Meltdown and Spectre are critical vulnerabilities present in several modern CPUs. They may allow unauthorized users to gain access to supposedly protected memory areas. These problems affect most CPUs made by Intel, as well as CPUs from AMD and ARM, regardless of the operating system in use.
So far, the following variants of this issue are known:
- Spectre variant 1: bounds check bypass CVE-2017-5753
- Spectre variant 2: branch target injection CVE-2017-5715
- Meltdown (variant 3): rogue data cache load CVE-2017-5754
- Spectre variant 3a: Rogue System Register Read CVE-2018-3640
  - Expected: microcode update
- Spectre variant 4: Speculative Store Bypass CVE-2018-3639
  - Expected: microcode update, QEMU update, libvirt update, OpenJDK, kernel, browser update
- Spectre variant 5: not yet disclosed
- Spectre variant 6: not yet disclosed
- Spectre variant 7: not yet disclosed
- Spectre variant 8: not yet disclosed
We highly recommend installing the latest errata updates released by Univention. If you still use an outdated version of UCS such as UCS 1, UCS 2 or UCS 3, please upgrade. We will only release updates for UCS 4.1-5, UCS 4.2-3+ and UCS 4.3-0. The UCS 4.2 updates will be available for Enterprise and Core Edition users; the UCS 4.1 fixes will only be available for Enterprise users.
Status in UCS:
- 2018-01-09: Erratum 257 has been announced for UCS 4.2 which updates the Linux Kernel to 4.9.75 and fixes Meltdown CVE-2017-5754.
- 2018-01-12: Erratum 491 has been announced for UCS 4.1 which updates the Linux Kernel from 4.1.6 to 4.9.76 and fixes Meltdown CVE-2017-5754.
- 2018-01-29: Erratum 270 has been announced for UCS 4.2 which adds the infrastructure for using "retpoline" to the gcc C compiler. The compiler can be used to mitigate the "Spectre 2" vulnerability by re-compiling susceptible binaries until fixed CPUs or fixed CPU microcode updates are available from the CPU vendors.
- 2018-01-29: Erratum 267 has been announced for UCS 4.2 which updates the Linux Kernel to 4.9.78. This kernel has been built with the new gcc.
- 2018-01-31: Erratum 498 has been announced for UCS 4.1 which updates the backported Linux Kernel to 4.9.78. This kernel has been built with the new gcc.
- 2018-05-09: Erratum 414 has been announced for UCS 4.2 which provides updated microcode released by Intel. Please note that UCS 4.3 systems also pull this package.
- Checking additional microcode updates.
- We are also checking how the Spectre 1 issues can be mitigated.
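
One way to check a host against the kernel versions named in the errata above. This is an added example, not Univention's code. The function names are hypothetical, and the sysfs directory is not mentioned on this page: it is the Linux kernel's own status interface and is only present on kernels that provide it.

```shell
#!/bin/sh
# Added example, not Univention code. The version thresholds are the ones
# named in the errata list; everything else is an assumption.

# version_ge A B: succeed when dotted version A >= B (needs GNU `sort -V`).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_status UPSTREAM_VERSION: classify a 4.9.x kernel by the errata steps.
# Pass the upstream version (e.g. 4.9.78), not the package ABI name that
# `uname -r` prints on Debian-based systems. The second label only holds for
# the UCS errata kernels, which the page says were built with the new gcc.
kernel_status() {
    case "$1" in
        4.9.*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if version_ge "$1" 4.9.78; then
        echo "meltdown-fixed built-with-retpoline-gcc"
    elif version_ge "$1" 4.9.75; then
        echo "meltdown-fixed"
    else
        echo "unpatched"
    fi
}

# sysfs_status [DIR]: print "name: state" for every file in the kernel's
# vulnerabilities directory; fail when the kernel lacks that interface.
sysfs_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        if [ -f "$f" ]; then
            printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
        fi
    done
}

# Constructed sample versions, one per erratum step.
for v in 4.9.65 4.9.75 4.9.78; do
    printf '%s -> %s\n' "$v" "$(kernel_status "$v")"
done
sysfs_status || echo "no sysfs vulnerabilities interface on this kernel"
```

The version check only says which erratum kernel is installed; the sysfs output, where available, is what the running kernel itself reports.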