[Vulnerability notice] Meltdown and Spectre flaws in Intel processors - Security Vulnerability Alerts| Alibaba Cloud Documentation Center

On January 3, 2018, serious security vulnerabilities were exposed in Intel processor chips. These vulnerabilities are caused by some design bugs at the chip hardware layer. Successful exploitation can result in leakage of the operating system’s kernel information, elevated access to system kernel data by applications, and other serious issues. Alibaba Cloud has synced key security information with Intel before the vulnerability disclosure, and continuously verifies remediation program.

See the following for more information about the vulnerability.

CVE identifier

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Vulnerability name

Serious chip-level vulnerabilities in Intel processors

Vulnerability rating

High

Vulnerability description

Because of some security bugs during the realization of CPU process chips, low-privilege accesses to applications cannot be correctly distinguished with high-privilege accesses to the kernel. Thus, attackers may bypass the security isolation boundary of memory access, and gain memory data of the operating system and other applications in kernel, which results in greater risk of sensitive information leakage.

Based on the revealed attack details and the aggregate analysis by the Alibaba Cloud Technical team, these vulnerabilities can be exploited by two attack methods: Meltdown and Spectre. The CVE-2017-5754 vulnerability is exploited by Meltdown, and the CVE-2017-5753 and CVE-2017-5715 vulnerabilities are exploited by Spectre.

For more information about the attack methods, see the following articles:

Condition and method of exploitation

Based on the revealed PoC testing result, attackers must gain permissions of local normal account first, and then obtain local sensitive information with higher permissions through privilege escalation. The vulnerabilities can only be exploited under certain conditions.

Affected scope

Since the vulnerabilities exist in Intel x86-64 hardware, all Intel processor chips manufactured after 1995 may be affected. Meanwhile, processors of AMD, Qualcomm, and ARM are also affected.

How to fix or mitigate

Cloud platform

Alibaba Cloud has launched updates on the underlying infrastructures of our cloud platform to fix the vulnerabilities. The updates are applied in batch, and are planned to be completed no later than 24:00:00 (UTC+08:00) on January 19, 2018. As hot upgrades are performed for these updates, customer’s business on the cloud platform remains unaffected.

Tenant

To avoid risks of the vulnerabilities, you have to apply hotfixes for your systems on the cloud platform. Alibaba Cloud continuously updates the official release status of hotfixes for major operating systems, and fixes official operating system images at first.

Hotfixes release status (Until January 10, 2018)

Operating system	Version	Architecture	Affected	Official hotfix status	Image status	Image source status	Official security notice	How to fix
Microsoft Windows Server	2008 R2	i386/x64	Yes	Released	Not fixed	Not updated	Hotfixes have been released for all versions, except for Windows Server 2008. For more information, see Microsoft official notice.	Open Windows Update, and click Check for updates. Download and install relevant security hotfixes. Restart your server after the installation, and check the operation status of your system. You can also download and install the hotfixes manually to fix the vulnerabilities: Windows Server Version 1709:https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056892 Window Server 2016:https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056890 Windows Server 2012 R2:https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056898 Windows Server 2008 R2:https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056897 Restart your system after the installation, and then the hotfixes take into effects. Note: Before the hotfix installation, we strongly recommend that you perform relevant testing, and create the data backup or snapshot.
	2012 R2	x64	Yes	Released	Not fixed	Not updated
	2016 R2	x64	Yes	Released	Not fixed	Not updated
	Version 1709	x64	Yes	Released	Not fixed	Not updated
Aliyun Linux	All versions	x64	Yes	Not released	Not fixed	Not updated	Alibaba Cloud has released official notice.	Unavailable
CentOS	All versions	x64	Yes	Released	Not fixed	Updated	https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/errata/RHSA-2018:0007 https://access.redhat.com/errata/RHSA-2018:0008	Run the `yum update kernel` command with the root account to update your system. Restart your system. Verify the updated version: rhel 6 : kernel >= 2.6.32-696.18.7.el6 rhel 7 : kernel >= 3.10.0-693.11.6.el7 Note: Before the hotfix installation, we strongly recommend that you perform relevant testing, and create the data backup or snapshot.
Redhat	el6 el7	x64	Yes	Released	Not fixed	Updated
Ubuntu	All versions	i386/x64	Yes	Hotfix released to fix CVE-2017-5754	Not fixed	Not updated	https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html	Run the following command to update your system: Update list: `apt-get update` Upgrade: `apt-get upgrade` Restart your system. Note: Before the hotfix installation, we strongly recommend that you perform relevant testing, and create the data backup or snapshot.
Debain	All versions	i386/x64	Yes	Hotfix released to fix CVE-2017-5754	Not fixed	Not updated	https://security-tracker.debian.org/tracker/CVE-2017-5754 https://security-tracker.debian.org/tracker/CVE-2017-5753 https://security-tracker.debian.org/tracker/CVE-2017-5715
SUSE Linux Enterprise Server	12.2 11.4	x64	Yes	Partial hotfixes released	Not fixed	Updated	https://www.suse.com/security/cve/CVE-2017-5754/ https://www.suse.com/security/cve/CVE-2017-5753/ https://www.suse.com/security/cve/CVE-2017-5715/	Run the `zypper refresh && zypper patch` command with the root account to update your system. Restart your system. Note: Before the hotfix installation, we strongly recommend that you perform relevant testing, and create the data backup or snapshot.
Open SUSE	All versions	x64	Yes	Not released	Not fixed	Not updated	https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html
CoreOS	All versions	x64	Yes	Not released	Not fixed	Not updated	No official notice released	Unavailable
Gentoo	All versions	x64	Yes	Not released	Not fixed	Not updated	https://archives.gentoo.org/gentoo-user/message/11050085e72a8a05aa84e10a89ce3498	Unavailable
FreeBSD	All versions	x64	Yes	Not released	Not fixed	Not updated	No official notice released	Unavailable

Note: For more information about released versions of operating systems provided by ECS, see How to select a system image.

Since most manufactures still haven’t released hotfixes, we strongly recommend that you apply security hardening and protection measures according to our security best practices to reduce the risk of vulnerabilities exploitation by attackers. For more information, see Security Deployment GuideSecurity Deployment Guide.
Currently, certain performance degradation in Linux is evidenced after the vulnerabilities are fixed. The vulnerabilities can be exploited only through local privilege escalation to obtain sensitive information. Thus, considering the stability of business, you can decide yourself whether to apply the hotfixes to fix the vulnerabilities. We strongly recommend that you perform relevant testing and create the data backup or snapshot before you apply the hotfixes on your server.

References

[1]. Attack details revealed by Google
[2]. Security notice released by US CERT
[3]. Official notice released by Intel
[4]. Brief analysis of the vulnerabilities
[5]. Detailed analysis of the vulnerabilities