January 27, 2023

Menu

Skip to content
  • Log in
  • Entries RSS
  • Comments RSS
  • WordPress.org
Header image

LogoLong White Virtual Cloudsu by

all things Nutanix, VMware, cloud and virtualizing business critical applications

By Michael Webster

Menu

Skip to content
  • Home
  • About
  • Author
  • Oracle
  • Calendar
  • Books
  • Free Tools
  • Merchandise

Security Alert: The Spectre of a Meltdown in your Datacenter or Cloud

Posted by Michael Webster on January 6, 2018 in Business Critical Applications, Cloud, Nutanix, Security, VMware | 933 Views | Leave a response

If you have not yet seen or heard about 3 serious security vulnerabilities (Spectre and Meltdown) that become public last week then you need to be across them fast (CVE-2017-5715, 5753 and 5754). They represent the largest and widest ranging computing ecosystem security problem that I’ve seen in a long time, and have had a response across the entire enterprise and consumer computing industry as a result. One of the issues (Meltdown) is Intel specific, the other issues impact multiple CPU architectures (Intel, ARM, AMD, Power etc). Although patches for some products have been released already the full solutions are expected to take some time to resolve. All of the major IT vendors have given response to the issues their top priority. This article will contain key links to information that you need to know to prepare and determine the risk for your particular environment.

There are three specific variants for the issues:

Variant 1 (Spectre) – Bounds Check Bypass (CVE-2017-5753 – CVSSv3 8.2)
Variant 2 (Spectre) – Branch Target Injection (CVE-2017-5715 – CVSSv3 8.2)
Variant 3 (Meltdown) – Rogue Data Cache Load (CVE-2017-5754 – CVSSv3 7.9)

The starting point should be the industry created site to aggregate the research data for these issues – https://spectreattack.com/.

Then you should review the specific academic research papers and documentation:

Meltdown Academic Paper – https://meltdownattack.com/meltdown.pdf
Spectre Academic Paper – https://spectreattack.com/spectre.pdf
Google Project Zero – https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with- side.html

Then there are a number of vendor released security advisories:

Intel Security Advisory (INTEL-SA-00088) – https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA- 00088&languageid=en-fr
Microsoft Security Advisory (ADV180002) – https://portal.msrc.microsoft.com/en-US/security- guidance/advisory/ADV180002
Citrix Security Advisory (CTX231390) – https://support.citrix.com/article/CTX231390
VMware Security Advisory – https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Cert Advisory (VU#584653) – http://www.kb.cert.org/vuls/id/584653
Nutanix Security Advisories (#7 -Side-Channel Speculative Execution Vulnerabilities) – https://portal.nutanix.com/#/page/static/securityAdvisories

Individual CVE Links:

CVE-2017-5753 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
CVE-2017-5715 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
CVE-2017-5754 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754

There have been performance concerns with regards to the fixes and RedHat has done some specific research on this and it is available – https://access.redhat.com/articles/3307751.

Final Word

As you can see from the research and various papers and advisories that are available the security vulnerabilities are wid