The following post was authored by Thib Guicherd-Callin, LOCKSS Technical Manager.
The beginning of 2018 is marked by three industry-wide security vulnerabilities affecting major CPU architectures and, in turn, the operating systems and devices built on them. Commonly nicknamed "Meltdown" and "Spectre" in news reporting, these severe vulnerabilities are specifically:
The "rogue data cache load" vulnerability, CVE-2017-5754 ("Meltdown"), affects primarily Intel processors. The "bounds check bypass" and "branch target injection" vulnerabilities, CVE-2017-5753 and CVE-2017-5715 respectively (together "Spectre"), affect most major processor architectures, including those of Intel, AMD and ARM. All major operating systems are affected: Windows, macOS, Linux flavors, BSD flavors, Android, and iOS, including all major Linux distributions such as CentOS, Red Hat Enterprise Linux, Debian, Ubuntu, SUSE, Arch, Mint, and more. Generally speaking, the recommended course of action is to:
Updates to the Linux kernel that mitigate the "rogue data cache load" vulnerability (CVE-2017-5754) by isolating kernel page tables from user space (kernel page-table isolation, KPTI) are starting to become available for current and recent versions of Linux distributions; note that an updated kernel only protects a machine once it has been rebooted into that kernel. Partial fixes to address some aspects of the "bounds check bypass" (CVE-2017-5753) and "branch target injection" (CVE-2017-5715) vulnerabilities are under development. Mitigating branch target injection depends in part on updated CPU microcode (the intel-microcode package, where applicable) in addition to kernel changes, and security researchers warn that comprehensive fixes for both will be difficult to achieve.
Note that some operating systems have reached end of life (EOL) and will *not* receive critical updates, leaving them exposed to these vulnerabilities and to any number of prior ones.
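After installing a kernel update it is worth confirming that the mitigations are actually active on the running kernel rather than trusting the package version. Linux 4.15 and later, and distribution kernels that backported the interface (updated RHEL/CentOS 7 kernels among them), expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ whose contents read "Not affected", "Mitigation: ..." or "Vulnerable". The script below is an added example written for this post, not LOCKSS code; it reads those files and the "pti" flag in /proc/cpuinfo, and takes the paths as parameters so it can be exercised against constructed copies of the files. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): report Meltdown/Spectre
# mitigation status from the kernel's sysfs interface.
# The directory is a parameter so the checks can run against a copied tree.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map a sysfs file name to the CVE discussed in the post.
cve_for() {
    case "$1" in
        meltdown)   echo "CVE-2017-5754 (rogue data cache load)" ;;
        spectre_v1) echo "CVE-2017-5753 (bounds check bypass)" ;;
        spectre_v2) echo "CVE-2017-5715 (branch target injection)" ;;
        *)          echo "$1" ;;
    esac
}

# Print one line per issue. Returns 0 if every issue reports "Not affected"
# or "Mitigation: ...", 1 if any reports "Vulnerable" or has no entry, and
# 2 if the whole interface is missing (a kernel too old to report: status
# unknown, which for planning purposes means "not mitigated").
check_mitigations() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the sysfs interface, update and reboot first"
        return 2
    fi
    rc=0
    for f in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$f" ]; then
            status=$(cat "$dir/$f")
        else
            status="Unknown (no $f entry)"
        fi
        printf '%-42s %s\n' "$(cve_for "$f")" "$status"
        case "$status" in
            Vulnerable*|Unknown*) rc=1 ;;
        esac
    done
    return $rc
}

# Kernel page-table isolation (the Meltdown mitigation) shows up as the
# "pti" CPU flag in /proc/cpuinfo once the patched kernel is running.
# Takes the cpuinfo path as a parameter for the same reason as above.
pti_active() {
    grep -qw pti "${1:-/proc/cpuinfo}"
}

# Live check when the script is invoked with "live":
#   sh check_specex.sh live
if [ "${1:-}" = "live" ]; then
    check_mitigations
    rc=$?
    if pti_active; then echo "KPTI: active"; else echo "KPTI: not active"; fi
    exit $rc
fi
```

A non-zero exit from check_mitigations is the signal to act: 1 means the kernel knows about the issue and reports it unmitigated, 2 means the kernel is old enough that it cannot even report, which on an EOL distribution is the expected result.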
The most widespread operating system in the LOCKSS community is CentOS:
For any questions or concerns, please contact us.