Lucene search

K
centosCentOS ProjectCESA-2018:0012
HistoryJan 04, 2018 - 11:40 a.m.

microcode_ctl security update

2018-01-0411:40:52
CentOS Project
lists.centos.org
132

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

CentOS Errata and Security Advisory CESA-2018:0012

The microcode_ctl packages provide microcode updates for Intel and AMD processors.

Security Fix(es):

  • An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715)

Note: This is the microcode counterpart of the CVE-2017-5715 kernel mitigation.

Red Hat would like to thank Google Project Zero for reporting this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2018-January/084859.html

Affected packages:
microcode_ctl

Upstream details at:
https://access.redhat.com/errata/RHSA-2018:0012

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64microcode_ctl<Β 2.1-22.2.el7microcode_ctl-2.1-22.2.el7.x86_64.rpm

1.9 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

0.975 High

EPSS

Percentile

100.0%