CLD-412 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) |
linux |
Deficiency Type |
SECURITY |
Date Created |
2018-05-22 09:01:32 |
Date Last Modified |
2018-05-22 12:15:08 |
Version Specific Information:
Cucumber 1.0 i686 | waiting for upstream to publish patch |
Cucumber 1.0 x86_64 | waiting for upstream to publish patch |
Cucumber 1.1 i686 |
waiting for upstream to publish patch |
Cucumber 1.1 x86_64 |
waiting for upstream to publish patch |
Details:
=================================== Overview ===================================
From
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html:
CVE-2018-3640 - Rogue System Register Read (RSRE) - also known as Variant 3a
Systems with microprocessors utilizing speculative execution and that perform
speculative reads of system registers may allow unauthorized disclosure of
system parameters to an attacker with local user access via a side-channel
analysis.
4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
================================ Initial Report ================================
The original report can be found at:
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
The full white paper can be found at:
https://software.intel.com/sites/default/files/managed/b9/f9/336983-Intel-Analysis-of-Speculative-Execution-Side-Channels-White-Paper.pdf
The reports are too long to post here.
================================= Our Analysis =================================
See our blog post for additional information:
https://sourceforge.net/p/cucumber-linux/blog/2018/05/here-we-go-again-spectre-v3a-cve-2018-3640-and-spectre-v4-cve-2018-3639/
----- Affected Products -----
All versions of the 4.9 series Linux kernel up to and including 4.9.101 are
vulnerable to this. As of this writing (Tue May 22 12:39:14 EDT 2018), 4.9.101
is the latest 4.9 release available; future releases may or may not be
affected.
The Linux kernel as originally packaged on both Cucumber Linux 1.0 and 1.1 is
vulnerable.
----- Scope and Impact of this Vulnerability -----
The full impact of this vulnerability has not been sufficiently verified yet;
however, Intel has indicated that it "may allow unauthorized disclosure of
information to an attacker with local user access."
----- Fix for this Vulnerability -----
As of Tue May 22 12:39:14 EDT 2018, there are no publicly available fixes for
this vulnerability.
================================= Our Solution =================================
We are waiting for the upstream kernel developers and Intel to publish patches.