[cumulus-security-announce] Cumulus Networks Security Advisory: Meltdown and Spectre, Modern CPU Vulnerabilities

Cumulus Networks Security Announcements cumulus-security-announce at lists.cumulusnetworks.com
Thu Jan 4 19:52:22 PST 2018


-------------------------------------------------------------------------
Cumulus Networks® Security Advisory
2018-January-4
-------------------------------------------------------------------------

CPU hardware implementations are vulnerable to side-channel attacks 
referred to as Meltdown and Spectre. These attacks are described in 
detail by CERT/CC's Vulnerability Note VU#584653[1], the United Kingdom 
National Cyber Security Centre's guidance on Meltdown and Spectre, 
Google Project Zero, and the Institute of Applied 
Information Processing and Communications (IAIK) at Graz University of 
Technology (TU Graz). The Linux kernel mitigations for this 
vulnerability are referred to as KAISER, and subsequently KPTI, which 
aim to improve separation of kernel and user memory pages.

The Common Vulnerabilities and Exposures formally associated with 
Meltdown and Spectre are:

* CVE-2017-5753[2]: Bounds check bypass (Spectre)
* CVE-2017-5715[3]: Branch target injection (Spectre)
* CVE-2017-5754[4]: Rogue data cache load (Meltdown)

To exploit these vulnerabilities in Cumulus Linux, an attacker needs to 
have local access to the system.

Cumulus Networks is evaluating, porting, and testing patches to Cumulus 
Linux. Cumulus will release software updates as soon as they become 
available, and we will announce any updates on the 
cumulus-security-announce mailing list[5]. At this point, the 
performance impact of the fixes is unclear; the extent of the impact 
depends on the operating system, the nature of the fix and the workload 
of the system.

If you have any questions, please contact us at support at cumulusnetworks.com.

The Cumulus Networks Team

[1]: https://www.kb.cert.org/vuls/id/584653
[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
[5]: https://lists.cumulusnetworks.com/listinfo/cumulus-security-announce
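
An added example, not part of the Cumulus Networks advisory: a shell check that maps the three CVEs listed above to the per-vulnerability status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities. That interface exists in mainline 4.15 and later and in distribution backports; its presence on a given Cumulus Linux release is an assumption, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report kernel mitigation status for the advisory's three CVEs.
# Assumption: the running kernel provides the sysfs directory below; when a
# file is missing the state is reported as "unknown", not as "safe".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify STATUS_LINE -> mitigated | vulnerable | not-affected | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# cve_status DIR FILE -> classification of one sysfs entry
cve_status() {
    if [ -r "$1/$2" ]; then
        classify "$(head -n 1 "$1/$2")"
    else
        echo unknown   # kernel predates the reporting interface
    fi
}

# report [DIR] -> one line per CVE; returns 1 unless every entry is
# mitigated or not-affected
report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in CVE-2017-5753:spectre_v1 \
                CVE-2017-5715:spectre_v2 \
                CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        file=${pair##*:}
        state=$(cve_status "$dir" "$file")
        printf '%s %-12s %s\n' "$cve" "$file" "$state"
        case "$state" in
            mitigated|not-affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live system, or against a directory given as $1.
report "${1:-}" || echo "at least one CVE is unmitigated or unreported"
```

An "unknown" result on a switch that has not yet received the vendor update means the kernel cannot report its state, so the installed kernel version has to be checked against the vendor's release notes instead.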