The following post was authored by Thib Guicherd-Callin, LOCKSS Technical Manager.
- CVE-2017-5754, “rogue data cache load”
- CVE-2017-5753, “bounds check bypass”
- CVE-2017-5715, “branch target injection”
- Monitor your operating system’s security advisories for the initial availability of fixes and subsequent availability of updates
- Apply these updates promptly
- Reboot after updating
Updates to the Linux kernel and intel-microcode (where applicable) packages to mitigate the “rogue data cache load” vulnerability (CVE-2017-5754) are starting to become available for current and recent versions of Linux distributions. Partial fixes to address some aspects of the “bounds check bypass” (CVE-2017-5753) and “branch target injection” (CVE-2017-5715) vulnerabilities are under development, but security researchers warn that comprehensive fixes will be difficult to achieve.
Note that some operating systems have reached end of life (EOL) and will *not* be receiving critical updates, leaving them vulnerable to these and any number of prior vulnerabilities.
- CentOS 7, the most recent version, is receiving full updates and will receive critical kernel updates
- CentOS 6 no longer receives full updates as of May 10, 2017 (https://wiki.centos.org/About/Product) but will receive critical kernel updates as maintenance updates
- CentOS 5 reached end of life on March 31, 2017 (https://lists.centos.org/pipermail/centos-announce/2017-April/022350.html) and will *not* be receiving critical kernel updates (https://lists.centos.org/pipermail/centos/2018-January/167816.html)
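As an added example (not code from the original post or from the LOCKSS project), the following shell script is the check an operator could run on a CentOS box after applying the updates and rebooting. It reads the per-vulnerability status files that newer Linux kernels, and the CentOS/RHEL 7 backports, export under /sys/devices/system/cpu/vulnerabilities/ for the three CVEs listed above, and it compares the running kernel with the newest installed kernel package so that a pending reboot is not overlooked. Assumptions: the running kernel is new enough to provide that sysfs directory (the script reports when it is not), and the host is rpm-based so `rpm -q --last kernel` is available; the status strings mentioned in the comments are illustrative values.

```shell
#!/bin/sh
# Added example, not code from the original LOCKSS post: a post-update check
# for CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715.  It reads the status
# files newer kernels export under /sys/devices/system/cpu/vulnerabilities/
# (assumption: the running kernel has that interface; older kernels do not,
# and the script says so instead of guessing).

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS
# Maps the kernel's status string (e.g. "Mitigation: PTI", "Vulnerable",
# "Not affected") to one word: mitigated, vulnerable, unaffected or unknown.
classify_status() {
    case "$1" in
        "Not affected")  echo unaffected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vulnerabilities DIR
# Prints one line per CVE ("<cve> <sysfs file> <classification> <raw status>")
# and returns 0 only when all three are mitigated or not affected.
check_vulnerabilities() {
    dir=$1
    rc=0
    for entry in "CVE-2017-5754 meltdown" \
                 "CVE-2017-5753 spectre_v1" \
                 "CVE-2017-5715 spectre_v2"; do
        cve=${entry% *}
        file=${entry#* }
        if [ -r "$dir/$file" ]; then
            status=$(cat "$dir/$file")
        else
            status="no status file (kernel does not report it)"
        fi
        class=$(classify_status "$status")
        printf '%s %s %s %s\n' "$cve" "$file" "$class" "$status"
        case $class in
            mitigated|unaffected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# newest_installed_kernel
# On rpm-based systems such as CentOS: the version string of the most
# recently installed kernel package, e.g. 3.10.0-693.11.6.el7.x86_64.
newest_installed_kernel() {
    rpm -q --last kernel | head -n 1 | sed 's/^kernel-//; s/ .*//'
}

# reboot_needed RUNNING NEWEST
# True (exit 0) when the running kernel is not the newest installed one,
# i.e. the package update was applied but the reboot is still pending.
reboot_needed() {
    [ "$1" != "$2" ]
}

main() {
    if [ -d "$VULN_DIR" ]; then
        if check_vulnerabilities "$VULN_DIR"; then
            echo "All three vulnerabilities reported mitigated or not affected."
        else
            echo "WARNING: at least one vulnerability is not mitigated on the running kernel."
        fi
    else
        echo "$VULN_DIR not present: this kernel predates the sysfs vulnerability status interface."
    fi

    if command -v rpm >/dev/null 2>&1 && rpm -q kernel >/dev/null 2>&1; then
        running=$(uname -r)
        newest=$(newest_installed_kernel)
        if reboot_needed "$running" "$newest"; then
            echo "Running kernel $running but newest installed is $newest: reboot required."
        else
            echo "Running the newest installed kernel ($running)."
        fi
    fi

    # Microcode revision currently loaded; an intel-microcode update changes it.
    if [ -r /proc/cpuinfo ]; then
        grep -m 1 '^microcode' /proc/cpuinfo || true
    fi
}

main
```

A kernel that is fully updated but not yet rebooted is the case this is meant to catch: the sysfs files describe the *running* kernel, so they still show the old state until the reboot, and the kernel version comparison is what reveals that the reboot step was skipped.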
For any questions or concerns, please contact us.
- Technical follow-up by Google: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
- Discussion by LOCKSS chief scientist emeritus David Rosenthal: http://blog.dshr.org/2018/01/meltdown-spectre.html