Mitigation in LOCKSS Systems of Recently Disclosed Microprocessor Vulnerabilities
The beginning of 2018 is marked by three industry-wide security vulnerabilities affecting major CPU architectures, in turn affecting many operating systems and devices. Commonly nicknamed "Meltdown" and "Spectre" in news reporting, these severe vulnerabilities are specifically:
- CVE-2017-5754, "rogue data cache load" (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754)
- CVE-2017-5753, "bounds check bypass" (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753)
- CVE-2017-5715, "branch target injection" (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715)
The "rogue data cache load" vulnerability, CVE-2017-5754, affects primarily Intel processors. The "bounds check bypass" and "branch target injection" vulnerabilities, CVE-2017-5753 and CVE-2017-5715 respectively, affect most major processor architectures, including those of Intel, AMD and ARM. All major operating systems are affected: Windows, MacOS, Linux flavors, BSD flavors, Android, and iOS, including all major Linux distributions such as CentOS, Red Hat Enterprise Linux, Debian, Ubuntu, SUSE, Arch, Mint, and more. Generally speaking, the recommended course of action is to:
- Monitor your operating system's security advisories for the initial availability of fixes and subsequent availability of updates
- Apply these updates promptly
- Reboot after updating
Updates to the Linux kernel and intel-microcode (where applicable) packages to mitigate the "rogue data cache load" vulnerability (CVE-2017-5754) are starting to become available for current and recent versions of Linux distributions. Partial fixes to address some aspects of the "bounds check bypass" (CVE-2017-5753) and "branch target injection" (CVE-2017-5715) vulnerabilities are under development, but security researchers warn that comprehensive fixes will be difficult to achieve.
Note that some operating systems have reached end of life (EOL) and will *not* be receiving critical updates, leaving them vulnerable to these and any number of prior vulnerabilities.
The most widespread operating system in the LOCKSS community is CentOS:
- CentOS 7, the most recent version, is receiving full updates and will receive critical kernel updates
- CentOS 6 no longer receives full updates as of May 10, 2017 (https://wiki.centos.org/About/Product) but will receive critical kernel updates as maintenance updates
- CentOS 5 has reached end of life on March 31, 2017 (https://lists.centos.org/pipermail/centos-announce/2017-April/022350.html) and will *not* be receiving critical kernel updates (https://lists.centos.org/pipermail/centos/2018-January/167816.html)
For any questions or concerns, please contact us.
- Technical follow-up by Google: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
- Discussion by LOCKSS Chief Scientist Emeritus David Rosenthal: http://blog.dshr.org/2018/01/meltdown-spectre.html