From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More


Title:       EGI SVG 'ADVISORY' **UPDATE 2** [TLP:WHITE] 'CRITICAL' risk processor vulnerabilities - Meltdown and Spectre

Date:        2018-01-03
Updated:     2018-01-04, 2018-01-11, 2018-01-23

**UPDATED 2018-01-23**: Deadline for CVE-2017-5754 & CVE-2017-5753 mitigation

Affected software and risk

'CRITICAL' risk vulnerabilities concerning processors in common usage,
including  Intel.

Package : Intel and other processors
CVE ID  : CVE-2017-5754 - Meltdown(Variant 3) -  Only affects Intel chips.
        : CVE-2017-5753 - Spectre(Variant 1) - Affects wide range of chips
        : CVE-2017-5715 - Spectre(Variant 2) - Affects wide range of chips

Actions required/recommended

This advisory is under constant revision, links to detailed public information
and patches are being published on the EGI SVG wiki at [R 1] as soon as they
are available to us. Please check frequently.

Meltdown(Variant 3) and Spectre(Variant 1): All sites MUST update their kernel
and reboot before 9am (CET) Tuesday morning next week (30th January),
Priority should be given to services with direct user access, like
ssh-gateways, user interfaces (UIs), VOBoxs, WorkerNodes (WNs).
Failure to update within this time-frame will be followed-up as per our
Critical Vulnerability Handling [R 3].

Spectre(Variant 2): Given the instabilities reported by Intel on its own
microcode [R 4] and RedHat removing said microcodes from its packages, there
is currently no known and simple supported mitigation for this vulnerabilty.
Sites are encouraged to follow closely updates from their software and
hardware vendors, who might be releasing specific updates.


** WHITE information - Unlimited distribution - see for distribution restrictions **



Comments or questions should be sent to svg-rat  at

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at

the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 2]

Note that this has been updated and the latest version approved by the
Operations Management Board in November 2017


[R 1]

[R 2]

[R 3]

[R 4]


Raul Lopes from Brunel alerted the UK security discussion list, which included
members of the EGI SVG.

Yyyy-mm-dd  [EGI-SVG-2018-13959]

2018-01-03 SVG alerted to this issue by Raul Lopes
2018-01-03 Not enough information to fully assess, but potentially critical
2018-01-03 Decided to send 'Heads up' and drafted
2018-01-03 'Heads Up' sent to sites
2018-01-04 Patches available for most linux systems
2018-01-04 Advisory sent to sites
2018-01-09 Advisory updated - to temporarily remove deadline
           and link to wiki for more information
2018-01-23 Advisory updated - to distinguish between Meltdown, Spectre(1),
           Spectre(2) and specify action in each case
2018-02-02 Advisory changed to TLP:WHITE and placed on wiki 


This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 5]  
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, w
e do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending 
on how the software is used.   

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI Software Vulnerability Group