CVSS3: 5.6 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4.7 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N

Elevation of Privilege/Information Disclosure
Source: HP, HP Product Security Response Team (PSRT)
Reported by: Google Project Zero
An industry-wide vulnerability, exploited through a method known as side-channel analysis, has been disclosed in modern CPUs that use speculative execution. Speculative execution is an important technique for optimizing CPU performance: the processor executes instructions before it has determined whether those instructions are required.
Researchers have nicknamed these vulnerabilities Spectre and Meltdown. Exploits using this technique could access privileged memory, including kernel memory and encrypted secrets. The result could potentially lead to a loss of sensitive information.
The mitigation requires both a processor microcode update and an operating system update. A hypervisor update may also be required.
> Note:
>
> The BIOS version published in the affected platform list is the minimum BIOS version that includes the processor microcode update for this vulnerability. Subsequent versions of BIOS also contain the update for this vulnerability.
It is important to note that HP’s security bulletins list the first BIOS version which includes an update for the vulnerability. Subsequent BIOS versions also include these updates.
> Note:
>
> The January 2018 Windows security update will only be offered to devices running supported anti-virus (AV) applications.
>
> If you do not see the patch available to download from Windows Update, your anti-virus software may need to be updated.
Microsoft Windows OS updates (Windows 7 through Windows 10) are required. Microsoft has made patches/updates available via Windows Update.
Processor microcode updates are being released via BIOS updates. Relevant BIOS updates can be downloaded from the platform list below.
Both the Microsoft Windows OS update and the processor microcode update are required for remediation.
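One way to check the "both updates are required" condition on a Windows machine, as an added example that is not part of HP's bulletin. It assumes Microsoft's SpeculationControl PowerShell module for the live check and the QualityCompat registry value Microsoft documented for the January 2018 anti-virus compatibility gate; the function names and the sample object are constructed for illustration.

```powershell
# Added example, not HP's or Microsoft's code. Property names are those returned by
# Get-SpeculationControlSettings (Microsoft's SpeculationControl module).
function Test-SpectreMeltdownRemediation {
    param(
        [Parameter(Mandatory)] $Settings,            # object from Get-SpeculationControlSettings
        [Parameter(Mandatory)] [bool] $AvCompatKeySet
    )
    $findings = @()
    # Microcode (delivered in the BIOS update) exposes the branch target injection controls.
    if (-not $Settings.BTIHardwarePresent) {
        $findings += 'Processor microcode missing: install the BIOS update for this platform.'
    }
    # The Windows update supplies OS support for both mitigations.
    if (-not $Settings.BTIWindowsSupportPresent -or
        ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportPresent)) {
        $findings += 'Windows OS update missing.'
        if (-not $AvCompatKeySet) {
            $findings += 'AV compatibility value not set: update the anti-virus product so Windows Update offers the patch.'
        }
    }
    # OS support installed but inactive (for example because the microcode is absent).
    if ($Settings.BTIWindowsSupportPresent -and -not $Settings.BTIWindowsSupportEnabled) {
        $findings += 'Branch target injection mitigation is installed but not enabled.'
    }
    [pscustomobject]@{ Remediated = ($findings.Count -eq 0); Findings = $findings }
}

function Test-AvCompatKey {
    # Registry value that compatible anti-virus products set (REG_DWORD 0).
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $v = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$name -eq 0)
}

# Constructed sample: Windows update installed, BIOS/microcode update not yet applied.
$sample = [pscustomobject]@{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true; BTIWindowsSupportEnabled = $false
    KVAShadowRequired = $true; KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true
}
Test-SpectreMeltdownRemediation -Settings $sample -AvCompatKeySet $true | Format-List

# Live check on this machine, only if the SpeculationControl module is installed.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $live = Get-SpeculationControlSettings
    Test-SpectreMeltdownRemediation -Settings $live -AvCompatKeySet (Test-AvCompatKey) | Format-List
}
```

For the constructed sample the result is `Remediated : False` with two findings: the missing microcode and the installed-but-inactive mitigation.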
Google Chrome and Google Chrome OS (e.g. Chromebooks) have software updates. Refer to the Google link below for more information.
Software patches from other OS vendors may also be required. Contact your OS vendor for potential software patches.
Hypervisors could also be affected. Check with your hypervisor vendor for potential software patches.