Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Meltdown and Spectre Vulnerabilities"

From EGIWiki
Jump to navigation Jump to search
(19 intermediate revisions by 3 users not shown)
Line 3: Line 3:
== Purpose of this page  ==
== Purpose of this page  ==


To provide useful links and other information concerning the Meltdown and Spectre vulnerabilities, which we consider relevant to the EGI infrastructure. We are continuing to add new information when we become aware of it, and the situation continues to change (19th January 2018).  
To provide more detailed information about the Meltdown and Spectre vulnerabilities, to complement the advisory, [[SVG:Advisory-SVG-CVE-2017-5753]].


== What are they?  ==
This was compiled in January and early February 2018


These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However patches are available which mitigate these problems.
Information including more recent [[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]


Meltdown affects most Intel chips, and has CVE-2017-5754
== What are they?  ==


Spectre affects a wide range of chips, CVE-2017-5753 and CVE-2017-5715.  
These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However patches are available which mitigate these problems.
* Meltdown (CVE-2017-5754) affects most Intel chips.
* Spectre (CVE-2017-5753 and CVE-2017-5715) affects a wide range of chips.


Here you will find more information  [http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/]  
For more details, see [https://meltdownattack.com/ https://meltdownattack.com/ ], [https://spectreattack.com/ https://spectreattack.com/] and [https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html]  


[https://meltdownattack.com/ https://meltdownattack.com/ ], [https://spectreattack.com/ https://spectreattack.com/] and [https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html]
== How to mitigate these vulnerabilities ==


== CERN information  ==
Each CVE can be mitigated via different ways:
* Meltdown (CVE-2017-5754) can be mitigated via [https://en.wikipedia.org/wiki/Kernel_page-table_isolation Kernel Page Table Isolation], which is enabled by default in latest linux kernels
* Spectre Variant 1 (CVE-2017-5753) has to be mitigated in each software which can be vulnerable. The latest linux kernel contains fixes to protect itself (does not protect other software).
* Spectre Variant 2 (CVE-2017-5715) can be (at least partially) mitigated via at least two different approach:
** Using new Intel-specific MSR, added via a microcode update, to control indirect branch restricted speculation (IBRS): Both a kernel and a microcode update are required. In addition, in case of virtualization, an update of the virtualization software (e.g. qemu & virt) is required to expose the new MSR to the VM.
** Using "retpoline", a new software construct that can mitigate, on most CPUs, the vulnerability


CERN has compiled information which is useful for many EGI sites
=== RedHat ===


[https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml]
As of Feb 2nd 2018, RedHat has [https://access.redhat.com/security/vulnerabilities/speculativeexecution offered new kernel updates that can mitigate Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715)].


== Intel Information  ==
However, due to instability issues, it has [https://access.redhat.com/errata/RHSA-2018:0093 removed the microcode updates required for Spectre Variant 2 (CVE-2017-5715)]. Until Intel releases stable microcode or RedHat switches to 'retpoline', no mitigation for Spectre Variant 2 (CVE-2017-5715) is safely usable.


Product patches:  
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
* On RHEL7: Updating the kernel to 3.10.0-693.11.6.el7, see [https://access.redhat.com/errata/RHSA-2018:0007 RHSA-2018:0007]
* On RHEL6: Updating the kernel to 2.6.32-696.18.7.el6, see [https://access.redhat.com/errata/RHSA-2018:0008 RHSA-2018:0008]


[https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File]
=== Centos ===


Revised recommendations from 17th January 2018:
Centos is following RedHat (see above).


[https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr]
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
* On Centos 7: Updating the kernel to 3.10.0-693.11.6.el7, see [https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html CESA-2018:0007]
* On Centos 6: Updating the kernel to 2.6.32-696.18.7.el6, see [https://lists.centos.org/pipermail/centos-announce/2018-January/022701.html CESA-2018:0008]


Update regarding progress on reboot issue for some platforms [as of January 22nd]:
=== Scientific Linux ===


[https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/ https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/]
Scientific Linux is following RedHat (see above).


== RedHat Information  ==
It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:
* On SL7: Updating the kernel to 3.10.0-693.11.6.el7, see [https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/ SLSA-2018:0007-1]
* On SL6: Updating the kernel to 2.6.32-696.18.7.el6, see [https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/ SLSA-2018:0008-1]


'''Important! [as of 17th January]'''
Additional details as well as information on other systems and platforms can be found in the next section.


RedHat has issued new microcode_ctl packages to rollback the latest updates, see [https://access.redhat.com/errata/RHSA-2018:0093 https://access.redhat.com/errata/RHSA-2018:0093].
== More Information ==


<br>
=== Relevant Advisories ===
==== CERN ====


RedHat description:  
CERN has compiled information which is useful for many EGI sites:


[https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/security/vulnerabilities/speculativeexecution]
[https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml]


[https://access.redhat.com/articles/3307751 https://access.redhat.com/articles/3307751 (subscription required)]
==== Intel ====


[https://access.redhat.com/solutions/3315431 https://access.redhat.com/solutions/3315431 (subscription required)]
Intel has initially, on January 8th, [https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File released new microcodes] to complement the IBRS kernel patchset. However, these new microcodes are in fact '''unstable''' and Intel has since then recommended to stop deploying them.


<br>
Intel latest recommendation can be found in their advisory, [https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr INTEL-SA-00088]


RedHat CVE info: [https://access.redhat.com/security/cve/CVE-2017-5754]  
More updates and information:
* [https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ Jan 3rd: Initial response]
* [https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/ Jan 4th]
* [https://newsroom.intel.com/news/intel-offers-security-issue-update/ Jan 9th: Microcode released]
* [https://newsroom.intel.com/editorials/intel-security-issue-update-initial-performance-data-results-client-systems/ Jan 10th: performance impact analysis]
* [https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/ Jan 11th: Microcode unstability reported]
* [https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/ Jan 17th]
* [https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/ Jan 22th: Instabilities causes found for 2 Intel series]


[https://access.redhat.com/security/cve/CVE-2017-5754 https://access.redhat.com/security/cve/CVE-2017-5754]
=== Linux Distributions ===
==== RedHat ====


[https://access.redhat.com/security/cve/CVE-2017-5753 https://access.redhat.com/security/cve/CVE-2017-5753]  
'''Important! [as of 17th January]'''


[https://access.redhat.com/security/cve/CVE-2017-5715 https://access.redhat.com/security/cve/CVE-2017-5715]
RedHat has issued new microcode_ctl packages to rollback the latest updates, see [https://access.redhat.com/errata/RHSA-2018:0093 RHSA-2018:0093].


<br>  
<br>  


RHEL6:  
RedHat description:  
 
* [https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/security/vulnerabilities/speculativeexecution]
kernel-2.6.32-696.18.7.el6: [https://access.redhat.com/errata/RHSA-2018:0008 https://access.redhat.com/errata/RHSA-2018:0008]  
* [https://access.redhat.com/articles/3307751 https://access.redhat.com/articles/3307751 (subscription required)]
 
* [https://access.redhat.com/solutions/3315431 https://access.redhat.com/solutions/3315431 (subscription required)]
microcode_ctl-1.17-25.2.el6_9: [https://access.redhat.com/errata/RHSA-2018:0013 https://access.redhat.com/errata/RHSA-2018:0013]  
 
'''Important! [as of 13th January]'''
 
There appears to be a bug with the microcode_ctl update for Intel model 79 processors (Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz, Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz, Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz and Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz). The system fails to boot due to udev rules. There is no solution to the problem but to downgrade the microcode_ctl package. For more information, see: https://bugzilla.redhat.com/show_bug.cgi?id=1532283
 
https://access.redhat.com/solutions/3314661
 
<br> RHEL7:
 
kernel-3.10.0-693.11.6.el7: [https://access.redhat.com/errata/RHSA-2018:0007 https://access.redhat.com/errata/RHSA-2018:0007]  


microcode_ctl-2.1-22.2.el7: [https://access.redhat.com/errata/RHSA-2018:0012 https://access.redhat.com/errata/RHSA-2018:0012]  
RedHat CVE info:
* [https://access.redhat.com/security/cve/CVE-2017-5754 CVE-2017-5754]
* [https://access.redhat.com/security/cve/CVE-2017-5753 CVE-2017-5753]
* [https://access.redhat.com/security/cve/CVE-2017-5715 CVE-2017-5715]


linux-firmware-20170606-57.gitc990aae.el7_4: [https://access.redhat.com/errata/RHSA-2018:0014 https://access.redhat.com/errata/RHSA-2018:0014]
==== CentOS ====
 
<br> qemu-kvm:
 
RHEL6:
 
qemu-kvm: [https://access.redhat.com/errata/RHSA-2018:0024 https://access.redhat.com/errata/RHSA-2018:0024]
 
libvirt: [https://access.redhat.com/errata/RHSA-2018:0030 https://access.redhat.com/errata/RHSA-2018:0030]
 
RHEL7:
 
qemu-kvm: [https://access.redhat.com/errata/RHSA-2018:0023 https://access.redhat.com/errata/RHSA-2018:0023]
 
libvirt: [https://access.redhat.com/errata/RHSA-2018:0029 https://access.redhat.com/errata/RHSA-2018:0029]
 
== CentOS Information  ==


'''Important! [as of 17th January]'''
'''Important! [as of 17th January]'''


Centos seems to be following Redhat in the revert of the microcode_ctl package, see [https://git.centos.org/blob/rpms!microcode_ctl.git/c7/SOURCES!disclaimer the disclaimer in the sources of the last package]:
Centos seems to be following Redhat in the revert of the microcode_ctl package, see [https://git.centos.org/blob/rpms!microcode_ctl.git/c7/SOURCES!disclaimer the disclaimer in the sources of the last package]
This update supersedes microcode provided  by Red Hat with the CVE-2017-5715 (“Spectre”)
CPU branch injection vulnerability mitigation.  (HIstorically, Red Hat has provided updated
microcode, developed by our microprocessor partners, as a customer convenience.)  Further
testing has uncovered problems with the microcode provided along with the “Spectre” mitigation
that could lead to system instabilities.  As a result, Red Hat is providing an microcode update
that reverts to the last known good microcode version dated before 03 January 2018.
Red Hat strongly recommends that customers contact their hardware provider for the latest microcode updates.
IMPORTANT: Customers using Intel Skylake-, Broadwell-, and Haswell-based platforms must obtain and
install updated microcode from their hardware vendor immediately. The "Spectre" mitigation requires
both an updated kernel from Red Hat and updated microcode from your hardware vendor.


<br>
<br>
Line 136: Line 123:
[https://lists.centos.org/pipermail/centos-announce/2018-January/date.html  https://lists.centos.org/pipermail/centos-announce/2018-January/date.html]
[https://lists.centos.org/pipermail/centos-announce/2018-January/date.html  https://lists.centos.org/pipermail/centos-announce/2018-January/date.html]


== Some RedHat Linux related issues found ==
==== Scientific Linux ====
 
A serious bug in the microcode updates for some Intel CPUs (model 79) as distributed by Redhat (at least for RHEL 6 and derivatives) was found by one site and reported to us.  
This update rendered systems unbootable.
 
[https://bugzilla.redhat.com/show_bug.cgi?id=1532283 https://bugzilla.redhat.com/show_bug.cgi?id=1532283]
 
[https://access.redhat.com/solutions/3314661 https://access.redhat.com/solutions/3314661]
 
RedHat info on performance:--
 
[https://access.redhat.com/articles/3311301 https://access.redhat.com/articles/3311301]
 
== Scientific Linux  ==


'''Important! [as of 18th January]'''
'''Important! [as of 18th January]'''


Scientific Linux is following RedHat in the revert of the microcode_ctl package, see [https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/]:
Scientific Linux is following RedHat in the revert of the microcode_ctl package, see [https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/]


This update supersedes the previous microcode update provided with the
<br>
CVE-2017-5715 (Spectre) CPU branch injection vulnerability mitigation.
Further testing has uncovered problems with the microcode provided along
with the Spectre mitigation that could lead to system instabilities.
As a result, this microcode update reverts to the last known good
microcode version dated before 03 January 2018.
You should contact your hardware provider for the latest microcode updates.
IMPORTANT: If you are using Intel Skylake-, Broadwell-, and Haswell-based
platforms, obtain and install updated microcode from your hardware
vendor immediately. The "Spectre" mitigation requires both an updated
kernel and updated microcode from your hardware vendor.


SL6:  
* SL6: [https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/]  
 
* SL7: [https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/]  
[https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/]  
 
SL7:  
 
[https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/]  


<br>  
<br>  


qemu-kvn:  
* SL6:
** qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180024-1/ http://scientificlinux.org/category/sl-errata/slsa-20180024-1/]
** libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180030-1/ http://scientificlinux.org/category/sl-errata/slsa-20180030-1/]
* SL7:
** qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180023-1/ http://scientificlinux.org/category/sl-errata/slsa-20180023-1/]
** libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180029-1/ http://scientificlinux.org/category/sl-errata/slsa-20180029-1/]


SL6:
==== Ubuntu  ====


qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180024-1/ http://scientificlinux.org/category/sl-errata/slsa-20180024-1/]  
[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown]


libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180030-1/ http://scientificlinux.org/category/sl-errata/slsa-20180030-1/]
==== Debian ====


SL7:  
[https://security-tracker.debian.org/tracker/CVE-2017-5715 CVE-2017-5715]
[https://security-tracker.debian.org/tracker/CVE-2017-5753 CVE-2017-5753]
[https://security-tracker.debian.org/tracker/CVE-2017-5754 CVE-2017-5754]


qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180023-1/ http://scientificlinux.org/category/sl-errata/slsa-20180023-1/]
=== System Vendors ===
 
==== Supermicro ====
libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180029-1/ http://scientificlinux.org/category/sl-errata/slsa-20180029-1/]
 
== Ubuntu  ==
 
[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown]
 
== Supermicro ==


[https://www.supermicro.com/support/security_Intel-SA-00088.cfm https://www.supermicro.com/support/security_Intel-SA-00088.cfm]
[https://www.supermicro.com/support/security_Intel-SA-00088.cfm https://www.supermicro.com/support/security_Intel-SA-00088.cfm]


== Dell products ==
==== Dell ====


'''Important! [as of 23rd January]'''
'''Important! [as of 23rd January]'''
Line 215: Line 171:
Note this is changing rather frequently
Note this is changing rather frequently


== HPE products ==
==== HPE ====


[as of January 23]
[as of January 23]
Line 223: Line 179:
[https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us]
[https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us]


== Xen  ==
==== Lenovo ====
 
[as of January 23]
 
Lenovo security advisory
 
 
=== Hypervisors ===
 
[https://support.lenovo.com/gb/en/solutions/len-18282 https://support.lenovo.com/gb/en/solutions/len-18282]
==== Xen  ====




Line 231: Line 197:
* [https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre]
* [https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre]


== Other Cloud related ==
==== QEMU-KVM ====


In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated:
In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated:


[https://www.qemu.org/2018/01/04/spectre/ https://www.qemu.org/2018/01/04/spectre/]
[https://www.qemu.org/2018/01/04/spectre/ https://www.qemu.org/2018/01/04/spectre/]

Revision as of 14:27, 7 September 2018

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Meltdown and Spectre Vulnerabilities


Purpose of this page

To provide more detailed information about the Meltdown and Spectre vulnerabilities, to complement the advisory, SVG:Advisory-SVG-CVE-2017-5753.

This was compiled in January and early February 2018

Information including more recent SVG Speculative execution vulnerabilities

What are they?

These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However patches are available which mitigate these problems.

  • Meltdown (CVE-2017-5754) affects most Intel chips.
  • Spectre (CVE-2017-5753 and CVE-2017-5715) affects a wide range of chips.

For more details, see https://meltdownattack.com/ , https://spectreattack.com/ and https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html

How to mitigate these vulnerabilities

Each CVE can be mitigated via different ways:

  • Meltdown (CVE-2017-5754) can be mitigated via Kernel Page Table Isolation, which is enabled by default in latest linux kernels
  • Spectre Variant 1 (CVE-2017-5753) has to be mitigated in each software which can be vulnerable. The latest linux kernel contains fixes to protect itself (does not protect other software).
  • Spectre Variant 2 (CVE-2017-5715) can be (at least partially) mitigated via at least two different approach:
    • Using new Intel-specific MSR, added via a microcode update, to control indirect branch restricted speculation (IBRS): Both a kernel and a microcode update are required. In addition, in case of virtualization, an update of the virtualization software (e.g. qemu & virt) is required to expose the new MSR to the VM.
    • Using "retpoline", a new software construct that can mitigate, on most CPUs, the vulnerability

RedHat

As of Feb 2nd 2018, RedHat has offered new kernel updates that can mitigate Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715).

However, due to instability issues, it has removed the microcode updates required for Spectre Variant 2 (CVE-2017-5715). Until Intel releases stable microcode or RedHat switches to 'retpoline', no mitigation for Spectre Variant 2 (CVE-2017-5715) is safely usable.

It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:

  • On RHEL7: Updating the kernel to 3.10.0-693.11.6.el7, see RHSA-2018:0007
  • On RHEL6: Updating the kernel to 2.6.32-696.18.7.el6, see RHSA-2018:0008

Centos

Centos is following RedHat (see above).

It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:

  • On Centos 7: Updating the kernel to 3.10.0-693.11.6.el7, see CESA-2018:0007
  • On Centos 6: Updating the kernel to 2.6.32-696.18.7.el6, see CESA-2018:0008

Scientific Linux

Scientific Linux is following RedHat (see above).

It is currently possible to mitigate Meltdown (CVE-2017-5754) and Spectre Variant 1 (CVE-2017-5753) by:

Additional details as well as information on other systems and platforms can be found in the next section.

More Information

Relevant Advisories

CERN

CERN has compiled information which is useful for many EGI sites:

https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml

Intel

Intel has initially, on January 8th, released new microcodes to complement the IBRS kernel patchset. However, these new microcodes are in fact unstable and Intel has since then recommended to stop deploying them.

Intel latest recommendation can be found in their advisory, INTEL-SA-00088

More updates and information:

Linux Distributions

RedHat

Important! [as of 17th January]

RedHat has issued new microcode_ctl packages to rollback the latest updates, see RHSA-2018:0093.


RedHat description:

RedHat CVE info:

CentOS

Important! [as of 17th January]

Centos seems to be following Redhat in the revert of the microcode_ctl package, see the disclaimer in the sources of the last package


CentOS 7:

CentOS 6:

See further in the centos-announce Security mails for January https://lists.centos.org/pipermail/centos-announce/2018-January/date.html

Scientific Linux

Important! [as of 18th January]

Scientific Linux is following RedHat in the revert of the microcode_ctl package, see https://www.scientificlinux.org/category/sl-errata/slsa-20180093-1/



Ubuntu

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Debian

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

System Vendors

Supermicro

https://www.supermicro.com/support/security_Intel-SA-00088.cfm

Dell

Important! [as of 23rd January]

Dell is advising that all customers and partners should not deploy the BIOS update for the Spectre vulnerability at this time due to Intel’s advisory acknowledging reboot issues and unpredictable system behaviour.

http://www.dell.com/support/contents/uk/en/ukbsdt1/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre


https://www.dell.com/support/article/uk/en/ukbsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

Note this is changing rather frequently

HPE

[as of January 23]

HPE has updated their advisory to note that "Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues" - so following suit with DELL.

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-hpesbhf03805en_us

Lenovo

[as of January 23]

Lenovo security advisory


Hypervisors

https://support.lenovo.com/gb/en/solutions/len-18282

Xen

QEMU-KVM

In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated:

https://www.qemu.org/2018/01/04/spectre/