High Severity

Potential Impact on Processors in the POWER Family


Three security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory have been made public. All three make use of speculative execution to perform side-channel information disclosure attacks. The first two, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre and allow user-level code to infer data from memory it is not authorized to read; the third, CVE-2017-5754, is known as Meltdown and allows user-level code to infer the contents of kernel memory. The vulnerabilities are all variants of the same class of attack but differ in the way that speculative execution is exploited.

These vulnerabilities do not allow an external unauthorized party to gain access to a machine, but they could allow a party that has access to the system to access unauthorized data.

If these vulnerabilities pose a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place.

Mitigation of these vulnerabilities for Power Systems clients involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation on its own and is a prerequisite for the OS patch to be effective. These will be available as follows:

  • Firmware patches for POWER7, POWER7+, POWER8 and POWER9 platforms are now available via FixCentral.
  • Linux operating system patches are now available through our Linux distribution partners Red Hat, SUSE and Canonical.
  • IBM i operating system patches are now available via FixCentral.
  • AIX patches are now available via AIX Security.
  • Consistent with previously announced end of service, IBM will not be releasing patches for POWER4, POWER5 and POWER6 systems and recommends migrating to a more current generation of POWER technology. We are committed to helping our clients address these vulnerabilities and have introduced an offer for pre-POWER7 clients to upgrade their security profile and protect against Spectre and Meltdown through the purchase of POWER8 or POWER9 systems and available migration services, security support, and financing offers.
  • Information about generations prior to POWER4 will be communicated on an as-needed basis.

We will continue to provide information about these patches via PSIRT and security bulletins.

Clients should review these patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied.
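As an added verification step that is not part of this bulletin: once the firmware and Linux patches above are installed, the Linux kernel (4.15 and distribution backports, including the powerpc port) reports the resulting state of each issue in one file per issue under /sys/devices/system/cpu/vulnerabilities/. The script below classifies those reports and returns non-zero if any issue is still vulnerable or unreported; VULN_DIR and the helper names are this example's own, and the sample values used in the comments are constructed.

```shell
#!/bin/sh
# Summarise the kernel's reported Spectre/Meltdown mitigation state.
# Override VULN_DIR to point the check at a copy of the sysfs files.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE
# Prints "mitigated", "vulnerable" or "unknown" for one sysfs status line,
# e.g. "Mitigation: RFI Flush" -> mitigated, "Vulnerable" -> vulnerable.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_mitigations
# Prints one line per issue and returns 1 if any issue is not mitigated.
# A missing file is treated as unknown: it usually means the running kernel
# predates the patch, which is exactly the case the bulletin warns about.
check_mitigations() {
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$VULN_DIR/$issue"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            status="unknown (no $f; unpatched kernel?)"
        fi
        class=$(classify_status "$status")
        printf '%-10s %-10s %s\n' "$issue" "$class" "$status"
        [ "$class" = mitigated ] || rc=1
    done
    return $rc
}

# Run the check only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_mitigations
fi
```

Run it as `sh check_mitigations.sh --run` on the patched host; a non-zero exit means the firmware or OS patch is not yet in effect for at least one issue.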
