EGI SVG Advisories

Advisory-SVG-CVE-2023-20569

Title:   EGI SVG 'ADVISORY' HIGH risk AMD CPU Processor Vulnerability
         [EGI-SVG-CVE-2023-20569]

Date:    2023-08-23
Updated: 2024-02-19

Affected software and risk
==========================

HIGH risk vulnerability concerning AMD Processors

Package    : AMD Processors
CVE ID     : CVE-2023-20569
CVSS Score : 5.6 [R 1]

A speculative side channel attack vulnerability known as 'Inception' or 'RAS Poisoning'
has been found affecting AMD processors. This may lead to information disclosure [R 2].

**UPDATE 2024-02-19**

Red Hat has since stated that RHEL 7 is affected and has produced updates.

Actions required/recommended
============================

Sites are recommended to check whether their processors are affected, and then
update the firmware as appropriate.

If anyone becomes aware of any situation where this vulnerability has a
significant impact on the EGI infrastructure then please inform EGI SVG.
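One way for a site to carry out the check recommended above on a Linux host, as an added example that is not part of this advisory: kernels carrying the relevant patches report the Inception (SRSO, "Speculative Return Stack Overflow") mitigation state in /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow, and the script below combines that with the CPU vendor from /proc/cpuinfo. The helper names and the status keywords are this example's own choices; a kernel without the file cannot report on Inception at all, which the script treats as needing attention rather than as safe.

```shell
#!/bin/sh
# Added example (not EGI SVG code): report the Inception/SRSO status of
# a Linux host. Assumes a kernel that exposes the spec_rstack_overflow
# sysfs file; the file and cpuinfo paths can be overridden for testing.

CPUINFO="${CPUINFO:-/proc/cpuinfo}"
SRSO_FILE="${SRSO_FILE:-/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow}"

# Print the vendor_id string (e.g. AuthenticAMD) from a cpuinfo file.
cpu_vendor() {
    grep -m1 '^vendor_id' "$1" 2>/dev/null | awk '{print $NF}'
}

# Map the kernel's one-line report to a status keyword:
#   notaffected | mitigated | vulnerable | unknown
classify_srso() {
    case "$1" in
        "Not affected")   echo notaffected ;;
        "Mitigation:"*)   echo mitigated ;;   # e.g. "Mitigation: Safe RET"
        "Vulnerable"*)    echo vulnerable ;;  # e.g. "Vulnerable: no microcode"
        *)                echo unknown ;;
    esac
}

# Combine CPU vendor and kernel report for one host.
# Usage: inception_status <cpuinfo file> <spec_rstack_overflow file>
inception_status() {
    vendor=$(cpu_vendor "$1")
    if [ "$vendor" != "AuthenticAMD" ]; then
        echo notamd       # Inception is an AMD-specific issue
        return 0
    fi
    if [ ! -r "$2" ]; then
        # Kernel predates the SRSO patches: it cannot tell us anything,
        # so the host still needs firmware/kernel attention.
        echo unknown
        return 0
    fi
    classify_srso "$(cat "$2")"
}

echo "Inception/SRSO status: $(inception_status "$CPUINFO" "$SRSO_FILE")"
```

Hosts reporting "vulnerable" or "unknown" are the ones to follow up with the firmware and kernel updates referenced in this advisory.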

Component installation information
==================================

Sites running RHEL should see [R 1]

Sites running CentOS Stream should also see [R 1]

Sites running Debian should see [R 4]

Sites running Ubuntu should see [R 5]

Sites running RockyLinux should see [R 6]

Sites running AlmaLinux should see [R 7]

More information
================

Details from AMD are available at [R 2].
More information, including a description of the type of vulnerability, is at [R 8].
Further information is at [R 9].

**UPDATE 2024-02-19**

Since RHEL 7 is now said to be affected, derivatives such as Scientific Linux are
likely to be affected.

Although Red Hat and others consider this to be 'Medium' risk, with a CVSS score of 5.6,
we, the EGI SVG, consider it to be 'High' risk because in Grid and Cloud computing
the processors are accessible to a number of people.

There are reports of potentially significant, workflow-dependent performance degradations.

TLP and URL
===========

** WHITE information - Unlimited distribution
 - see https://go.egi.eu/tlp for
   distribution restrictions **

URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-20569
Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu.
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].

References
==========

[R 1] https://access.redhat.com/security/cve/CVE-2023-20569

[R 2] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html

[R 4] https://security-tracker.debian.org/tracker/CVE-2023-20569

[R 5] https://ubuntu.com/security/CVE-2023-20569

[R 6] https://errata.build.resf.org/

[R 7] https://errata.almalinux.org/

[R 8] https://comsec.ethz.ch/research/microarch/inception/

[R 9] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-20569

[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867

Credit
======
SVG was alerted to this vulnerability by Barbara Krasovec

Timeline
========
Yyyy-mm-dd  [EGI-SVG-2023-CVE-2023-20569]

2023-08-09 SVG alerted to this vulnerability by Barbara Krasovec
2023-08--- Investigation of vulnerability and relevance to EGI carried out
2023-08-16 EGI SVG Risk Assessment completed
2023-08-21 Further discussions on risk
2023-08-23 Advisory sent to sites
2024-02-19 Update due to RHEL 7 said to be vulnerable and fixed.
           Placed on advisories.egi.eu

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

-----------------------------
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------

On behalf of the EGI SVG,