Ubuntu Wiki

Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown)

It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory. To address the issue, updates to the Ubuntu kernel and processor microcode will be needed. These updates will be announced in future Ubuntu Security Notices once they are available.

Status

Mitigations have been released for the following packages:

Meltdown (CVE-2017-5754) kernel fixes have landed for the amd64 architecture:

Spectre (CVE-2017-5715, CVE-2017-5753) fixes have not been released yet.

Timeline

• 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA
• 2017 Nov 20: the CRD is established as 2018-01-09
• 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products

• 2018 Jan 03: issue becomes public a few days before the CRD

• 2018 Jan 04: Canonical publicly communicates the planned update schedule

• 2018 Jan 04: Mozilla releases timing attack mitigations

• 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1

• 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:

  Package	Version	Series
  linux	4.4.0-108.131	Xenial 16.04
  linux	4.13.0-25.29	Artful 17.10
  linux-aws	4.4.0-1048.57	Xenial 16.04
  linux-aws	4.4.0-1010.10	Trusty 14.04
  linux-azure	4.13.0-1005.7	Xenial 16.04
  linux-euclid	4.4.0-9022.23	Xenial 16.04
  linux-gcp	4.13.0-1006.9	Xenial 16.04
  linux-hwe-edge	4.13.0-25.29~16.04.1	Xenial 16.04
  linux-kvm	4.4.0-1015.20	Xenial 16.04
  linux-lts-xenial	4.4.0-108.131~14.04.1	Trusty 14.04
  linux-oem	4.13.0-1015.16	Xenial 16.04

• 2018 Jan 09: NVIDIA driver updates published, see USN-3521-1

• 2018 Jan 09: Ubuntu kernel updates are made available in USN 3522-1 (Ubuntu 16.04 LTS), USN 3523-1 (Ubuntu 17.10), USN 3522-2 (Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (Ubuntu 14.04 LTS).

• 2018 Jan 09: Notification issued for livepatch users to reboot after applying kernel update.

• Cloud images are available for download from http://cloud-images.ubuntu.com for the following releases:

  Release	Serial
  trusty	20180110
  xenial	20180109
  artful	20180109

  • As release images are published in clouds many are indexed @ https://cloud-images.ubuntu.com/locator/ This tool can be used to find images with the above serials, or later, with applicable fixes.

• <TBD>: Core image updates

CVE Tracker

• Spectre - CVE-2017-5715

• Spectre - CVE-2017-5753

• Meltdown - CVE-2017-5754

Note

The original coordinated disclosure date was planned for January 9 and we have been driving toward that date to release fixes. Due to the early disclosure, we are trying to accelerate the release, but we don't yet have an earlier ETA when the updates will be released. We will release Ubuntu Security Notices when the updates are available.

This article will be updated periodically with new information as it becomes available until the issue has been resolved.

Ubuntu 17.04 and 4.10 HWE early end of life

• Ubuntu 17.04's note that it will not be getting the Meltdown/Spectre fixes.

• The Rolling HWE kernel for Ubuntu 16.04 will go to 4.13 early, instead of also fixing 4.10 HWE kernel.