Status of Meltdown, Spectre and Foreshadow/L1TF security issues in UCS

ucs-4-2
kernel
security
ucs-4-3
meltdown
spectre
foreshadow
l1tf

#1

Meltdown, Spectre and Foreshadow/L1TF are critical vulnerabilities in most modern CPUs. They abuse speculative execution to let unprivileged code read memory that is supposed to be protected from it. They affect most CPUs made by Intel, but also CPUs made by AMD and ARM, regardless of the operating system in use.

So far, there are the following known variants of this issue:

  • Spectre variant 1: bounds check bypass CVE-2017-5753
  • Spectre variant 2: branch target injection CVE-2017-5715
  • Meltdown (variant 3): rogue data cache load CVE-2017-5754
  • Spectre variant 3a: Rogue System Register Read CVE-2018-3640
    • Expected: Microcode Update
  • Spectre variant 4: Speculative Store Bypass CVE-2018-3639
    • Expected: Microcode Update, QEMU update, libvirt Update, OpenJDK, Kernel, Browser Update
  • Spectre variant 5: not yet disclosed
  • Spectre variant 6: not yet disclosed
  • Spectre variant 7: not yet disclosed
  • Spectre variant 8: not yet disclosed
  • L1 Terminal Fault (L1TF) variant SGX: CVE-2018-3615 for Intel Software Guard Extensions (Intel SGX)
    • This issue does not affect UCS. See the references below to find information from Intel for L1TF mitigations for Intel SGX.
  • L1 Terminal Fault (L1TF) variant OS/SMM: CVE-2018-3620 for operating systems and System Management Mode (SMM)
    • Expected: Kernel Update
  • L1 Terminal Fault (L1TF) variant VMM: CVE-2018-3646 for impacts on virtualization / hypervisors
    • Expected: Kernel Update, Microcode Update

We highly recommend installing the latest errata updates released by Univention. If you still use an outdated version of UCS such as UCS 1, UCS 2 or UCS 3, please upgrade. We will only release updates for UCS 4.2-4 and later and for UCS 4.3-1.

Status in UCS:

  • 2018-01-09: Erratum 257 has been announced for UCS 4.2 which updates the Linux Kernel to 4.9.75 and fixes Meltdown CVE-2017-5754
  • 2018-01-12: Erratum 491 has been announced for UCS 4.1 which updates the Linux Kernel from 4.1.6 to 4.9.76 and fixes Meltdown CVE-2017-5754.
  • 2018-01-29: Erratum 270 has been announced for UCS 4.2 which adds “retpoline” support to the gcc C compiler. The compiler can then be used to mitigate the Spectre variant 2 vulnerability by recompiling susceptible binaries (the kernel in particular) until fixed CPUs or fixed CPU microcode updates are available from the CPU vendors.
  • 2018-01-29: Erratum 267 has been announced for UCS 4.2 which updates the Linux Kernel to 4.9.78. This kernel has been built with the new gcc.
  • 2018-01-31: Erratum 498 has been announced for UCS 4.1 which updates the backported Linux Kernel to 4.9.78. This kernel has been built with the new gcc.
  • 2018-05-09: Erratum 414 has been announced for UCS 4.2 which provides updated microcode released by Intel. Please note that UCS 4.3 systems also pull this package.
  • 2018-08-22:
    • Erratum 494 has been announced for UCS 4.2 which updates the Linux Kernel to 4.9.122, addressing L1TF (CVE-2018-3620, CVE-2018-3646) and other security issues.
    • Erratum 204 has been announced for UCS 4.3 which provides updated microcode released by AMD, addressing CVE-2017-5715.
    • Erratum 205 has been announced for UCS 4.3 which provides updated microcode released by Intel, addressing CVE-2018-3639 and CVE-2018-3640.
    • Erratum 206 has been announced for UCS 4.3 which updates the Linux Kernel to 4.9.110, addressing L1TF (CVE-2018-3620, CVE-2018-3646) and other security issues.
  • 2018-08-29:
    • Erratum 498 has been announced for UCS 4.2 which provides updated microcode released by Intel, addressing Spectre variant 3a (CVE-2018-3640), Spectre variant 4 (CVE-2018-3639) and Foreshadow/L1TF (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646).
    • Erratum 219 has been announced for UCS 4.3 which provides updated microcode released by Intel, addressing Spectre variant 3a (CVE-2018-3640), Spectre variant 4 (CVE-2018-3639) and Foreshadow/L1TF (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646).
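To check what a given host actually reports after installing the errata above, here is an added shell script (not part of the original post and not Univention's own tooling). It reads the kernel's sysfs vulnerability files, compares the installed kernel package version against the L1TF minimum versions taken from the erratum list above (4.9.122 for UCS 4.2, 4.9.110 for UCS 4.3), shows the loaded microcode revision, and probes gcc for the retpoline flag. Its assumptions, none of which come from the post: the running 4.9 kernel exposes /sys/devices/system/cpu/vulnerabilities/ (early 4.9 builds predate those files), the kernel package is named linux-image-$(uname -r), `ucr get version/version` prints the UCS release such as 4.3, and the retpoline flag is gcc's -mindirect-branch=thunk. The kernel version is taken from the package rather than from uname -r, because the Debian-style ABI name shown by uname does not carry the stable patch level.

```shell
#!/bin/sh
# Added example, not Univention's code: report what a UCS host says about the
# Meltdown/Spectre/L1TF mitigations. Assumptions (not from the post): sysfs
# vulnerability files exist, the kernel package is linux-image-$(uname -r),
# "ucr get version/version" prints e.g. "4.3", gcc's retpoline flag is
# -mindirect-branch=thunk. Minimum kernel versions are from the erratum list.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE: map the kernel's own sysfs wording to one word.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# report_sysfs DIR: one line per vulnerability file: "<name> <class> <raw text>".
report_sysfs() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        printf '%s %s %s\n' "$(basename "$f")" "$(classify_status "$raw")" "$raw"
    done
}

# kernel_base_version STRING: leading "major.minor.patch" of a Debian-style
# package version, e.g. "4.9.122-1A~4.2.0.2018..." -> "4.9.122".
kernel_base_version() {
    printf '%s\n' "$1" | sed -e 's/[^0-9.].*//' -e 's/\.$//'
}

# version_ge A B: true when dotted version A >= B, compared numerically
# component by component (pure sh, no dependency on GNU "sort -V").
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# required_l1tf_kernel UCS_VERSION: first kernel carrying the L1TF fixes per
# the status list above (UCS 4.2 erratum 494, UCS 4.3 erratum 206).
required_l1tf_kernel() {
    case "$1" in
        4.2) echo "4.9.122" ;;
        4.3) echo "4.9.110" ;;
        *)   echo "" ;;
    esac
}

# gcc_has_retpoline CC: 0 if CC accepts the retpoline flag, 1 if it does not,
# 2 if CC is not installed. (Assumed flag name, see the lead-in.)
gcc_has_retpoline() {
    cc="${1:-gcc}"
    command -v "$cc" >/dev/null 2>&1 || return 2
    printf 'int main(void){return 0;}\n' |
        "$cc" -mindirect-branch=thunk -x c -c -o /dev/null - >/dev/null 2>&1
}

main() {
    if [ -d "$VULN_DIR" ]; then
        report_sysfs "$VULN_DIR"
    else
        echo "no $VULN_DIR: this kernel does not report mitigation status"
    fi
    ucs=$(command -v ucr >/dev/null 2>&1 && ucr get version/version)
    kpkg=$(command -v dpkg-query >/dev/null 2>&1 &&
        dpkg-query -W -f='${Version}' "linux-image-$(uname -r)" 2>/dev/null)
    kver=$(kernel_base_version "$kpkg")
    need=$(required_l1tf_kernel "$ucs")
    if [ -n "$need" ] && [ -n "$kver" ]; then
        if version_ge "$kver" "$need"; then
            echo "kernel package $kver >= $need: L1TF kernel erratum installed"
        else
            echo "kernel package $kver < $need: install the L1TF kernel erratum"
        fi
    fi
    grep -m1 '^microcode' /proc/cpuinfo 2>/dev/null || echo "microcode revision: unknown"
    if gcc_has_retpoline gcc; then
        echo "gcc: accepts the retpoline flag"
    else
        echo "gcc: no retpoline support, or gcc not installed"
    fi
}
main
```

The microcode revision in /proc/cpuinfo only changes after a reboot, since the microcode packages load the new revision at boot; until then the sysfs files still describe the old microcode, and a VMM entry such as l1tf will keep reporting the hypervisor-side state (including SMT) that only the microcode-plus-kernel combination addresses.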

Next steps:

  • Checking additional microcode updates.
  • We are also checking how the Spectre 1 issues can be mitigated.

Further information: