== Branch History Injection microarchitectural flaws [CVE-2022-0001 (Intel), CVE-2022-0002 (Intel), CVE-2022-23960 (ARM)] ==

==== Description ====

It was [[ https://www.vusec.net/projects/bhi-spectre-bhb/ | discovered ]] that certain processor internals (the branch history consulted by the indirect branch predictor) can be manipulated by unprivileged user processes such that indirect calls in kernel space speculatively execute 'gadgets' that disclose private information.

So far, such attacks have only been demonstrated to be feasible with eBPF, so Intel recommends disabling unprivileged eBPF and keeping eIBRS enabled. There is no need to reboot in order to disable unprivileged eBPF; re-enabling it afterwards requires a reboot on 5.11 and earlier kernels (see the {{{kernel.unprivileged_bpf_disabled}}} settings below for kernels that let an admin re-enable it without one).

Processors that use retpoline by default (because they do not support eIBRS) have not been shown to be vulnerable to this attack. As other potential attacks may be possible in the future, the use of retpoline is one of the possible mitigations. However, its use alone on some processors that support eIBRS is not recommended, because those processors may fall back to other predictors when the RSB is empty. A patch has therefore been added that allows users to combine eIBRS with retpoline by booting with the command line option {{{spectre_v2=eibrs+retpoline}}}. As retpoline has a performance impact, this was not made the default, so users who are concerned about potential attacks should reboot with this option.

Kernel command line options can be set by editing {{{/etc/default/grub}}}, adding the option to {{{GRUB_CMDLINE_LINUX_DEFAULT}}}, running {{{update-grub}}} afterwards, and rebooting.

Ubuntu is releasing updated kernels that disable unprivileged eBPF by default to address these and other security issues.
Admins can re-enable it if needed via:
{{{
$ sudo sysctl kernel.unprivileged_bpf_disabled=0
}}}
This only works while the current value is '''2'''; a value of '''1''' cannot be changed again until the next boot.

Admins can disable unprivileged eBPF until the next boot, with no way to re-enable it before then, via:
{{{
$ sudo sysctl kernel.unprivileged_bpf_disabled=1
}}}

Admins can disable it, but allow it to be re-enabled by an admin without rebooting, via:
{{{
$ sudo sysctl kernel.unprivileged_bpf_disabled=2
}}}

To see the current status of unprivileged eBPF, do:
{{{
$ sysctl kernel.unprivileged_bpf_disabled
}}}
A result value of '''1''' or '''2''' indicates that unprivileged eBPF is disabled. A value written with {{{sysctl}}} does not survive a reboot: the updated kernels apply the default of '''2''' at boot, and a different persistent choice can be placed in a file under {{{/etc/sysctl.d/}}}.

When unprivileged eBPF is disabled, a process must have the {{{CAP_SYS_ADMIN}}} capability (on Ubuntu 5.4.x and older kernels) or at least one of {{{CAP_SYS_ADMIN}}} and {{{CAP_BPF}}} (on Ubuntu 5.15.x and newer kernels) in order to call the {{{bpf(2)}}} system call.

Unprivileged eBPF has been disabled by default, with the option for an admin to re-enable it via sysctl, in Ubuntu since the introduction of 5.13 and newer kernels in Ubuntu 21.10 and the Ubuntu 20.04.4 LTS hardware enablement (HWE) kernels. Support for disabling unprivileged eBPF with the possibility of re-enabling it without a reboot has been backported to the 5.4, 4.15, and 4.4 kernels, and was made the default setting there as of 2022-03-08.
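The following helper is an added example, not code from this wiki page or from the Ubuntu kernel team. It ties together the checks described above (the {{{spectre_v2}}} status the kernel exports under {{{/sys/devices/system/cpu/vulnerabilities/}}}, the {{{kernel.unprivileged_bpf_disabled}}} sysctl, and the running command line in {{{/proc/cmdline}}}) and performs the {{{/etc/default/grub}}} edit for {{{spectre_v2=eibrs+retpoline}}} in a form that can be tried on a copy of the file first. The function names and report wording are the example's own; the sample status line in the comments is constructed, since the exact text of the sysfs file varies between kernel versions.

```shell
#!/bin/sh
# Added example; not code from the Ubuntu wiki page or from Canonical.
# Audits the BHI-related settings described on the page and offers a helper
# for the GRUB_CMDLINE_LINUX_DEFAULT edit. Functions take their input as
# arguments so they can be exercised on sample data away from a real host.

q='"'

# Meaning of kernel.unprivileged_bpf_disabled, as documented for the sysctl.
bpf_state() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled; cannot be re-enabled until reboot" ;;
        2) echo "disabled; admin may re-enable via sysctl" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# 0 if a spectre_v2 status line reports retpolines in use, 1 otherwise.
# Constructed sample: "Mitigation: Enhanced IBRS + Retpolines, IBPB: conditional"
# Only the substring is matched because the wording differs across kernels.
retpoline_in_use() {
    case "$1" in
        *[Rr]etpoline*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if a kernel command line selects spectre_v2=eibrs+retpoline, 1 otherwise.
cmdline_selects_eibrs_retpoline() {
    case " $1 " in
        *" spectre_v2=eibrs+retpoline "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a GRUB_CMDLINE_LINUX_DEFAULT="..." line with OPTION appended,
# unchanged if OPTION is already present or the line is not that variable.
add_grub_option() {
    line=$1; opt=$2
    case "$line" in
        *"$opt"*) printf '%s\n' "$line" ;;
        GRUB_CMDLINE_LINUX_DEFAULT=\"\") printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$opt" ;;
        GRUB_CMDLINE_LINUX_DEFAULT=\"*\") printf '%s\n' "${line%$q} $opt$q" ;;
        *) printf '%s\n' "$line" ;;
    esac
}

# Rewrite FILE (normally /etc/default/grub) so its GRUB_CMDLINE_LINUX_DEFAULT
# line carries OPTION. Writes through the existing file to keep its mode and
# owner. The caller still has to run update-grub and reboot afterwards.
apply_grub_option() {
    file=$1; opt=$2
    tmp=$(mktemp) || return 1
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in
            GRUB_CMDLINE_LINUX_DEFAULT=*) add_grub_option "$l" "$opt" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done < "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Report the live state of this host; every read tolerates a missing source.
audit_host() {
    bpf=$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo "?")
    v2=$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null || echo "unavailable")
    cmd=$(cat /proc/cmdline 2>/dev/null || true)
    echo "unprivileged eBPF: $(bpf_state "$bpf")"
    echo "spectre_v2: $v2"
    if retpoline_in_use "$v2"; then
        echo "retpoline: in use"
    elif cmdline_selects_eibrs_retpoline "$cmd"; then
        echo "retpoline: requested on the command line but not reported; check the running kernel"
    else
        echo "retpoline: not in use (boot with spectre_v2=eibrs+retpoline to add it alongside eIBRS)"
    fi
}

audit_host
```

Run as-is, the script only reports. To apply the mitigation from the page, run {{{apply_grub_option /etc/default/grub spectre_v2=eibrs+retpoline}}} as root, then {{{update-grub}}}, then reboot; re-running the audit afterwards should show retpoline in the {{{spectre_v2}}} line.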
==== References ====

 * VUSec advisory with link to research paper: https://www.vusec.net/projects/bhi-spectre-bhb/
 * Intel advisory: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
 * Intel guidance: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
 * Intel blog post: https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/Chips-Salsa-Episode-12-March-2022-Security-Advisories/post/1365250
 * ARM advisory: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb
 * ARM whitepaper (linked from advisory): https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/Security%20Update%2008%20March%202022/Spectre-BHB%20White%20Paper%20v1.6.pdf
 * ARM knowledge base article: https://developer.arm.com/documentation/ka004995/latest/
 * Linux kernel {{{unprivileged_bpf_disabled}}} sysctl configuration documentation: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled
 * Linux kernel {{{spectre_v2}}} boot parameter documentation: https://docs.kernel.org/admin-guide/kernel-parameters.html

==== Updates ====

Ubuntu users are recommended to update to the latest kernel.
The majority of users should ensure that the following kernel packages are installed:

|| '''Ubuntu Release''' || '''Base Kernel''' || '''Hardware Enablement (HWE) Kernel''' ||
|| 21.10 || [[ https://launchpad.net/ubuntu/+source/linux/5.13.0-35.40 | linux-image-5.13.0-35-generic 5.13.0-35.40 ]] || N/A ||
|| 20.04 LTS || [[ https://launchpad.net/ubuntu/+source/linux/5.4.0-104.118 | linux-image-5.4.0-104-generic 5.4.0-104.118 ]] || [[ https://launchpad.net/ubuntu/+source/linux-hwe-5.13/5.13.0-35.40~20.04.1 | linux-image-5.13.0-35-generic 5.13.0-35.40~20.04.1 ]] ||
|| 18.04 LTS || [[ https://launchpad.net/ubuntu/+source/linux/4.15.0-171.180 | linux-image-4.15.0-171-generic 4.15.0-171.180 ]] || [[ https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-104.118~18.04.1 | linux-image-5.4.0-104-generic 5.4.0-104.118~18.04.1 ]] ||
|| 16.04 ESM || {{{linux-image-4.4.0-221-generic}}} 4.4.0-221.254 || {{{linux-image-4.15.0-171-generic}}} 4.15.0-171.180~16.04.1 ||
|| 14.04 ESM || Not affected: the 3.13 kernel does not support unprivileged eBPF || {{{linux-image-4.4.0-221-generic}}} 4.4.0-221.254~14.04.1 ||

Kernels derived from the above (e.g. cloud-specific kernels) are also receiving the corresponding updates.

==== Timeline ====

 * 2022 Mar 08: VUSec makes their findings public
 * 2022 Mar 08: Ubuntu publishes the following USNs:
  * [[ https://ubuntu.com/security/notices/USN-5317-1 | USN 5317-1 ]] for 5.13 and 5.14 based kernels / Ubuntu 20.04 LTS, Ubuntu 21.10
  * [[ https://ubuntu.com/security/notices/USN-5318-1 | USN 5318-1 ]] for 5.4 based kernels / Ubuntu 20.04 LTS, Ubuntu 18.04 LTS
  * [[ https://ubuntu.com/security/notices/USN-5319-1 | USN 5319-1 ]] for 4.15 and 4.4 based kernels / Ubuntu 18.04 LTS, Ubuntu 16.04 ESM, Ubuntu 14.04 ESM
 * 2022 Mar 09: Updated Ubuntu cloud images became available

==== Public Cloud Image updates ====

 * Amazon AWS: 20220308 or newer
 * Windows Azure: 20220308 or newer
 * Google Compute Engine: 20220308 or newer
 * Ubuntu Core Images: 20220308 or newer

Cloud image dailies will start appearing within 4 hours of the USN announcement. At the direction of the security team, the Cloud Image Team will start manually releasing new images to the public clouds.