SpectreAndMeltdown

Differences between revisions 43 and 44
Revision 43 as of 2018-01-22 16:37:45
Size: 9713
Editor: tyhicks
Comment:
Revision 44 as of 2018-01-22 18:35:41
Size: 9806
Editor: bryanquigley
Comment: intel posted a public update so bring back link
Deletions are marked like this. Additions are marked like this.
Line 13: Line 13:
|| intel-microcode || --([[https://usn.ubuntu.com/usn/usn-3531-1/|USN-3531-1]])-- || Reverted in [[https://usn.ubuntu.com/usn/usn-3531-2/|USN-3531-2]] at Intel's request || || intel-microcode || --([[https://usn.ubuntu.com/usn/usn-3531-1/|USN-3531-1]])-- || Reverted in [[https://usn.ubuntu.com/usn/usn-3531-2/|USN-3531-2]] at [[https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr|Intel's request]] ||

Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown)

It was discovered that a new class of side channel attacks impact most processors, including processors from Intel, AMD, and ARM. The attack allows malicious userspace processes to read kernel memory and malicious code in guests to read hypervisor memory. To address the issue, updates to the Ubuntu kernel and processor microcode will be needed. These updates will be announced in future Ubuntu Security Notices once they are available.

Latest Informational Post: Spectre Mitigation Updates Available for Testing in Ubuntu Proposed

Status

Mitigations have been released for the following packages:

Firefox

USN-3516-1

WebKitGTK+

USN-3530-1

NVIDIA graphics drivers

USN-3521-1

intel-microcode

USN-3531-1

Reverted in USN-3531-2 at Intel's request

Meltdown (CVE-2017-5754) kernel fixes have landed for the amd64 architecture:

Ubuntu version

Kernel Version

Variant

USN

17.10

4.13

generic/lowlatency

USN-3523-1

16.04 LTS

4.13 HWE

generic/lowlatency/gke/gcp/oem/azure/lpae

USN-3523-2

16.04 LTS

4.4

generic/lowlatency/euclid/aws/kvm

USN-3522-3

14.04 LTS

4.4 HWE

generic/lowlatency/aws

USN-3522-4

14.04 LTS

3.13

generic/lowlatency

USN-3524-1

12.04 ESM

3.13 HWE

generic

USN-3524-2

12.04 ESM

3.2

generic

USN-3525-1

Spectre (CVE-2017-5715, CVE-2017-5753) mitigations have been released into the -proposed pocket for testing for the following releases and kernel versions.

Ubuntu version

Kernel Version

17.10

4.13

16.04 LTS

4.13 HWE

16.04 LTS

4.4

14.04 LTS

4.4 HWE

14.04 LTS

3.13

Timeline

  • 2017 Nov 09: the Ubuntu Security team is notified by Intel under NDA
  • 2017 Nov 20: the CRD is established as 2018-01-09
  • 2017 Dec: the Ubuntu Security team receives notifications from additional silicon vendors about the impact to their products
  • 2018 Jan 03: issue becomes public a few days before the CRD

  • 2018 Jan 04: Canonical publicly communicates the planned update schedule

  • 2018 Jan 04: Mozilla releases timing attack mitigations

  • 2018 Jan 05: Ubuntu Firefox updates are made available in USN 3516-1

  • 2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:

    Package

    Version

    Series

    linux

    4.4.0-108.131

    Xenial 16.04

    linux

    4.13.0-25.29

    Artful 17.10

    linux-aws

    4.4.0-1048.57

    Xenial 16.04

    linux-aws

    4.4.0-1010.10

    Trusty 14.04

    linux-azure

    4.13.0-1005.7

    Xenial 16.04

    linux-euclid

    4.4.0-9022.23

    Xenial 16.04

    linux-gcp

    4.13.0-1006.9

    Xenial 16.04

    linux-hwe-edge

    4.13.0-25.29~16.04.1

    Xenial 16.04

    linux-kvm

    4.4.0-1015.20

    Xenial 16.04

    linux-lts-xenial

    4.4.0-108.131~14.04.1

    Trusty 14.04

    linux-oem

    4.13.0-1015.16

    Xenial 16.04

  • 2018 Jan 09: NVIDIA driver updates published, see USN-3521-1

  • 2018 Jan 09: Ubuntu kernel updates are made available in USN 3522-1 (Ubuntu 16.04 LTS), USN 3523-1 (Ubuntu 17.10), USN 3522-2 (Ubuntu 14.04 LTS (HWE)), and USN-3524-1 (Ubuntu 14.04 LTS).

  • 2018 Jan 09: Notification issued for livepatch users to reboot after applying kernel update.

  • 2018 Jan 10: Updates for the pc-kernel snaps for Meltdown are released to the stable channel
  • 2018 Jan 11: Updates to the intel-microcode package were released, see USN-3531-1

    • NOTE: These updates were reverted on 2018 Jan 22

  • 2018 Jan 11: Core image updates for amd64 and i386 are published

  • 2018 Jan 12: Linux kernel version 4.13.0-29.32 for Artful 17.10 with Spectre mitigations is available in artful-proposed for testing.

  • 2018 Jan 16: Linux kernel version 4.4.0-111.134 for 16.04 and 3.13.0-140.189 for 14.04 with Spectre mitigations is available in the respective -proposed pocket for testing.

  • 2018 Jan 17: Linux kernel version 4.13.0-30.33 for Ubuntu Bionic with Spectre mitigations is available in the bionic-proposed pocket for testing.

  • 2018 Jan 22: Previous updates to the intel-microcode package were reverted at Intel's request, see USN-3531-2

Cloud Images

  • Cloud images which address CVE-2017-5754 are available for download from https://cloud-images.ubuntu.com for the following releases:

    Release

    Serial

    trusty

    20180110

    xenial

    20180109

    artful

    20180109

    • As release images are published in clouds many are indexed @ https://cloud-images.ubuntu.com/locator/ This tool can be used to find images with the above serials, or later, with applicable fixes.

    • Note: A small number of systems running linux 4.4.0-108.131 were affected by LP: #1741934 which was fixed in 4.4.0-109.132. Cloud instances were not affected by the bug. Cloud images created using 4.4.0-108.131 and its derivatives (for example, linux-aws 4.4.0-1047.56) have the mitigations for Meltdown.

Ubuntu Core images

Canonical officially supports reference kernel snaps for amd64 (pc-kernel), i386 (pc-kernel), rpi2/rpi3 (pi2-kernel) and dragonboard (dragonboard-kernel). Updates for affected architectures for Meltdown are available:

Early Raspberry Pi 2 boards use the Cortex-A7 processor and later versions use the Cortex-A53 processor. Raspberry Pi 3 boards use the Cortex-A53 processor. 96boards Dragonboard 410c boards use the Cortex-A53. According to ARM, none of these devices support speculative execution and are therefore unaffected by Spectre and Meltdown.

CVE Tracker

Note

This article will be updated periodically with new information as it becomes available until the issue has been resolved.

Ubuntu 17.04 and 4.10 HWE early end of life

SecurityTeam/KnowledgeBase/SpectreAndMeltdown (last edited 2019-10-15 22:59:54 by dannf)