Share this post:
In January 2018, three security vulnerabilities were made public that allow unauthorized users to bypass the hardware barrier between applications and kernel memory. These vulnerabilities all make use of speculative execution to perform side-channel information disclosure attacks. The first two vulnerabilities, CVE-2017-5753 and CVE-2017- 5715, are collectively known as Spectre, and allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, is known as Meltdown, and allows user-level code to infer the contents of kernel memory.
In May 2018, a fourth variant was identified, CVE-2018-3639. This variant is another instantiation of a side-channel information disclosure attack. All of these identified vulnerabilities are variants of the same class of attacks but differ in the way that speculative execution is exploited.
These vulnerabilities do not allow an external unauthorized party to gain access to a machine, but they could allow a party that has access to the system to access unauthorized data.
If these vulnerabilities pose a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place.
On August 15, 2018, security vulnerabilities codenamed Foreshadow/L1TF (CVE-2018-3620, CVE-2018-3646 and CVE-2018-3615) were announced. Two of the vulnerabilities (CVE-2018-3620 and CVE-2018-3646) could potentially impact Power Systems. The Firmware and OS patches released by IBM in February and March 2018 to address the original Meltdown vulnerability (CVE-2017-5754) also address the L1TF/Foreshadow vulnerability, except for Power 9 Systems running with KVM Hypervisor. OS patch for Power 9 KVM Systems will be made available soon. The Firmware and OS patches for all other Power Systems are available in this blog below.
The third L1TF/Foreshadow vulnerability (CVE-2018-3615) relates to SGX implementation and does not impact the Power Systems.
Mitigation of these vulnerabilities for Power Systems clients involves installing patches to both system firmware and operating systems. Both the firmware and OS patches are required for the mitigation to be effective against these vulnerabilities and the latest firmware and OS patches incorporate mitigations for the fourth variant. These will be available as follows:
We will continue to provide information about these patches via PSIRT and security bulletins.
Clients should review these patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied.