EGI SVG Advisories

Advisory-SVG-CVE-2017-5753

Title:   EGI SVG 'ADVISORY' **UPDATE 2** [TLP:WHITE] 'CRITICAL' risk processor
         vulnerabilities - Meltdown and Spectre

Date:    2018-01-03
Updated: 2018-01-04, 2018-01-11, 2018-01-23

**UPDATED 2018-01-23**: Deadline for CVE-2017-5754 & CVE-2017-5753 mitigation

Affected software and risk
==========================

'CRITICAL' risk vulnerabilities concerning processors in common usage,
including Intel.

Package : Intel and other processors
CVE ID  : CVE-2017-5754 - Meltdown (Variant 3) - Only affects Intel chips.
        : CVE-2017-5753 - Spectre (Variant 1) - Affects a wide range of chips
        : CVE-2017-5715 - Spectre (Variant 2) - Affects a wide range of chips


Actions required/recommended
============================

This advisory is under constant revision; links to detailed public information
and patches are being published on the EGI SVG wiki at [R 1] as soon as they
are available to us. Please check frequently.

Meltdown (Variant 3) and Spectre (Variant 1): All sites MUST update their kernel
and reboot before 9am (CET) on Tuesday morning next week (30th January),
i.e. 2018-01-30T09:00:00+01:00.
Priority should be given to services with direct user access, such as
ssh gateways, user interfaces (UIs), VOBoxes and Worker Nodes (WNs).
Failure to update within this time-frame will be followed up as per our
Critical Vulnerability Handling procedure [R 3].

Spectre (Variant 2): Given the instabilities reported by Intel in its own
microcode [R 4] and Red Hat removing said microcode from its packages, there
is currently no known, simple and supported mitigation for this vulnerability.
Sites are encouraged to follow closely the updates from their software and
hardware vendors, who might be releasing specific fixes.
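
As an added example (not part of the EGI advisory), the following POSIX shell
check lets a site administrator confirm, after the kernel update and reboot,
which of the three CVEs above the running kernel reports as mitigated. It
assumes a kernel that exposes the sysfs vulnerabilities interface under
/sys/devices/system/cpu/vulnerabilities/ (introduced upstream in Linux 4.15 and
backported by distribution vendors); the optional directory argument and the
CVE-to-file mapping are this example's own, and a kernel that does not expose
the interface is reported as UNKNOWN rather than as mitigated.

```shell
#!/bin/sh
# Hypothetical helper (not from the advisory): report the running kernel's
# own view of the Meltdown/Spectre mitigations. Reads the files the Linux
# kernel exposes under /sys/devices/system/cpu/vulnerabilities/. An optional
# directory argument overrides that path so the logic can be exercised
# against constructed sample files.

# Map the advisory's CVE IDs to the sysfs file names.
cve_to_sysfs() {
    case "$1" in
        CVE-2017-5754) echo meltdown ;;      # Meltdown (Variant 3)
        CVE-2017-5753) echo spectre_v1 ;;    # Spectre (Variant 1)
        CVE-2017-5715) echo spectre_v2 ;;    # Spectre (Variant 2)
        *) return 1 ;;
    esac
}

# Print "<CVE> <verdict> (<kernel text>)" for one CVE. Exit 0 only when the
# kernel reports "Not affected" or "Mitigation: ...". A missing file means the
# kernel predates the interface, which a site should treat as not yet patched.
check_cve() {
    dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    name=$(cve_to_sysfs "$1") || return 2
    f="$dir/$name"
    if [ ! -r "$f" ]; then
        echo "$1 UNKNOWN (no $f; kernel does not report mitigation status)"
        return 1
    fi
    status=$(cat "$f")
    case "$status" in
        "Not affected"*|"Mitigation:"*) echo "$1 OK ($status)"; return 0 ;;
        *) echo "$1 VULNERABLE ($status)"; return 1 ;;
    esac
}

# Check all three CVEs; exit 0 only if every one is covered.
check_all() {
    rc=0
    for cve in CVE-2017-5754 CVE-2017-5753 CVE-2017-5715; do
        check_cve "$cve" "$1" || rc=1
    done
    return $rc
}

# Usage: sh check_mitigations.sh [sysfs-dir]
check_all "$1"
```

Note that this reports only what the kernel believes about itself; it does not
replace checking that the vendor kernel package actually installed is the
patched version.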


TLP and URL
===========

** WHITE information - Unlimited distribution - see
https://go.egi.eu/tlp for distribution restrictions **

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2017-5753

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 2].

Note that this procedure has been updated and the latest version was approved
by the Operations Management Board in November 2017.


References
==========

[R 1] https://advisories.egi.eu/Meltdown_and_Spectre_Vulnerabilities.html

[R 2] https://documents.egi.eu/public/ShowDocument?docid=3145

[R 3] https://go.egi.eu/wiki/sec03

[R 4] https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Credit
======

Raul Lopes from Brunel alerted the UK security discussion list, which included
members of the EGI SVG.


Timeline
========

Yyyy-mm-dd  [EGI-SVG-2018-13959]

2018-01-03 SVG alerted to this issue by Raul Lopes
2018-01-03 Not enough information to fully assess, but potentially critical
2018-01-03 Decided to send 'Heads up' and drafted
2018-01-03 'Heads Up' sent to sites
2018-01-04 Patches available for most Linux systems
2018-01-04 Advisory sent to sites
2018-01-09 Advisory updated - to temporarily remove deadline
           and link to wiki for more information
2018-01-23 Advisory updated - to distinguish between Meltdown, Spectre(1),
           Spectre(2) and specify action in each case
2018-02-02 Advisory changed to TLP:WHITE and placed on wiki

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".

The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 5], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group