High Severity

Potential Impact on Processors in the POWER Family

Share this post:

In January 2018, three security vulnerabilities were made public that allow unauthorized users to bypass the hardware barrier between applications and kernel memory. These vulnerabilities all make use of speculative execution to perform side-channel information disclosure attacks. The first two vulnerabilities, CVE-2017-5753 and CVE-2017- 5715, are collectively known as Spectre, and allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, is known as Meltdown, and allows user-level code to infer the contents of kernel memory.

In May 2018, a fourth variant was identified, CVE-2018-3639. This variant is another instantiation of a side-channel information disclosure attack. All of these identified vulnerabilities are variants of the same class of attacks but differ in the way that speculative execution is exploited.

These vulnerabilities do not allow an external unauthorized party to gain access to a machine, but they could allow a party that has access to the system to access unauthorized data.

If these vulnerabilities pose a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place.

Mitigation of these vulnerabilities for Power Systems clients involves installing patches to both system firmware and operating systems. Both the firmware and OS patches are required for the mitigation to be effective against these vulnerabilities and the latest firmware and OS patches incorporate mitigations for the fourth variant. These will be available as follows:

  • Firmware patches for POWER7, POWER7+, POWER8 and POWER9 platforms are now available via FixCentral.

    • Linux operating systems patches are now available through our Linux distribution partners Red Hat, SUSE and Canonical.
    • IBM i operating system patches are now available via FixCentral.
    • AIX patches are now available via AIX Security .
  • Consistent with previously announced end of service, IBM will not be releasing patches for POWER4, POWER5, POWER6 systems and recommends migrating to a more current generation of POWER technology. We are committed to helping our clients address these vulnerabilities and have introduced an offer for pre-POWER7 clients to upgrade their security profile and protect against Spectre and Meltdown through the purchase of POWER8 or POWER9 systems and available migration services, security support, and financing offers.
  • Information about generations prior to POWER4 will be communicated on an as-needed basis.

We will continue to provide information about these patches via PSIRT and security bulletins.

Clients should review these patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied.

More High Severity stories

IBM Security Bulletin: Denial of service vulnerability affects IBM Unified Extensible Firmware Interface (CVE-2017-5703)

Jul 19, 2018 9:01 am EDT | High Severity

IBM System x, Flex and BladeCenter systems have addressed the following denial of service vulnerability in Unified Extensible Firmware Interface (UEFI). CVE(s): CVE-2017-5703 Affected product(s) and affected version(s): Product Affected Version BladeCenter HS23 7875/1929 tke1 BladeCenter HS23E 8038/8039 ahe1 Flex System x220 2585/7906 kse1 Flex System x222 7916 cce1 Flex System x240 7863/8737/8738/8956 b2e1 Flex ...read more

IBM Security Bulletin: Information Disclosure in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2018-1621

Jul 19, 2018 9:01 am EDT | Medium Severity

A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center). There is a potential Information disclosure vulnerability in WebSphere Application Server. IBM Spectrum Control has addressed the applicable CVE. CVE(s): CVE-2018-1621 Affected product(s) and affected version(s): Affected Product Affected Versions IBM Tivoli Storage Productivity Center 5.2.0 – IBM ...read more

IBM Security Bulletin: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting (CVE-2018-1563, CVE-2018-1513)

Jul 19, 2018 9:01 am EDT | Medium Severity

IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. CVE(s): CVE-2018-1563, CVE-2018-1513 Affected product(s) and affected version(s): IBM Sterling B2B Integrator – Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=ibm10717031X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142967X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141551 ...read more