SVG:Advisory-SVG-CVE-2017-5753

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template RAT/Membership Documents Assessment Secure Coding Info for SVG members

Advisory-SVG-CVE-2017-5753


Title:       EGI SVG 'ADVISORY' **UPDATE 2** [TLP:WHITE] 'CRITICAL' risk processor vulnerabilities - Meltdown and Spectre

Date:        2018-01-03
Updated:     2018-01-04, 2018-01-11, 2018-01-23

**UPDATED 2018-01-23**: Deadline for CVE-2017-5754 & CVE-2017-5753 mitigation

Affected software and risk
==========================

'CRITICAL' risk vulnerabilities concerning processors in common usage,
including  Intel.

Package : Intel and other processors
CVE ID  : CVE-2017-5754 - Meltdown(Variant 3) -  Only affects Intel chips.
        : CVE-2017-5753 - Spectre(Variant 1) - Affects wide range of chips
        : CVE-2017-5715 - Spectre(Variant 2) - Affects wide range of chips


Actions required/recommended
============================

This advisory is under constant revision, links to detailed public information
and patches are being published on the EGI SVG wiki at [R 1] as soon as they
are available to us. Please check frequently.

Meltdown(Variant 3) and Spectre(Variant 1): All sites MUST update their kernel
and reboot before 9am (CET) Tuesday morning next week (30th January),
2018/01/30T09:00:00+01:00.
Priority should be given to services with direct user access, like
ssh-gateways, user interfaces (UIs), VOBoxs, WorkerNodes (WNs).
Failure to update within this time-frame will be followed-up as per our
Critical Vulnerability Handling [R 3].

Spectre(Variant 2): Given the instabilities reported by Intel on its own
microcode [R 4] and RedHat removing said microcodes from its packages, there
is currently no known and simple supported mitigation for this vulnerabilty.
Sites are encouraged to follow closely updates from their software and
hardware vendors, who might be releasing specific updates.


TLP and URL
===========

** WHITE information - Unlimited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2017-5753    

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 2]

Note that this has been updated and the latest version approved by the
Operations Management Board in November 2017


References
==========

[R 1] https://wiki.egi.eu/wiki/SVG:Meltdown_and_Spectre_Vulnerabilities

[R 2] https://documents.egi.eu/public/ShowDocument?docid=3145

[R 3] https://wiki.egi.eu/wiki/SEC03

[R 4]
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Credit
======

Raul Lopes from Brunel alerted the UK security discussion list, which included
members of the EGI SVG.


Timeline
========
Yyyy-mm-dd  [EGI-SVG-2018-13959]

2018-01-03 SVG alerted to this issue by Raul Lopes
2018-01-03 Not enough information to fully assess, but potentially critical
2018-01-03 Decided to send 'Heads up' and drafted
2018-01-03 'Heads Up' sent to sites
2018-01-04 Patches available for most linux systems
2018-01-04 Advisory sent to sites
2018-01-09 Advisory updated - to temporarily remove deadline
           and link to wiki for more information
2018-01-23 Advisory updated - to distinguish between Meltdown, Spectre(1),
           Spectre(2) and specify action in each case
2018-02-02 Advisory changed to TLP:WHITE and placed on wiki 

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 5]  
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, w
e do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending 
on how the software is used.   

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox
Print/export