IBM Support

Spectre Meltdown Vulnerability

Troubleshooting


Problem

An industry-wide issue was found in the way many modern microprocessor designs implement speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue, which differ in the way the speculative execution can be exploited. All three rely on the fact that modern high-performance microprocessors both implement speculative execution and use VIPT (Virtually Indexed, Physically Tagged) level 1 data caches that may become allocated with data in the kernel virtual address space during such speculation.

Variant #1 (CVE-2017-5753) and Variant #2 (CVE-2017-5715): The first two variants abuse speculative execution either to perform a bounds-check bypass (CVE-2017-5753) or, through branch target injection (CVE-2017-5715), to cause kernel code at an address under attacker control to execute speculatively. Collectively these are known as "Spectre".

Variant #3 (CVE-2017-5754): The third variant relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block.

Variant #4 (CVE-2018-3639): This vulnerability in modern microprocessors allows an unprivileged attacker to bypass restrictions and gain read access to privileged memory. To fully mitigate this vulnerability, system administrators must apply both hardware “microcode” updates and software patches that enable new functionality.

Resolving The Problem

Upgrade to the latest PDA-OS release, PDA-OS-Security-RHx-2018-06 (*), to resolve this issue completely.

Resolved variants in the PDA-OS-2018-06 release:

  • RHEL 5: Variants 1, 2 and 3 are resolved in PDA OS security patch PDA-OS-2018-06.

Variant 4 (CVE-2018-3639) is not yet resolved, as a fix is not yet available from the 3rd party.

The OSCAP report will list the RHSAs related to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754 (variants 1, 2 and 3): RHSA-2018:0292-01 and RHSA-2018:1196-01.

Verification: The 3rd-party supplied vulnerability checker script will report a patched RHEL 5 system as "Not Vulnerable" for all variants.

  • RHEL 6: Variants 1, 2 and 3 are resolved in PDA OS security patch PDA-OS-2018-06.

The OSCAP report will list the RHSA related to CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754 (variants 1, 2 and 3): RHSA-2018:0512-01.

Verification: The 3rd-party supplied vulnerability checker script will report a patched RHEL 6 system as "Not Vulnerable" for all variants.

Variant 4 (CVE-2018-3639) is not yet completely resolved, as a microcode update is not yet available from the 3rd party. A corrective microcode update will be released at a future date.

(* RHx: x refers to 5 or 6, depending on the RHEL version of the system where the upgrade is being performed.)
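
The verification steps above depend on a 3rd-party checker script that this page does not include. As an added example (not IBM's or the 3rd party's script), the shell function below reads the kernel's own per-CVE status for the four variants named on this page; it assumes the installed kernel exposes the standard Linux `/sys/devices/system/cpu/vulnerabilities` directory, which the page does not confirm for PDA-OS kernels.

```shell
#!/bin/sh
# Added example: summarise kernel-reported mitigation status for the four CVEs
# named on this page. Assumption: the kernel provides the standard Linux sysfs
# directory below (not confirmed by the page for PDA-OS kernels).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status <sysfs text> -> prints not-vulnerable, vulnerable or unknown.
# The kernel writes "Not affected", "Mitigation: ..." or "Vulnerable...".
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo "not-vulnerable" ;;
        "Vulnerable"*)                  echo "vulnerable" ;;
        *)                              echo "unknown" ;;
    esac
}

# check_variants [dir] -> prints one line per CVE: "<CVE> <state> <raw text>".
# Returns 0 if every variant is mitigated or not affected, 1 if any variant is
# vulnerable, 2 if none is vulnerable but at least one entry is missing.
check_variants() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in \
        "CVE-2017-5753:spectre_v1" \
        "CVE-2017-5715:spectre_v2" \
        "CVE-2017-5754:meltdown" \
        "CVE-2018-3639:spec_store_bypass"
    do
        cve=${pair%%:*}      # text before the colon
        file=${pair#*:}      # sysfs file name after the colon
        raw=""
        if [ -r "$dir/$file" ]; then
            raw=$(cat "$dir/$file")
        fi
        state=$(classify_status "$raw")
        printf '%s %s %s\n' "$cve" "$state" "${raw:-<no sysfs entry>}"
        if [ "$state" = "vulnerable" ]; then
            rc=1
        elif [ "$state" = "unknown" ] && [ "$rc" -eq 0 ]; then
            rc=2
        fi
    done
    return "$rc"
}
```

Run `check_variants` with no argument on the host being verified; a missing entry (exit status 2) means the kernel does not report that variant, not that the system is safe.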

 

---------------------------------------
IMPORTANT Enhancement
---------------------------------------

The following modules have been added in RHEL 6 PDA-OS-Security to resolve
Spectre/Meltdown CVE-2017-5715 (variant #2):
kmod-elx-lpfc (N2001, N2002, N3001)
kmod-mpt3sas (N3001-001)

The 3rd-party supplied vulnerability checker script will report a RHEL 6 system
as "Vulnerable" for CVE-2017-5715 (variant #2) if these modules are not updated.


Document Information

Modified date: 17 October 2019

UID: ibm10725527