TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance


    Original release date: January 04, 2018
    Systems Affected

    CPU hardware implementations
    Overview

    On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities, known as Meltdown and Spectre, that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
    Description

    CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC’s Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre, Google Project Zero, and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel mitigations for this vulnerability, referred to as KAISER and subsequently KPTI, aim to improve separation of kernel and user memory pages.
    Impact

    Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
    Solution

    NCCIC encourages users and administrators to refer to their OS vendors for the most recent information. However, the table provided below lists available advisories and patches. Because the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.
    After patching, performance may be diminished by up to 30 percent. Administrators should ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect if possible.
    Additionally, impacts to availability in some cloud service providers (CSPs) have been reported as a result of patches to host OSes. Users and administrators who rely on cloud infrastructure should work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.
    The following table contains links to advisories and patches published in response to the vulnerabilities.
    Amazon January 4, 2018
    AMD January 4, 2018
    Android January 4, 2018
    Apple January 4, 2018
    ARM January 4, 2018
    CentOS January 4, 2018
    Chromium January 4, 2018
    Citrix January 4, 2018
    F5 January 4, 2018
    Google January 4, 2018
    Huawei January 4, 2018
    IBM January 4, 2018
    Intel January 4, 2018
    Lenovo January 4, 2018
    Linux January 4, 2018
    Microsoft Azure January 4, 2018
    Microsoft January 4, 2018
    Mozilla January 4, 2018
    NVIDIA January 4, 2018
    OpenSuSE January 4, 2018
    Red Hat January 4, 2018
    SuSE January 4, 2018
    Trend Micro January 4, 2018
    VMware January 4, 2018
    Xen January 4, 2018
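
    For Linux hosts, one way to confirm after patching whether the kernel reports KPTI and the Spectre mitigations as active. This is an added example, not part of the NCCIC advisory; it assumes the kernel exposes the sysfs directory /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later, and vendor backports), and the sample file contents in demo() are constructed.

```python
import os
import tempfile

# Real Linux interface (kernel 4.15+ and vendor backports); not named in the advisory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")
PREFIXES = (("Not affected", "not_affected"), ("Mitigation:", "mitigated"),
            ("Vulnerable", "vulnerable"))

def classify(text):
    """Map one sysfs status line to a coarse state."""
    for prefix, state in PREFIXES:
        if text.strip().startswith(prefix):
            return state
    return "unknown"

def audit(root=SYSFS_DIR, issues=ISSUES):
    """Return {issue: (state, raw_line)}. A missing file means the kernel does not
    report this issue, so check its patch level against the vendor advisory."""
    report = {}
    for name in issues:
        try:
            with open(os.path.join(root, name), encoding="utf-8") as fh:
                raw = fh.read().strip()
            report[name] = (classify(raw), raw)
        except OSError:
            report[name] = ("unreported", "")
    return report

def needs_attention(report):
    """Issues not confirmed as mitigated or not affected."""
    return sorted(name for name, (state, _) in report.items()
                  if state not in ("mitigated", "not_affected"))

def demo():
    """Audit constructed sample files (not output captured from a real host)."""
    samples = {"meltdown": "Mitigation: PTI\n",
               "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(tmp)

if __name__ == "__main__":
    report = audit() if os.path.isdir(SYSFS_DIR) else demo()
    for issue, (state, raw) in sorted(report.items()):
        print(f"{issue:12} {state:12} {raw}")
    print("needs attention:", needs_attention(report))
```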
    Revision History

    • January 4, 2018: Initial version

