CVSS3: 5.6 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4.7 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:M/Au:N/C:C/I:N/A:N
Unauthorized exposure of privileged data from memory.
Source: HP, HP Product Security Response Team (PSRT)
Reported By:
CVE-2018-3639: Google Project Zero (GPZ), Microsoft Security Response Center (MSRC)
CVE-2018-3640: Researchers from SYSGO AG and BiZone LLC
Derivatives of speculative execution side-channel analysis methods publicly disclosed in January 2018 can be exploited to facilitate the unauthorized exposure of privileged data from memory.
More information is available at the following links:
Intel’s Security Advisory (in English)
AMD’s Security Advisory (in English)
Microsoft’s Security Advisory:
ADV180012 | Microsoft Guidance for Speculative Store Bypass (in English) for CVE-2018-3639
ADV180013 | Microsoft Guidance for Rogue System Register Read (in English) for CVE-2018-3640
HP’s Security Bulletin - HPSBHF03573 - Side-Channel Analysis Method
HP is working with processor vendors for mitigation of this issue. This bulletin will be updated; check back frequently for updates to this section and other sections. HP is identifying affected platforms and target dates for Softpaqs. See the current list below.