Differences between revisions 3 and 4
Revision 3 as of 2018-02-15 19:11:27
Size: 2043
Editor: ?OlaLundqvist
Comment:
Revision 4 as of 2018-02-15 19:19:01
Size: 2299
Editor: ?OlaLundqvist
Comment:
Deletions are marked like this. Additions are marked like this.
Line 25: Line 25:

=== Related information ====

Redhat has released [[https://access.redhat.com/security/vulnerabilities/speculativeexecution|good information]] that describe the issue further. Most information in this article is applicable to Debian wheezy as well.

Information leak via speculative execution side channel attacks

In January 2018, security researchers announced a new class of side channel attacks that impact most processors, including processors from Intel, AMD, ARM and IBM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory.

To address the issue in Debian, updates to the kernel, processor microcode, hypervisor, and various other userspace packages will be needed. These updates are being announced in Debian Long Term Security Announcements as they are available.

There are three separate vulnerabilities involved:

CVE-2017-5753 Spectre Variant 1, Bounds Check Bypass

CVE-2017-5715 Spectre Variant 2, Branch Target Injection

CVE-2017-5754 Meltdown Variant 3, Rogue Data Cache Load

The Spectre and Meltdown vulnerabilities have varying impacts in different environments, and the mitigations available can be difficult to understand. We've prepared a Technical FAQ to help answer many common questions.

This article will be updated periodically with new information as it becomes available, until the issues have been resolved.

Notes

Spectre Variant 2 can be exploited both locally (within the same OS) and through the virtualization guest boundary. Fixes require CPU microcode/firmware to activate. Subscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor.

Current Status

As announced in DLA-1232-1 Meltdown (CVE-2017-5754) has been fixed in the Linux kernel for 64 bit architecture. There is currently no known fix for 32 bit architecture.

=== Related information ====

Redhat has released good information that describe the issue further. Most information in this article is applicable to Debian wheezy as well.