5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.975 High
EPSS
Percentile
100.0%
IBM has released the following UEFI fixes for System x, Flex and BladeCenter systems in response to the vulnerability known as Spectre (CVE-2017-5715).
Summary
IBM has released the following UEFI fixes for System x, Flex and BladeCenter systems in response to the vulnerability known as Spectre (CVE-2017-5715).
Vulnerability Details
CVEID: CVE-2017-5715
Affected Products and Versions
System Name | Affected Version |
---|---|
BladeCenter HS22 1911/1936/7809/7870 | |
BladeCenter HS22V 1949/7871 | p9e1 |
BladeCenter HS23 7875/1929 | tke1 |
BladeCenter HS23E 8038/8039 | ahe1 |
BladeCenter HX5 7872/1909/1910/7873 | hie1 |
Flex System x220 2585/7906 | kse1 |
Flex System x222 7916 | cce1 |
Flex System x240 7863/8737/8738/8956 | b2e1 |
Flex System x280, x480, x880 7903 | n2e1 |
Flex System x440 7917 | cne1 |
System x iDataPlex dx360 M2 | |
System x iDataPlex dx360 M3 | tme1 |
System x iDataPlex dx360 M4 7912/7913 | tde1 |
System x NeXtScale nx360 M4 5455 | fhe1 |
System x3200 M3 7327/7328 | |
System x3250 M3 4251/4252/4261 | gye1 |
System x3400 M2 7836/7837 | |
System x3400 M3 7378/7379 | |
System x3500 M2 7839 | |
System x3500 M3 7380 | y4e1 |
System x3550 M2 4198/7946 | |
System x3550 M3 4254/7944 | |
System x3650 M2 4199/7947 | |
System x3650 M3 4255/7945 | d6e1 |
System x3620 M3 7376 | |
System x3630 M3 7377 | hse1 |
System x3100 M4 2582 | |
System x3250 M4 2583 | jqe1 |
System x3100 M5 5457 | j9e1 |
System x3250 M5 5458 | jue1 |
System x3300 M4 7382 | yae1 |
System x3500 M4 7383 | y5e1 |
System x3550 M4 7914 | d7e1 |
System x3630 M4 7158 | |
System x3530 M4 7160 | bee1 |
System x3650 M4 7915 | |
System x3650 M4 HD 5460 | vve1 |
System x3650 M4 BD 5466 | yoe1 |
System x3690 x5 7147/7148/7149/7192 | mle1 |
System x3750 M4 8718/8722/8733/8752 | koe1 |
System x3850 x5 7145/7146 | |
System x3950 x5 7143/7191 | g0e1 |
System x3850 x6 3837/3839 | |
System x3950 x6 3839 | a8e1 |
Remediation/Fixes
Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/>
It is recommended to update to the firmware level listed below, or later version.
System Name | Fixed Version |
---|---|
BladeCenter HS22 1911/1936/7809/7870 | |
BladeCenter HS22V 1949/7871 | |
(ibm_fw_uefi_p9e164c-1.28_windows_32-64 | |
ibm_fw_uefi_p9e164c-1.28_linux_32-64) | p9e164c-1.28 |
BladeCenter HS23 7875/1929 | |
(ibm_fw_uefi_tke152c-2.01_anyos_32-64) | tke152c-2.01 |
BladeCenter HS23E 8038/8039 | |
(ibm_fw_uefi_ahe154c-2.52_anyos_32-64) | ahe154c-2.52 |
BladeCenter HX5 7872/1909/1910/7873 | |
(ibm_fw_uefi_hie187b-1.87_linux_32-64 | |
ibm_fw_uefi_hie187b-1.87_windows_32-64) | hie187b-1.87 |
Flex System x220 2585/7906 | |
(ibm_fw_uefi_kse152c-2.02_anyos_32-64) | kse152c-2.02 |
Flex System x222 7916 | |
(ibm_fw_uefi_cce152d-1.61_anyos_32-64) | cce152d-1.61 |
Flex System x240 7863/8737/8738/8956 | |
(ibm_fw_uefi_b2e156d-2.01_anyos_32-64) | b2e156d-2.01 |
Flex System x280, x480, x880 7903 | |
(ibm_fw_uefi_n2e126d-1.71_anyos_32-64) | n2e126d-1.71 |
Flex System x440 7917 | |
(ibm_fw_uefi_cne158c-1.91_anyos_32-64) | cne158c-1.91 |
System x iDataPlex dx360 M2 | |
System x iDataPlex dx360 M3 | |
(ibm_fw_uefi_tme162a-1.42_linux_32-64 | |
ibm_fw_uefi_tme162a-1.42_windows_32-64) | tme162a-1.42 |
System x iDataPlex dx360 M4 7912/7913 | |
(ibm_fw_uefi_tde150c-1.92_anyos_32-64) | tde150c-1.92 |
System x NeXtScale nx360 M4 5455 | |
(ibm_fw_uefi_fhe116d-1.71_anyos_32-64) | fhe116d-1.71 |
System x3200 M3 7327/7328 | |
System x3250 M3 4251/4252/4261 | |
(ibm_fw_uefi_gye163a-1.20_linux_32-64 | |
ibm_fw_uefi_gye163a-1.20_windows_32-64) | gye163a-1.20 |
System x3400 M2 7836/7837 | |
System x3400 M3 7378/7379 | |
System x3500 M2 7839 | |
System x3500 M3 7380 | |
(ibm_fw_uefi_y4e160c-1.16_linux_32-64 | |
ibm_fw_uefi_y4e160c-1.16_windows_32-64) | y4e160c-1.16 |
System x3550 M2 4198/7946 | |
System x3550 M3 4254/7944 | |
System x3650 M2 4199/7947 | |
System x3650 M3 4255/7945 | |
(ibm_fw_uefi_d6e163a-1.21_linux_32-64 | |
ibm_fw_uefi_d6e163a-1.21_windows_32-64) | d6e163a-1.21 |
System x3620 M3 7376 | |
System x3630 M3 7377 | |
(ibm_fw_uefi_hse126b-1.15_linux_32-64 | |
ibm_fw_uefi_hse126b-1.15_windows_32-64) | hse126b-1.15 |
System x3100 M4 2582 | |
System x3250 M4 2583 | |
(ibm_fw_uefi_jqe180c-1.71_anyos_32-64) | jqe180c-1.71 |
System x3100 M5 5457 | |
(ibm_fw_uefi_j9e128f-1.62_anyos_32-64) | j9e128f-1.62 |
System x3250 M5 5458 | |
(ibm_fw_uefi_jue128f-1.62_anyos_32-64) | jue128f-1.62 |
System x3300 M4 7382 | |
(ibm_fw_uefi_yae152c-1.91_anyos_32-64) | yae152c-1.91 |
System x3500 M4 7383 | |
(ibm_fw_uefi_y5e152e-2.31_anyos_32-64) | y5e152e-2.31 |
System x3550 M4 7914 | |
(ibm_fw_uefi_d7e160d-2.51_anyos_32-64) | d7e160d-2.51 |
System x3630 M4 7158 | |
System x3530 M4 7160 | |
(ibm_fw_uefi_bee160c-2.81_anyos_32-64) | bee160c-2.81 |
System x3650 M4 7915 | |
System x3650 M4 HD 5460 | |
(ibm_fw_uefi_vve156d-2.51_anyos_32-64) | vve156d-2.51 |
System x3650 M4 BD 5466 | |
(ibm_fw_uefi_yoe122d-2.01_anyos_32-64) | yoe122d-2.01 |
System x3690 x5 7147/7148/7149/7192 | |
(ibm_fw_uefi_mle187b-1.87_linux_32-64 | |
ibm_fw_uefi_mle187b-1.87_windows_32-64) | mle187b-1.87 |
System x3750 M4 8718/8722/8733/8752 | |
(ibm_fw_uefi_koe154c-2.01_anyos_32-64) | koe154c-2.01 |
System x3850 x5 7145/7146 | |
System x3950 x5 7143/7191 | |
(ibm_fw_uefi_g0e187b-1.87_linux_32-64 | |
ibm_fw_uefi_g0e187b-1.87_windows_32-64) | g0e187b-1.87 |
System x3850 x6 3837/3839 | |
System x3950 x6 3839 | |
(ibm_fw_uefi_a8e124h-1.51_anyos_32-64) | a8e124h-1.51 |
Workarounds and Mitigations
None.
References
Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Lenovo Product Security Advisories
Reading Privileged Memory with a Side Channel
Potential CPU security issue with IBM System x, Flex and BladeCenter Systems
Acknowledgement
None.
Change History
09 May, 2018: Additional fixes available (gye1, d6e1, p9e1, hse1, tme1, y4e1)
04 April, 2018: Additional fixes available (hie1, g0e1, mle1)
20 March, 2018: Original Version Published
5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
0.975 High
EPSS
Percentile
100.0%