SpectreAndMeltdown

Differences between revisions 23 and 24
Revision 23 as of 2018-01-11 23:15:53
Size: 6812
Editor: emilyr
Comment:
Revision 24 as of 2018-01-12 01:03:18
Size: 6468
Editor: emilyr
Comment: removed outdated note
Deletions are marked like this. Additions are marked like this.
Line 69: Line 69:
The original coordinated disclosure date was planned for January 9 and we have been driving toward that date to release fixes. Due to the early disclosure, we are trying to accelerate the release, but we don't yet have an earlier ETA when the updates will be released. We will release Ubuntu Security Notices when the updates are available.

Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown)

It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory. To address the issue, updates to the Ubuntu kernel and processor microcode will be needed. These updates will be announced in future Ubuntu Security Notices once they are available.

Status

Mitigations have been released for the following packages:

Firefox

USN-3516-1

WebKitGTK+

USN-3530-1

NVIDIA graphics drivers

USN-3521-1

intel-microcode

USN-3531-1

Meltdown (CVE-2017-5754) kernel fixes have landed for the amd64 architecture:

Ubuntu version

Kernel Version

Variant

USN

17.10

4.13

generic/lowlatency

USN-3523-1

16.04 LTS

4.13 HWE

generic/lowlatency/gke/gcp/oem/azure/lpae

USN-3523-2

16.04 LTS

4.4

generic/lowlatency/euclid/aws/kvm

USN-3522-3

14.04 LTS

4.4 HWE

generic/lowlatency/aws

USN-3522-4

14.04 LTS

3.13

generic/lowlatency

USN-3524-1

12.04 ESM

3.13 HWE

generic

USN-3524-2

12.04 ESM

3.2

generic

USN-3525-1

Spectre (CVE-2017-5715, CVE-2017-5753) fixes have not been released yet.

Timeline

  • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA
  • 2017 Nov 20: the CRD is established as 2018-01-09
  • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products
  • 2018 Jan 03: issue becomes public a few days before the CRD

  • 2018 Jan 04: Canonical publicly communicates the planned update schedule

  • 2018 Jan 04: Mozilla releases timing attack mitigations

  • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1

  • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:

    Package

    Version

    Series

    linux

    4.4.0-108.131

    Xenial 16.04

    linux

    4.13.0-25.29

    Artful 17.10

    linux-aws

    4.4.0-1048.57

    Xenial 16.04

    linux-aws

    4.4.0-1010.10

    Trusty 14.04

    linux-azure

    4.13.0-1005.7

    Xenial 16.04

    linux-euclid

    4.4.0-9022.23

    Xenial 16.04

    linux-gcp

    4.13.0-1006.9

    Xenial 16.04

    linux-hwe-edge

    4.13.0-25.29~16.04.1

    Xenial 16.04

    linux-kvm

    4.4.0-1015.20

    Xenial 16.04

    linux-lts-xenial

    4.4.0-108.131~14.04.1

    Trusty 14.04

    linux-oem

    4.13.0-1015.16

    Xenial 16.04

  • 2018 Jan 09: NVIDIA driver updates published, see USN-3521-1

  • 2018 Jan 09: Ubuntu kernel updates are made available in USN 3522-1 (Ubuntu 16.04 LTS), USN 3523-1 (Ubuntu 17.10), USN 3522-2 (Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (Ubuntu 14.04 LTS).

  • 2018 Jan 09: Notification issued for livepatch users to reboot after applying kernel update.

  • 2017 Jan 11: Updates to the intel-microcode package were released, see see USN-3531-1

  • <TBD>: Core image updates

Cloud Images

CVE Tracker

Note

This article will be updated periodically with new information as it becomes available until the issue has been resolved.

Ubuntu 17.04 and 4.10 HWE early end of life

SecurityTeam/KnowledgeBase/SpectreAndMeltdown (last edited 2019-10-15 22:59:54 by dannf)