Revision as of 11:13, 21 October 2021

Main page

Software Security Checklist

Issue Handling

Advisories

Notes On Risk

Advisory Template

More

Meltdown and Spectre Vulnerabilities

This article is Deprecated and has been moved to https://advisories.egi.eu/Meltdown_and_Spectre_Vulnerabilities.html.

@@ Line 1: / Line 1: @@
 {{svg-header}}
+{{DeprecatedAndMovedTo|new_location=https://advisories.egi.eu/Meltdown_and_Spectre_Vulnerabilities.html}}
-More information is likely to be added in the coming days. This is an initial version.
-== Purpose of this page  ==
-To provide useful links and other information concerning the Meltdown and Spectre vulnerabilities, which we consider relevant to the EGI infrastructure.
-== What are they?  ==
-These are vulnerabilities in the design of the chip hardware, and cannot be fully resolved by patching operating systems. However patches are available which mitigate these problems.
-Meltdown affects most Intel chips, and has CVE-2017-5754
-Spectre affects a wide range of chips, CVE-2017-5753 and CVE-2017-5715.
-Here you will find more information&nbsp; [http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/ http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/]
-[https://meltdownattack.com/ https://meltdownattack.com/ ], [https://spectreattack.com/ https://spectreattack.com/] and [https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html https://googleprojectzero.blogspot.dk/2018/01/reading-privileged-memory-with-side.html]
-== CERN information  ==
-CERN has compiled information which is useful for many EGI sites
-[https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml https://security.web.cern.ch/security/advisories/spectre-meltdown/spectre-meltdown.shtml]
-== Intel Information  ==
-Product patches
-[https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File]
-== RedHat Information  ==
-'''Important! [as of 17th January]'''
-RedHat has announced that they will rollback the microcode_ctl updates by issuing a new package with older microcodes.
-RedHat recommends to contact hardware providers to obtain firmware updates...
-<br>
-RedHat description:
-[https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/security/vulnerabilities/speculativeexecution]
-[https://access.redhat.com/articles/3307751 https://access.redhat.com/articles/3307751 (subscription required)]
-[https://access.redhat.com/solutions/3315431 https://access.redhat.com/solutions/3315431 (subscription required)]
-<br>
-RedHat CVE info: [https://access.redhat.com/security/cve/CVE-2017-5754]
-[https://access.redhat.com/security/cve/CVE-2017-5754 https://access.redhat.com/security/cve/CVE-2017-5754]
-[https://access.redhat.com/security/cve/CVE-2017-5753 https://access.redhat.com/security/cve/CVE-2017-5753]
-[https://access.redhat.com/security/cve/CVE-2017-5715 https://access.redhat.com/security/cve/CVE-2017-5715]
-<br>
-RHEL6:
-kernel-2.6.32-696.18.7.el6: [https://access.redhat.com/errata/RHSA-2018:0008 https://access.redhat.com/errata/RHSA-2018:0008]
-microcode_ctl-1.17-25.2.el6_9: [https://access.redhat.com/errata/RHSA-2018:0013 https://access.redhat.com/errata/RHSA-2018:0013]
-'''Important! [as of 13th January]'''
-There appears to be a bug with the microcode_ctl update for Intel model 79 processors (Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz, Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz, Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz and Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz). The system fails to boot due to udev rules. There is no solution to the problem but to downgrade the microcode_ctl package. For more information, see: https://bugzilla.redhat.com/show_bug.cgi?id=1532283
-https://access.redhat.com/solutions/3314661
-<br> RHEL7:
-kernel-3.10.0-693.11.6.el7: [https://access.redhat.com/errata/RHSA-2018:0007 https://access.redhat.com/errata/RHSA-2018:0007]
-microcode_ctl-2.1-22.2.el7: [https://access.redhat.com/errata/RHSA-2018:0012 https://access.redhat.com/errata/RHSA-2018:0012]
-linux-firmware-20170606-57.gitc990aae.el7_4: [https://access.redhat.com/errata/RHSA-2018:0014 https://access.redhat.com/errata/RHSA-2018:0014]
-<br> qemu-kvm:
-RHEL6:
-qemu-kvm: [https://access.redhat.com/errata/RHSA-2018:0024 https://access.redhat.com/errata/RHSA-2018:0024]
-libvirt: [https://access.redhat.com/errata/RHSA-2018:0030 https://access.redhat.com/errata/RHSA-2018:0030]
-RHEL7:
-qemu-kvm: [https://access.redhat.com/errata/RHSA-2018:0023 https://access.redhat.com/errata/RHSA-2018:0023]
-libvirt: [https://access.redhat.com/errata/RHSA-2018:0029 https://access.redhat.com/errata/RHSA-2018:0029]
-== CentOS Information  ==
-'''Important! [as of 17th January]'''
-Centos seems to be following Redhat in the revert of the microcode_ctl package, see [https://git.centos.org/blob/rpms!microcode_ctl.git/c7/SOURCES!disclaimer the disclaimer in the sources of the last package]:
- This update supersedes microcode provided  by Red Hat with the CVE-2017-5715 (“Spectre”)
- CPU branch injection vulnerability mitigation.  (HIstorically, Red Hat has provided updated
- microcode, developed by our microprocessor partners, as a customer convenience.)  Further
- testing has uncovered problems with the microcode provided along with the “Spectre” mitigation
- that could lead to system instabilities.  As a result, Red Hat is providing an microcode update
- that reverts to the last known good microcode version dated before 03 January 2018.
- Red Hat strongly recommends that customers contact their hardware provider for the latest microcode updates.
- IMPORTANT: Customers using Intel Skylake-, Broadwell-, and Haswell-based platforms must obtain and
- install updated microcode from their hardware vendor immediately. The "Spectre" mitigation requires
- both an updated kernel from Red Hat and updated microcode from your hardware vendor.
-<br>
-CentOS 7:
-* kernel Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022696.html CESA-2018:0007]
-* microcode_ctl Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022697.html CESA-2018:0012] <br> also needs dracut BugFix Update for AMD: [https://lists.centos.org/pipermail/centos-announce/2018-January/022708.html CEBA-2018:0042]
-* linux-firmware Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022698.html CESA-2018:0014]
-* qemu-kvm Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022705.html CESA-2018:0023]
-* libvirt Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022704.html CESA-2018:0029]
-CentOS 6:
-* kernel Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022701.html CESA-2018:0008]
-* microcode_ctl Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022700.html CESA-2018:0013]
-* qemu-kvm Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022702.html CESA-2018:0024]
-* libvirt Security Update: [https://lists.centos.org/pipermail/centos-announce/2018-January/022703.html CESA-2018:0030]
-See further in the centos-announce Security mails for January
-[https://lists.centos.org/pipermail/centos-announce/2018-January/date.html  https://lists.centos.org/pipermail/centos-announce/2018-January/date.html]
-== Some RedHat Linux related issues found ==
-A serious bug in the microcode updates for some Intel CPUs (model 79) as distributed by Redhat (at least for RHEL 6 and derivatives) was found by one site and reported to us.
-This update rendered systems unbootable.
-[https://bugzilla.redhat.com/show_bug.cgi?id=1532283 https://bugzilla.redhat.com/show_bug.cgi?id=1532283]
-[https://access.redhat.com/solutions/3314661 https://access.redhat.com/solutions/3314661]
-== Scientific Linux  ==
-SL6:
-[https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180008-1/]
-SL7:
-[https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/ https://www.scientificlinux.org/category/sl-errata/slsa-20180007-1/]
-<br>
-qemu-kvn:
-SL6:
-qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180024-1/ http://scientificlinux.org/category/sl-errata/slsa-20180024-1/]
-libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180030-1/ http://scientificlinux.org/category/sl-errata/slsa-20180030-1/]
-SL7:
-qemu-kvm: [http://scientificlinux.org/category/sl-errata/slsa-20180023-1/ http://scientificlinux.org/category/sl-errata/slsa-20180023-1/]
-libvirt: [http://scientificlinux.org/category/sl-errata/slsa-20180029-1/ http://scientificlinux.org/category/sl-errata/slsa-20180029-1/]
-== Ubuntu  ==
-[https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown]
-== Xen  ==
-* [https://xenbits.xen.org/xsa/advisory-254.html https://xenbits.xen.org/xsa/advisory-254.html]
-* [https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/ https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/]
-* [https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ https://wiki.xenproject.org/wiki/Xen_Project_Meltdown_and_Spectre_Technical_FAQ]
-* [https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre https://wiki.xenproject.org/wiki/Respond_to_Meltdown_and_Spectre]
-== Other Cloud related  ==
-In order to protect hypervisors from malicious VMs, the kernel, microcode and QEMU must be updated:
-[https://www.qemu.org/2018/01/04/spectre/ https://www.qemu.org/2018/01/04/spectre/]

Difference between revisions of "SVG:Meltdown and Spectre Vulnerabilities"

Revision as of 11:13, 21 October 2021

Meltdown and Spectre Vulnerabilities

Navigation menu

Difference between revisions of "SVG:Meltdown and Spectre Vulnerabilities"

Revision as of 11:13, 21 October 2021

Meltdown and Spectre Vulnerabilities

Navigation menu

Search