IBM has released AIX and VIOS iFixes in response to the vulnerabilities known as Spectre and Meltdown.

2018-01-25T08:15:51
ID SPECTRE_MELTDOWN_ADVISORY.ASC
Type aix
Reporter CentOS Project
Modified 2018-08-17T08:05:01

Description

wn_advisory.asc: Version 4

IBM SECURITY ADVISORY

First Issued: Thu Jan 25 08:15:51 CST 2018
| Updated: Fri Aug 17 08:05:01 CDT 2018
| Update: Added a link to the bulletin for CVE-2017-5715, known as Spectre,
|     regarding updated iFixes that are only applicable to some POWER9 systems.
|     The bulletin is available here:
|     http://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     https://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     ftp://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc

The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc

Security Bulletin: IBM has released AIX and VIOS iFixes in response to the vulnerabilities known as Spectre and Meltdown.

===============================================================================

SUMMARY:

IBM has released the following fixes for AIX and VIOS in response to 
CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754.

| iFixes released on August 17, 2018:
|     Updated AIX and VIOS fixes for CVE-2017-5715, known as Spectre, that are
|     only applicable to some POWER9 systems are now available.
|     Please see Security Bulletin:
|     http://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     https://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     ftp://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc

iFixes released on May 22, 2018:
    AIX and VIOS fixes are now available for CVE-2018-3639.
    Please see Security Bulletin:
    http://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc
    https://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc
    ftp://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc

===============================================================================

VULNERABILITY DETAILS:

CVEID: CVE-2017-5715
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

CVEID: CVE-2017-5753
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

CVEID: CVE-2017-5754
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

AFFECTED PRODUCTS AND VERSIONS:


    AIX 5.3 (32-bit and 64-bit kernels), 6.1, 7.1, 7.2
    VIOS 2.2.x

    The vulnerabilities in the following filesets are being addressed:

    key_fileset = aix

    Fileset                 Lower Level  Upper Level KEY 
    ---------------------------------------------------------
    bos.mp                  5.3.12.0     5.3.12.9    key_w_fs
    bos.mp64                5.3.12.0     5.3.12.10   key_w_fs
    bos.mp64                6.1.9.0      6.1.9.300   key_w_fs
    bos.mp64                7.1.4.0      7.1.4.33    key_w_fs
    bos.mp64                7.1.5.0      7.1.5.0     key_w_fs
    bos.mp64                7.2.0.0      7.2.0.5     key_w_fs
    bos.mp64                7.2.1.0      7.2.1.4     key_w_fs
    bos.mp64                7.2.2.0      7.2.2.0     key_w_fs

    To find out whether the affected filesets are installed 
    on your systems, refer to the lslpp command found in AIX user's guide.

    Example:  lslpp -L | grep -i bos.mp64
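
The grep above only shows the installed level; deciding whether that level falls inside one of the listed ranges needs a numeric, field-by-field comparison (6.1.9.45 is below 6.1.9.300, although a string comparison says otherwise). The following is an added example, not part of the IBM advisory or IBM tooling: it assumes the colon-separated layout of `lslpp -Lc` (package, fileset, level in the first three fields) and runs on a constructed sample rather than a live system.

```shell
#!/bin/sh
# Added example (not IBM tooling). Rows copied from the advisory's fileset
# table, one "fileset lower_level upper_level" entry per line.
AFFECTED_RANGES='bos.mp 5.3.12.0 5.3.12.9
bos.mp64 5.3.12.0 5.3.12.10
bos.mp64 6.1.9.0 6.1.9.300
bos.mp64 7.1.4.0 7.1.4.33
bos.mp64 7.1.5.0 7.1.5.0
bos.mp64 7.2.0.0 7.2.0.5
bos.mp64 7.2.1.0 7.2.1.4
bos.mp64 7.2.2.0 7.2.2.0'

# ver_le A B: succeed when dotted level A <= B, comparing each field as a number.
ver_le() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        _x=${_x:-0}; _y=${_y:-0}            # a missing field counts as 0
        if [ "$_x" -lt "$_y" ]; then return 0; fi
        if [ "$_x" -gt "$_y" ]; then return 1; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0                                # all fields equal
}

# is_affected FILESET LEVEL: succeed when LEVEL lies inside a listed range.
is_affected() {
    while read -r _fs _lo _hi; do
        [ "$_fs" = "$1" ] || continue
        if ver_le "$_lo" "$2" && ver_le "$2" "$_hi"; then return 0; fi
    done <<EOF
$AFFECTED_RANGES
EOF
    return 1
}

# check_lslpp: read "lslpp -Lc" style lines on stdin and print one verdict
# per kernel fileset; header and unrelated filesets are ignored.
check_lslpp() {
    while IFS=: read -r _pkg _fileset _level _rest; do
        case $_fileset in bos.mp|bos.mp64) ;; *) continue ;; esac
        if is_affected "$_fileset" "$_level"; then
            echo "$_fileset $_level AFFECTED"
        else
            echo "$_fileset $_level outside-listed-ranges"
        fi
    done
}

# Constructed sample (lines as they might come from different hosts).
SAMPLE_LSLPP='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos:bos.mp64:7.2.1.4: : :C: :Base Operating System 64-bit Multiprocessor Runtime
bos:bos.mp64:6.1.9.315: : :C: :Base Operating System 64-bit Multiprocessor Runtime
bos:bos.rte.libc:7.2.1.4: : :C: :libc Library'

printf '%s\n' "$SAMPLE_LSLPP" | check_lslpp
```

An in-range level means the fileset is covered by this advisory, not that the iFix is missing: an interim fix does not change the fileset level, so installed interim fixes are checked separately with `emgr -l`.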

    Note: AIX or VIOS users of all fileset levels should continue to monitor
    their My Notifications alerts and the IBM PSIRT Blog for additional 
    information about these vulnerabilities:

    - My Notifications
      http://www.ibm.com/support/mynotifications

    - IBM PSIRT Blog - Potential Impact on Processors in the Power Family
      https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

REMEDIATION:

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level APAR     Availability  SP   KEY
        ------------------------------------------------
        5.3.12    IJ03029  N/A           N/A  key_w_apar
        6.1.9     IJ03030  **            SP11 key_w_apar
        7.1.4     IJ03032  **            SP6  key_w_apar
        7.1.5     IJ03033  **            SP2  key_w_apar
        7.2.0     IJ03034  **            SP6  key_w_apar
        7.2.1     IJ03035  **            SP4  key_w_apar
        7.2.2     IJ03036  **            SP2  key_w_apar

        VIOS Level APAR    Availability  SP       KEY
        ------------------------------------------------
        2.2.4     IJ03030  **            2.2.4.60 key_w_apar
        2.2.5     IJ03030  **            2.2.5.40 key_w_apar
        2.2.6     IJ03030  **            2.2.6.20 key_w_apar

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IJ03032
        http://www.ibm.com/support/docview.wss?uid=isg1IJ03033
        http://www.ibm.com/support/docview.wss?uid=isg1IJ03034
        http://www.ibm.com/support/docview.wss?uid=isg1IJ03035
        http://www.ibm.com/support/docview.wss?uid=isg1IJ03036

        https://www.ibm.com/support/docview.wss?uid=isg1IJ03032
        https://www.ibm.com/support/docview.wss?uid=isg1IJ03033
        https://www.ibm.com/support/docview.wss?uid=isg1IJ03034
        https://www.ibm.com/support/docview.wss?uid=isg1IJ03035
        https://www.ibm.com/support/docview.wss?uid=isg1IJ03036

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        AIX and VIOS fixes are available.

        IMPORTANT: Both the AIX/VIOS and FW fixes are required to address
        the vulnerabilities.

        An LPAR system reboot is required to complete the iFix installation,
        or Live Update may be used on AIX 7.2 to avoid a reboot.

        AIX and VIOS iFix Dependency:
        The Power Firmware fix must be applied prior to the LPAR reboot
        (or Live Update) for the fix to be active. If the Power Firmware
        fix is applied after the patched AIX or VIOS LPAR has been rebooted
        (or Live Update completed), the fix must be activated by either:

        1.  Performing an additional reboot of the AIX or VIOS LPAR
        or
        2.  Performing an LPAR migration to a destination frame that already
        has the Power Firmware fix applied.

        Link to the related Power Firmware Security Bulletin and fix
        information:
        http://www-01.ibm.com/support/docview.wss?uid=isg3T1026811

        The AIX/VIOS fixes can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar
        http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar
        https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_fix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and OpenSSL signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level  Interim Fix (*.Z)         KEY
        ----------------------------------------------
        5.3.12.9   IJ03029m9c.180124.epkg.Z  key_w_fix
        5.3.12.9   IJ03029m9a.180117.epkg.Z  key_w_fix
        5.3.12.9   IJ03029m9b.180117.epkg.Z  key_w_fix
        6.1.9.8    IJ03030m8a.180117.epkg.Z  key_w_fix
        6.1.9.9    IJ03030m9a.180116.epkg.Z  key_w_fix
        6.1.9.10   IJ03030mAa.180116.epkg.Z  key_w_fix
        7.1.4.3    IJ03032m3a.180125.epkg.Z  key_w_fix
        7.1.4.3    IJ03032m3b.180125.epkg.Z  key_w_fix
        7.1.4.4    IJ03032m4a.180125.epkg.Z  key_w_fix
        7.1.4.5    IJ03032m5a.180116.epkg.Z  key_w_fix
        7.1.5.0    IJ03033m1a.180116.epkg.Z  key_w_fix
        7.1.5.1    IJ03033m1a.180116.epkg.Z  key_w_fix
        7.2.0.3    IJ03034m3a.180117.epkg.Z  key_w_fix
        7.2.0.4    IJ03034m4a.180117.epkg.Z  key_w_fix
        7.2.0.5    IJ03034m5a.180117.epkg.Z  key_w_fix
        7.2.1.1    IJ03035m1a.180118.epkg.Z  key_w_fix
        7.2.1.1    IJ03035m1b.180118.epkg.Z  key_w_fix
        7.2.1.2    IJ03035m2a.180118.epkg.Z  key_w_fix
        7.2.1.3    IJ03035m3a.180117.epkg.Z  key_w_fix
        7.2.2.0    IJ03036m1a.180116.epkg.Z  key_w_fix
        7.2.2.1    IJ03036m1a.180116.epkg.Z  key_w_fix

        Please note that the above table refers to AIX TL/SP level as
        opposed to fileset level, i.e., 7.2.2.1 is AIX 7200-02-01.

        NOTE:  Multiple iFixes are provided for AIX 5300-12-09,
        7100-04-03, and 7200-01-01.
        IJ03029m9c is for AIX 5300-12-09 with bos.mp fileset level 5.3.12.9.
        IJ03029m9a is for AIX 5300-12-09 with bos.mp64 fileset level 5.3.12.9.
        IJ03029m9b is for AIX 5300-12-09 with bos.mp64 fileset level 5.3.12.10.
        IJ03032m3a is for AIX 7100-04-03 with bos.mp64 fileset level 7.1.4.30.
        IJ03032m3b is for AIX 7100-04-03 with bos.mp64 fileset level 7.1.4.31.
        IJ03035m1a is for AIX 7200-01-01 with bos.mp64 fileset level 7.2.1.1. 
        IJ03035m1b is for AIX 7200-01-01 with bos.mp64 fileset level 7.2.1.2.

        Please reference the Affected Products and Version section above
        for help with checking installed fileset levels.


        VIOS Level  Interim Fix (*.Z)         KEY
        -----------------------------------------------
        2.2.4.30    IJ03030m8a.180117.epkg.Z  key_w_fix
        2.2.4.40    IJ03030m9a.180116.epkg.Z  key_w_fix
        2.2.4.50    IJ03030m9b.180116.epkg.Z  key_w_fix
        2.2.5.10    IJ03030m8a.180117.epkg.Z  key_w_fix
        2.2.5.20    IJ03030m9a.180116.epkg.Z  key_w_fix
        2.2.5.30    IJ03030m9b.180116.epkg.Z  key_w_fix
        2.2.6.0     IJ03030mAa.180116.epkg.Z  key_w_fix
        2.2.6.10    IJ03030mAa.180116.epkg.Z  key_w_fix

        To extract the fixes from the tar file:

        tar xvf spectre_meltdown_fix.tar
        cd spectre_meltdown_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 file" command as the following:


        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM Support at
        http://ibm.com/support/ and describe the discrepancy.

        openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

        openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

        Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc.sig
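
The two checks from "Verify you have retrieved the fixes intact" (SHA-256 sum and OpenSSL signature) can be combined into a gate that fails closed before any package is handed to emgr. This is an added example, not IBM's tooling: it assumes the packages and their `[ifix_file].sig` files sit in one directory and that the checksum rows are supplied on stdin as `<sha256> <filename> KEY`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM tooling); function names are hypothetical.

# sha256_of FILE: print the hex digest. The last output field is used because
# the label openssl prints before the digest differs between versions.
sha256_of() {
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

# verify_sig PUBKEY FILE [DIGEST]: check FILE against FILE.sig.
# DIGEST defaults to sha1, the digest in the advisory's verify command.
verify_sig() {
    [ -s "$2" ] && [ -s "$2.sig" ] || return 2      # missing or empty input
    openssl dgst "-${3:-sha1}" -verify "$1" -signature "$2.sig" "$2" \
        >/dev/null 2>&1
}

# verify_ifixes PUBKEY DIR [DIGEST] < checksum_rows
# Every row must name an existing file whose digest matches and whose
# signature verifies. Succeeds only if at least one row was read and none
# failed, so an empty or truncated checksum list does not pass.
verify_ifixes() {
    _bad=0 _seen=0
    while read -r _sum _name _key; do
        [ -n "$_name" ] || continue                 # skip blank lines
        _seen=$((_seen + 1))
        _f=$2/$_name
        if [ ! -f "$_f" ]; then
            _why="missing"
        elif [ "$(sha256_of "$_f")" != "$_sum" ]; then
            _why="checksum mismatch"
        elif ! verify_sig "$1" "$_f" "${3:-sha1}"; then
            _why="bad or missing signature"
        else
            echo "OK      $_name"
            continue
        fi
        echo "FAILED  $_name ($_why)"
        _bad=$((_bad + 1))
    done
    [ "$_seen" -gt 0 ] && [ "$_bad" -eq 0 ]
}

# Typical use (paths are placeholders):
#   verify_ifixes pubkey.txt spectre_meltdown_fix < checksum_rows.txt \
#       && echo "all packages verified"
```

The checksum rows and the public key should come from a channel independent of the tar file itself; a digest list that travels with the packages only detects transfer damage.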

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: Both the AIX/VIOS and FW fixes are required to address 
        the vulnerabilities.

        An LPAR system reboot is required to complete the iFix installation,
        or Live Update may be used on AIX 7.2 to avoid a reboot.

        AIX and VIOS iFix Dependency:
        The Power Firmware fix must be applied prior to the LPAR reboot
        (or Live Update) for the fix to be active. If the Power Firmware
        fix is applied after the patched AIX or VIOS LPAR has been rebooted
        (or Live Update completed), the fix must be activated by either:

        1.  Performing an additional reboot of the AIX or VIOS LPAR
        or
        2.  Performing an LPAR migration to a destination frame that already
        has the Power Firmware fix applied.

        Link to the related Power Firmware Security Bulletin and fix
        information:
        http://www-01.ibm.com/support/docview.wss?uid=isg3T1026811


        If possible, it is recommended that a mksysb backup of the system 
        be created. Verify it is both bootable and readable before
        proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.
        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

Note: Keywords labeled as KEY in this document are used for parsing
purposes.

If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":

    http://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Contact IBM Support for questions related to this announcement:

    http://ibm.com/support/
    https://ibm.com/support/

To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:

    Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

Please contact your local IBM AIX support center for any
assistance.

REFERENCES:

Complete CVSS v3 Guide:  http://www.first.org/cvss/user-guide
On-line Calculator v3:
    http://www.first.org/cvss/calculator/3.0

RELATED INFORMATION:

IBM Secure Engineering Web Portal
    http://www.ibm.com/security/secure-engineering/bulletins.html

IBM Product Security Incident Response Blog
    https://www.ibm.com/blogs/psirt/

IBM PSIRT Blog - Potential Impact on Processors in the Power Family
    https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Security Bulletin: IBM has released AIX and VIOS iFixes in response to the 
vulnerabilities known as Spectre and Meltdown.
    http://www-01.ibm.com/support/docview.wss?uid=isg3T1026912

| Security Bulletin: IBM has released updated AIX and VIOS fixes for
| CVE-2017-5715, known as Spectre, that are only applicable to some POWER9
| systems.
|     http://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     https://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     ftp://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc

Security Bulletin: IBM has released AIX and VIOS iFixes in response to 
Speculative Store Bypass (SSB), also known as Variant 4.
    http://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc
    https://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc
    ftp://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc

ACKNOWLEDGEMENTS:

The vulnerability was reported to IBM by Google Project Zero.

CHANGE HISTORY:

First Issued: Thu Jan 25 08:15:51 CST 2018 
Updated: Fri Feb  9 14:32:35 CST 2018 
Update: Clarified reboot requirements for the AIX and VIOS
    iFixes, and provided a utility to verify proper iFix installation on
    AIX and VIOS. Refer to the FIXES section for these changes.
    Additional iFixes are now available for:
        AIX 5300-12-09, 32-bit kernel version
        AIX 6100-09-08 and 6100-09-09
        AIX 7100-04-03 and 7100-04-04
        AIX 7200-00-03 and 7200-00-04
        AIX 7200-01-01 and 7200-01-02
        VIOS 2.2.4.30 and 2.2.4.40
        VIOS 2.2.5.10 and 2.2.5.20
        VIOS 2.2.6.0
Updated: Thu May 24 10:34:11 CDT 2018
Update: Added a link to the bulletin for CVE-2018-3639 regarding Speculative
    Store Bypass (SSB), also known as Variant 4:
    http://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc
    https://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc
    ftp://aix.software.ibm.com/aix/efixes/security/variant4_advisory.asc

| Updated: Fri Aug 17 08:05:01 CDT 2018
| Update: Added a link to the bulletin for CVE-2017-5715, known as Spectre,
|     regarding updated iFixes that are only applicable to some POWER9
|     systems.
|     The bulletin is available here:
|     http://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     https://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
|     ftp://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc

===============================================================================

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.