Variant4
| Size: 7273 Comment: Update virt-ssbd information | Size: 7951 Comment: re-work arm status and add intel-microcode USN | 
| Line 19: | Line 19: | 
| Ubuntu users are recommended to update to the latest kernel, qemu, and intel-microcode packages. Ubuntu 18.04 LTS, 17.10, 16.04 LTS, and 14.04 LTS were affected. 12.04 ESM remains affected but updates are in progress. | Ubuntu users are recommended to update to the latest kernel, qemu, libvirt, and intel-microcode packages. Ubuntu 18.04 LTS, 17.10, 16.04 LTS, and 14.04 LTS were affected. 12.04 ESM remains affected but updates are in progress. | 
| Line 21: | Line 21: | 
| To address the issues, the majority of users should ensure that linux-image-4.15.0-22-generic 4.15.0-22.24 (Ubuntu 18.04 LTS, [[https://usn.ubuntu.com/3652-1|USN 3652-1]]), linux-image-4.13.0-43-generic 4.13.0-43.48 (Ubuntu 17.10, [[https://usn.ubuntu.com/3653-1|USN 3653-1]]), linux-image-4.4.0-127-generic 4.4.0-127.153 (Ubuntu 16.04 LTS, [[https://usn.ubuntu.com/3654-1|USN 3654-1]]), or linux-image-3.13.0-149-generic 3.13.0-149.199 (Ubuntu 14.04 LTS, [[https://usn.ubuntu.com/3655-1|USN 3655-1]]) is installed. Users of non-generic Ubuntu kernels should consult the published Ubuntu Security Notices for version information. | ==== Bare Metal and Virtual Machines with Intel Processors ==== | 
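Review bot: The new side of this Line 21 hunk replaces the sentence that named the fixed kernel package versions (for example linux-image-4.15.0-22-generic 4.15.0-22.24) with only the section heading, so the page no longer states which package version carries the fix. Consider keeping the versions, for instance as an extra column in the table introduced in the next hunk, so readers can compare against their installed kernel without opening each USN.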
| Line 23: | Line 23: | 
| QEMU updates, which allow virtual machines to make use of SSBD support with x86 Intel processors, are available. Users should ensure that qemu 1:2.11+dfsg-1ubuntu7.2 (Ubuntu 18.04 LTS), qemu 1:2.10+dfsg-0ubuntu3.7 (Ubuntu 17.10), qemu 1:2.5+dfsg-5ubuntu10.29 (Ubuntu 16.04 LTS), and qemu 2.0.0+dfsg-2ubuntu1.42 (Ubuntu 14.04 LTS) is installed. These updates were announced in [[ https://usn.ubuntu.com/3651-1/ | USN-3651-1 ]]. | QEMU and kernel updates were released to allow bare metal Ubuntu systems to make use of SSBD. Additionally, these updates allow virtualized Ubuntu systems to make use of SSBD with x86 Intel processors. Consult the following table for version information: || '''Package''' || '''USN''' || || Linux Kernel (18.04 LTS) || [[https://usn.ubuntu.com/3652-1/|USN-3652-1]] || || Linux Kernel (17.10) || [[https://usn.ubuntu.com/3653-1/|USN-3653-1]] || || Linux Kernel (16.04 LTS) || [[https://usn.ubuntu.com/3654-1/|USN-3654-1]], [[https://usn.ubuntu.com/3653-2/|USN-3653-2]] || || Linux Kernel (14.04 LTS) || [[https://usn.ubuntu.com/3655-1/|USN-3655-1]], [[https://usn.ubuntu.com/3654-2/|USN-3654-2]] || || QEMU || [[https://usn.ubuntu.com/3651-1/|USN-3651-1]] || || intel-microcode || [[https://usn.ubuntu.com/3756-1/|USN-3756-1]] || <<BR>> The required intel-microcode updates are not available at this time. Canonical will continue to work with Intel and release intel-microcode updates once they're production ready. In the meantime, you may be able to access updated microcode for your processor in the form of OEM firmware updates. ==== Virtual Machines with AMD Processors ==== | 
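Review bot: On the new side of this Line 23 hunk, the added table row lists intel-microcode with USN-3756-1, yet the paragraph after `<<BR>>` still says "The required intel-microcode updates are not available at this time." The two statements disagree; reword or drop the paragraph so it matches the row. The lead-in "Consult the following table for version information" also no longer fits, since the table lists only USNs and no versions.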
| Line 28: | Line 40: | 
| || Linux Kernel (18.04 LTS) || [[https://usn.ubuntu.com/3678-1/|USN-3678-1]] || | || Linux Kernel (18.04 LTS) || [[https://usn.ubuntu.com/3678-1/|USN-3678-1]], [[https://usn.ubuntu.com/3678-3/|USN-3678-3]] || | 
| Line 35: | Line 47: | 
| The required intel-microcode updates are not available at this time. Canonical will continue to work with Intel and release intel-microcode updates once they're production ready. In the meantime, you may be able to access updated microcode for your processor in the form of OEM firmware updates. | ==== ARM64 Processors ==== Kernel updates were released to Ubuntu 18.04 LTS to address CVE-2018-3639 on some ARM64 processors. The updated kernels will dynamically mitigate the speculative store bypass vulnerability on [[https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability|Cortex-A76]] and the Cavium ThunderX2 processor family with the appropriate firmware update. Consult the following table for Ubuntu kernel version information: || '''Package''' || '''USN''' || || Linux Kernel (18.04 LTS) || [[https://usn.ubuntu.com/3777-1/|USN-3777-1]] || || Linux HWE Kernel (16.04 LTS) || [[https://usn.ubuntu.com/3777-2/|USN-3777-2]] || | 
Speculative Store Bypass (CVE-2018-3639 aka GPZ Variant 4)
Ken Johnson of the Microsoft Security Response Center (MSRC) and Jann Horn of Google Project Zero (GPZ) independently discovered another variant of a cache speculation timing side channel attack, similar to the issues previously disclosed under the names Spectre and Meltdown.
With this variant, currently known as Variant 4, systems with microprocessors utilizing speculative execution and speculative execution of a memory read, before the addresses of all prior memory writes are known, may allow unauthorized disclosure of information to an attacker with local user access via a side channel analysis. More colloquially, in one example, Variant 4 can reveal the value of stored data when a load following a store speculatively retrieves the earlier value.
Mitigations
Some mitigations for Spectre v2 also help to mitigate some of the effects of this vulnerability; for example, the reduction in timer precision in browsers renders this variant much more difficult to exploit.
The Speculative Store Bypass vulnerability can be mitigated by setting the newly defined Speculative Store Bypass Disable (SSBD) bit in the IA32_SPEC_CTRL Model-Specific Register (MSR) of x86 processors. Support for this mitigation requires updated microcode for Intel processors. New microcode is not needed for AMD processors.
In Ubuntu, SSBD is OFF by default because it is not needed by most programs and carries a notable performance impact. A prctl() has been added (PR_SPEC_STORE_BYPASS) that enables developers to opt into the mitigation on a per-process basis. Applications using a seccomp filter will be implicitly opted into the mitigations. This means that strict and devmode snaps, processes inside of LXD containers, sandboxed processes of the Firefox and Chromium browsers, among some other processes running in a default Ubuntu install on x86 processors, will have the SSBD mitigation enabled out of the box.
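The per-process opt-in described above, as an added example that is not part of the original page or Ubuntu's own code. It uses the kernel's PR_GET_SPECULATION_CTRL and PR_SET_SPECULATION_CTRL prctl operations with PR_SPEC_STORE_BYPASS; the `ssb_*` function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>   /* PR_*_SPECULATION_CTRL and PR_SPEC_* constants */

/* 1 if the state word has PR_SPEC_DISABLE or PR_SPEC_FORCE_DISABLE set. */
int ssb_mitigated(int state)
{
    return (state & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* Query the calling thread's Speculative Store Bypass state.
 * Returns the PR_SPEC_* bitmask, or -errno when the prctl fails. */
int ssb_query(void)
{
    int r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Opt the calling thread in to SSBD when the kernel allows per-task control.
 * Returns the resulting state, or -errno. */
int ssb_opt_in(void)
{
    int state = ssb_query();
    if (state < 0 || !(state & PR_SPEC_PRCTL) || ssb_mitigated(state))
        return state;          /* error, not controllable, or already on */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
              PR_SPEC_DISABLE, 0, 0) < 0)
        return -errno;
    return ssb_query();        /* re-read so the caller sees the real state */
}

int main(void)
{
    int state = ssb_opt_in();
    if (state < 0)
        printf("speculation control unavailable (errno %d)\n", -state);
    else if (state == PR_SPEC_NOT_AFFECTED)
        puts("CPU not affected by speculative store bypass");
    else
        printf("SSBD %s for this process%s\n",
               ssb_mitigated(state) ? "enabled" : "NOT enabled",
               (state & PR_SPEC_PRCTL) ? "" : " (fixed by boot policy)");
    return 0;
}
```

The control applies to the calling thread, so a program that wants the mitigation everywhere should call this early in main(), before it creates other threads.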
Users can explicitly opt in to SSBD mitigations, on a system-wide basis, by booting with the spec_store_bypass_disable=on boot parameter. See the Mitigation Controls page for details on available boot options.
Update Status
Ubuntu users are recommended to update to the latest kernel, qemu, libvirt, and intel-microcode packages. Ubuntu 18.04 LTS, 17.10, 16.04 LTS, and 14.04 LTS were affected. 12.04 ESM remains affected but updates are in progress.
Bare Metal and Virtual Machines with Intel Processors
QEMU and kernel updates were released to allow bare metal Ubuntu systems to make use of SSBD. Additionally, these updates allow virtualized Ubuntu systems to make use of SSBD with x86 Intel processors. Consult the following table for version information:
| Package | USN |
| Linux Kernel (18.04 LTS) | USN-3652-1 |
| Linux Kernel (17.10) | USN-3653-1 |
| Linux Kernel (16.04 LTS) | USN-3654-1, USN-3653-2 |
| Linux Kernel (14.04 LTS) | USN-3655-1, USN-3654-2 |
| QEMU | USN-3651-1 |
| intel-microcode | USN-3756-1 |

The required intel-microcode updates are not available at this time. Canonical will continue to work with Intel and release intel-microcode updates once they're production ready. In the meantime, you may be able to access updated microcode for your processor in the form of OEM firmware updates.
Virtual Machines with AMD Processors
Additional QEMU, libvirt, and kernel updates were released to allow virtual machines to make use of SSBD support with x86 AMD processors. Consult the following table for version information:
| Package | USN |
| Linux Kernel (18.04 LTS) | USN-3678-1, USN-3678-3 |
| Linux Kernel (17.10) | |
| Linux Kernel (16.04 LTS) | |
| Linux Kernel (14.04 LTS) | |
| QEMU | |
| libvirt | |
ARM64 Processors
Kernel updates were released to Ubuntu 18.04 LTS to address CVE-2018-3639 on some ARM64 processors. The updated kernels will dynamically mitigate the speculative store bypass vulnerability on Cortex-A76 and the Cavium ThunderX2 processor family with the appropriate firmware update. Consult the following table for Ubuntu kernel version information:
| Package | USN |
| Linux Kernel (18.04 LTS) | USN-3777-1 |
| Linux HWE Kernel (16.04 LTS) | USN-3777-2 |
Verifying Your System
To check if your system is protected against CVE-2018-3639, you can run the following command and compare the output:
```
$ cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
```
The example above shows a system that is mitigated against CVE-2018-3639.
A system that is not running an updated kernel will not have the file indicating the vulnerability status and the system should be considered vulnerable:
```
$ cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
cat: /sys/devices/system/cpu/vulnerabilities/spec_store_bypass: No such file or directory
```
If the file exists but the system does not have updated microcode, or an updated hypervisor in the case of a virtual machine, the output will indicate that the system is vulnerable:
```
$ cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Vulnerable
```
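The three cases above can be checked programmatically. The following is an added example, not code from the original page. It also separates per-process opt-in ("via prctl ...") from a system-wide mitigation; the bare "Speculative Store Bypass disabled" and "Not affected" strings come from the upstream kernel rather than this page, and the `ssb_*` names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

enum ssb_status {
    SSB_NO_REPORT,     /* file missing: kernel not updated, treat as vulnerable */
    SSB_VULNERABLE,    /* kernel updated, but no microcode/hypervisor support */
    SSB_OPT_IN,        /* SSBD only for tasks that use prctl() or seccomp */
    SSB_SYSTEM_WIDE,   /* SSBD on for every task */
    SSB_NOT_AFFECTED,
    SSB_UNKNOWN        /* unrecognised text: review by hand */
};

/* Classify one line of spec_store_bypass output. */
enum ssb_status ssb_classify(const char *line)
{
    static const char mit[] = "Mitigation: Speculative Store Bypass disabled";
    if (strncmp(line, "Vulnerable", 10) == 0)    return SSB_VULNERABLE;
    if (strncmp(line, "Not affected", 12) == 0)  return SSB_NOT_AFFECTED;
    if (strncmp(line, mit, sizeof mit - 1) != 0) return SSB_UNKNOWN;
    /* A "via prctl" suffix means per-process opt-in, not blanket protection. */
    return strstr(line + (sizeof mit - 1), "via prctl") ? SSB_OPT_IN
                                                        : SSB_SYSTEM_WIDE;
}

/* Read the status file at `path`; a missing or unreadable file is reported
 * as SSB_NO_REPORT rather than as an error. */
enum ssb_status ssb_read(const char *path)
{
    char line[256];
    FILE *f = fopen(path, "r");
    if (!f)
        return SSB_NO_REPORT;
    char *ok = fgets(line, sizeof line, f);
    fclose(f);
    return ok ? ssb_classify(line) : SSB_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "no report (assume vulnerable)", "vulnerable",
        "mitigation available per process", "mitigated system-wide",
        "not affected", "unknown" };
    puts(names[ssb_read(
        "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")]);
    return 0;
}
```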
References
For more information on these issues, please see the following reference documents:
Timeline
- 2018 May 21 at 21:00 UTC: the issue is made public
- 2018 May 21: Linux kernel updates are released
- 2018 May 21: QEMU updates are released
- 2018 Jun 11: Linux kernel updates are released that allow SSBD to be used in KVM based virtual machines when using an AMD processor
- 2018 Jun 12: QEMU and libvirt updates are released that allow SSBD to be used in KVM based virtual machines when using an AMD processor
SecurityTeam/KnowledgeBase/Variant4 (last edited 2025-04-17 11:51:20 by lucistanescu)