Lucene search

K
cloudfoundryCloud FoundryCFOUNDRY:F862BE9A087FA6B59D4299BADF8089DC
HistoryJul 19, 2018 - 12:00 a.m.

USN-3690-2: AMD Microcode regression | Cloud Foundry

2018-07-1900:00:00
Cloud Foundry
www.cloudfoundry.org
301

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04

Description

USN-3690-1 provided updated microcode for AMD processors to address CVE-2017-5715 (aka Spectre). Unfortunately, the update caused some systems to fail to boot. This update reverts the update for Ubuntu 14.04 LTS.

We apologize for the inconvenience.

Original advisory details:

Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.

This update provides the microcode updates for AMD 17H family processors required for the corresponding Linux kernel updates.

Affected Cloud Foundry Products and Versions

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • 3363.x versions prior to 3363.68
    • 3421.x versions prior to 3421.69
    • 3445.x versions prior to 3445.54
    • 3468.x versions prior to 3468.54
    • 3541.x versions prior to 3541.36
    • 3586.x versions prior to 3586.26
    • All other stemcells not listed.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • The Cloud Foundry project recommends upgrading the following BOSH stemcells:
    • Upgrade 3363.x versions to 3363.68
    • Upgrade 3421.x versions to 3421.69
    • Upgrade 3445.x versions to 3445.54
    • Upgrade 3468.x versions to 3468.54
    • Upgrade 3541.x versions to 3541.36
    • Upgrade 3586.x versions to 3586.26
    • All other stemcells should be upgraded to the latest version available on bosh.io.

References

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

0.975 High

EPSS

Percentile

100.0%