant 1): All sites MUST update their kernel
and reboot before 9am (CET) Tuesday morning next week (30th January),
2018-01-30T09:00:00+01:00.

Priority should be given to services with direct user access, such as
SSH gateways, user interfaces (UIs), VOBoxes and Worker Nodes (WNs).

Failure to update within this time frame will be followed up as per our
Critical Vulnerability Handling [R 3].

Spectre (Variant 2): Given the instabilities reported by Intel in its own
microcode [R 4] and Red Hat removing said microcode from its packages, there
is currently no known, simple, supported mitigation for this vulnerability.
Sites are encouraged to follow closely updates from their software and
hardware vendors, who might be releasing specific updates.

TLP and URL
===========
** AMBER information - Limited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI,
you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 2].

Note that this procedure has been updated and the latest version was approved
by the Operations Management Board in November 2017.

References
==========
[R 1] https://wiki.egi.eu/wiki/SVG:Meltdown_and_Spectre_Vulnerabilities
[R 2] https://documents.egi.eu/public/ShowDocument?docid=3145
[R 3] https://wiki.egi.eu/wiki/SEC03
[R 4] https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Credit
======
Raul Lopes from Brunel alerted the UK security discussion list, which included
members of the EGI SVG.

Timeline
========
Yyyy-mm-dd [EGI-SVG-2018-13959]
2018-01-03 SVG alerted to this issue by Raul Lopes
2018-01-03 Not enough information to fully assess, but potentially critical
2018-01-03 Decided to send 'Heads up' and drafted
2018-01-03 'Heads Up' sent to sites
2018-01-04 Patches available for most Linux systems
2018-01-04 Advisory sent to sites
2018-01-09 Advisory updated - to temporarily remove deadline
           and link to wiki for more information
2018-01-23 Advisory updated - to distinguish between Meltdown, Spectre (1),
           Spectre (2) and specify action in each case

Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose:
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 5],
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group;
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending
on how the software is used.

Others may re-use this information provided they:
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
</pre>
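As an added example (not part of the EGI SVG advisory or its wiki), the following POSIX shell check is one a site administrator can run after the kernel update and reboot the advisory requires, to confirm that the running kernel reports a mitigation for each of the three CVEs. It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and the distribution backports shipped for this issue); the directory argument, the `classify_status` and `needs_reboot` helpers, and the sample version strings are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the EGI SVG advisory: verify on a Linux host
# that the *running* kernel reports mitigations for Meltdown (CVE-2017-5754),
# Spectre v1 (CVE-2017-5753) and Spectre v2 (CVE-2017-5715) via sysfs.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/*;
# kernels that predate this interface are treated as unpatched.

# classify_status STRING: map one sysfs vulnerability string to "ok" or "bad".
# "Not affected" and anything starting with "Mitigation:" count as ok;
# "Vulnerable", "Vulnerable: ..." (partial mitigations) and unknown text are bad.
classify_status() {
    case "$1" in
        "Not affected"|Mitigation:*) echo ok ;;
        *) echo bad ;;
    esac
}

# check_cpu_vulns [DIR]: read meltdown, spectre_v1 and spectre_v2 from DIR
# (default: the live sysfs directory). Prints one line per CVE and returns 0
# only when every file is present and classified ok, 1 otherwise.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        f="$dir/$v"
        if [ ! -r "$f" ]; then
            printf '%-10s MISSING (kernel predates sysfs reporting: treat as unpatched)\n' "$v"
            rc=1
            continue
        fi
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-10s %-4s %s\n' "$v" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# needs_reboot RUNNING NEWEST: returns 0 (true) when the running kernel
# release differs from the newest installed one, i.e. the update has been
# installed but the reboot step the advisory requires is still pending.
# RUNNING is normally `uname -r`; NEWEST comes from the package manager
# (for example `rpm -q --last kernel | head -1` on RPM-based systems).
needs_reboot() {
    [ "$1" != "$2" ]
}

# Stand-alone use on a real host: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    if check_cpu_vulns; then
        echo "running kernel reports mitigations for all three CVEs"
    else
        echo "running kernel is NOT fully mitigated; update/reboot required"
    fi
fi
```

Note that a "Mitigation: ..." line for spectre_v2 reflects only what the kernel itself applied (for example a retpoline build); it does not confirm the vendor microcode state that the advisory says is still unresolved, so the Spectre v2 line should be read alongside the hardware vendor's guidance rather than as a final verdict.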
Revision as of 09:11, 2 February 2018