Side Channel Vulnerability
'Meltdown' and 'Spectre' Information
There are indications that the Meltdown vulnerability is exclusive to Intel processors, while the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors. Procedures are available to help protect devices from the Meltdown and Spectre security vulnerabilities.
Intel released a noteworthy article on January 22, 2018: Root Cause of Reboot Issue Identified; Updated Guidance for Customer and Partners
It is strongly recommended that baseline performance testing is conducted prior to applying patches to production as performance may be impacted.
Vendors and manufacturers have provided the below information and/or mitigation solutions to address vulnerabilities.
Updates have been released for Apple iOS High Sierra, and Safari on Sierra and El Capitan to help defend against Spectre. Further information is available at: https://support.apple.com/en-us/HT208394
Amazon Web Services (AWS) is aware of the issue described in CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All instances across the Amazon EC2 fleet are protected from all known threat vectors from the CVEs previously listed. Customers’ instances are protected against these threats from other instances. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads. We will keep customers apprised of additional information with updates to our security bulletin, which can be found here.
More information on these bulletins are available at the Amazon Linux AMI Security Center.
- The Cisco Security Vulnerability site that will provide on-going, updated information regarding Cisco’s response to this issue: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
- Amp and End Points Product: https://supportforums.cisco.com/t5/sourcefire-documents/cisco-amp-for-endpoints-compatibility-with-windows-security/ta-p/3306874
DELL & EMC
DELL is working diligently with Intel and others in the industry to address the issue, and recommend you bookmark the following pages where the latest information on affected Dell / Dell EMC products including BIOS updates will be published as they are available.
- Dell Client
- Dell Enterprise (Dell Servers, Storage and Networking)
- RSA (customer login required)
- Dell EMC Storage & Data Protection (customer login required)
- Dell EMC CPSD (customer login required)
There is a great volume of inaccurate information on the web. Dell recommends that customers secure appropriate details from industry standard sources such as MITRE and NIST. Source information regarding the two vulnerabilities from the researchers at Graz University of Technology (links for abstracts Spectre and Meltdown) are provided below.
- NIST (https://nvd.nist.gov/vuln/detail/CVE-2017-5715)
- Mitre (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5715)
- NIST (https://nvd.nist.gov/vuln/detail/CVE-2017-5753)
- Mitre (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5753)
Extreme has published Vulnerability Notices to provide information on two issues known as Meltdown and Spectre.
F5 – K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
First and foremost, there is no exposure on BIG-IP products by way of the data plane. All exposure is limited to the control plane (also known as the management plane).
Furthermore, on the control plane, the vulnerabilities are exploitable only by four authorized, authenticated account roles: Administrator, Resource Administrator, Manager, and iRules Manager. You must be authorized to access the system in one of these roles to even attempt to exploit the vulnerabilities.
All three vulnerabilities require an attacker who can provide and run binary code of their choosing on the BIG-IP platform.
These conditions severely restrict the exposure risk of BIG-IP products.
F5 continues to investigate the impact of the Spectre and Meltdown vulnerabilities on their products. F5 is focused on providing patched releases as soon as they have fully tested and verified fixes. F5 will update this article with the most current information as soon as it is confirmed.
For more information please review this webpage – https://support.f5.com/csp/article/K91229003
For additional questions or concerns please feel free to call F5 support at 1-888-882-7535, or F5 Account Manager Tony Ganzer at (916) 837-7007 or firstname.lastname@example.org, or F5 SE Chas Lesley at (916) 698-3375 or email@example.com. You can also open a support ticket at https://support.f5.com/csp/my-support/home.
On 3 January 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE Storage products, potentially leading to information disclosure and elevation of privilege. Product specific mitigation steps will be available through the HPE Support Center when available.
Determine if you have a storage system that is impacted by this vulnerability. HPE is maintaining a list of impacted products on the HPE vulnerability website.
The latest information from IBM on status and actions. This blog contains links to the product specific sites that articulate support activities.
- Intel Press Release: https://newsroom.intel.com/press-kits/security-exploits-intel-products/
- Intel facts about side-channel analysis and Intel Products: https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html or http://intel.ly/2EU2sBS
- Security Center Update: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Full Juniper Networks advisory to date: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842
State agencies that are Juniper customers that have questions / concerns can contact State of CA Juniper account team or JTAC directly. Juniper Account Manager, Michelle Oushakoff, (916) 549-3713 or firstname.lastname@example.org. Juniper Technical Support Phone#: 1-888-314-5822 (toll free, US & Canada)
Juniper customers can get regular and out-of-cycle security advisories specific to Juniper solutions by subscribing with their Juniper support credentials here: https://www.juniper.net/customers/support/
- The McAfee labs group has written a blog that may be of more general interest: https://securingtomorrow.mcafee.com/mcafee-labs/decyphering-the-noise-around-meltdown-and-spectre/
- Overall compatibility page: https://kc.mcafee.com/corporate/index?page=content&id=KB90167
- Any users of ENS 10.0.2 or later have been automatically fixed as of the 1/10/18 DAT. For earlier versions or manual instructions, see: https://kc.mcafee.com/corporate/index?page=content&id=KB90180
- Security Advisory 180002 – Vulnerability in CPU Microcode Could Allow Information Disclosure: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- KB 4072699 – Important Information regarding the Windows Security Updates Released January 2018 (A/V): https://support.microsoft.com/help/4072699
- KB 4073229 – Protect your device against the recent chip-related security vulnerability: https://support.microsoft.com/help/4073229
- KB 4073119 – Windows Client Guidance for IT Pros to protect against the speculative execution side-channel vulnerabilities: https://support.microsoft.com/help/4073119
- KB 4072698 – Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities: https://support.microsoft.com/help/4072698
- KB 4073235 – Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities: https://support.microsoft.com/help/4073235
- KB 4073065 – Surface Guidance for Customers and Partners “Protect your devices against the recent chip-related security vulnerability”: https://support.microsoft.com/help/4073065
- KB 4073225 – Guide to protect SQL Server against speculative execution side-channel vulnerabilities https://support.microsoft.com/en-gb/help/4073225/guidance-for-sql-server
The upcoming patch release dates are publicly published here: https://www.oracle.com/technetwork/topics/security/whatsnew/index.html
A short video about how to access My Oracle Support is located in this video: https://videohub.oracle.com/media/My+Oracle+Support+Introduction/1_kxsm9sl3/66434132
More detailed instructions about using Oracle Support are available after logging in this video: ttps://support.oracle.com/epmos/faces/DocumentDisplay?id=1543719.1