ID

VAR-201808-0957

CVE

CVE-2018-3646

TITLE

Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF)

DESCRIPTION

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. Intel Core Systems with microprocessors contain information disclosure vulnerabilities.Information may be obtained. These attacks are known as L1 Terminal Fault: SGX, L1 Terminal Fault: OS/SMM, and L1 Terminal Fault: VMM. 6.7) - i386, ppc64, s390x, x86_64 3. For the stable distribution (stretch), these problems have been fixed in version 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10. We recommend that you upgrade your xen packages. For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlt14mwACgkQEMKTtsN8 Tjb2LhAAokwmlGxyJPC3EGG9aOLKNv23G9OzLLNRm+cy150WAMgBio+bR2CAgkfX qu/ftFPLeKfIRbo9nLBFHQLMKlmDdFzLeicXe7GtnKcAMkt0Wp+rYIj66TMkjrMg 2kJI68ECc5Rqj3fMZ+dgkxSHzhylUGG70mEIBf2D22Y72kkIfc3EzBuu2wxaaOTP t7Q7JkYDv9WV/6gw8Ok2vIrQcq95jtZgDSL1ZHHg6VTukHnXP2SU1rMfRCguTCtc 5JYAgWJ1GWFWt3d6FQnk7SWwJf3pHEVNg0lGpRJdu4qperQ3EhQNeJlGq8adm/Zf QQUT9T6vsU5cefgelIRSLxFZ9bDobxXXNaox3FqB4tslkJLhTRluCvilJpWuNpH5 7S6xti5neGuHORfIkcS1PmOEx2gDkKWTgotiBx04yU3q+/zr0Ob+K2jxZXe4z2uU sqEq8pdjCnkE03cljPbfPeutyucS3xDFpFVoXlRqgRNMdZ7jzVSP6qayt3iQIa/E djVQ2ptHxux5Zapg5Ngr2ASBdyIw+2GLVUKQCeqM+EjMXjRBaJv8DPxWwO4nkC4d eliy9RxErtQpgHIZKHVmTjoRlh/OH4KAdHZT2Y+Gfv1DVA6TL5cPiQ9e0ZunNNaK vtXyOzjNPVPZa+2MEq9FTFIkDsR8Ncl/JCzp0bx5uVaV/ovX0A8=reP+ -----END PGP SIGNATURE----- . Issue date: 2018-08-14 Updated on: 2018-08-14 (Initial Advisory) CVE number: CVE-2018-3646 1. Summary VMware vSphere, Workstation, and Fusion updates enable Hypervisor- Specific Mitigations for L1 Terminal Fault - VMM vulnerability. The mitigations in this advisory are categorized as Hypervisor- Specific Mitigations described by VMware Knowledge Base article 55636. Relevant Products VMware vCenter Server (VC) VMware vSphere ESXi (ESXi) VMware Workstation Pro / Player (WS) VMware Fusion Pro / Fusion (Fusion) 3. Problem Description vCenter Server, ESXi, Workstation, and Fusion updates include Hypervisor-Specific Mitigations for L1 Terminal Fault - VMM. This issue may allow a malicious VM running on a given CPU core to effectively read the hypervisoras or another VMas privileged information that resides sequentially or concurrently in the same coreas L1 Data cache. CVE-2018-3646 has two currently known attack vectors which will be referred to as "Sequential-Context" and "Concurrent-Context." Attack Vector Summary Sequential-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a previous context (hypervisor thread or other VM thread) on either logical processor of a processor core. Concurrent-context attack vector: a malicious VM can potentially infer recently accessed L1 data of a concurrently executing context (hypervisor thread or other VM thread) on the other logical processor of the Hyper-Threading-enabled processor core. Mitigation Summary The Sequential-context attack vector is mitigated by a vSphere update to the product versions listed in table below. This mitigation is dependent on Intel microcode updates (provided in separate ESXi patches for most Intel hardware platforms) also listed in the table below. This mitigation is enabled by default and does not impose a significant performance impact. The Concurrent-context attack vector is mitigated through enablement of a new feature known as the ESXi Side-Channel-Aware Scheduler. This feature may impose a non-trivial performance impact and is not enabled by default. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation/ Product Version on Severity Apply Patch Workaround ======= ======= ======= ========= ===================== ========== VC 6.7 Any Important 6.7.0d None VC 6.5 Any Important 6.5u2c None VC 6.0 Any Important 6.0u3h None VC 5.5 Any Important 5.5u3j None ESXi 6.7 Any Important ESXi670-201808401-BG* None ESXi670-201808402-BG** None ESXi670-201808403-BG* None ESXi 6.5 Any Important ESXi650-201808401-BG* None ESXi650-201808402-BG** None ESXi650-201808403-BG* None ESXi 6.0 Any Important ESXi600-201808401-BG* None ESXi600-201808402-BG** None ESXi600-201808403-BG* None ESXi 5.5 Any Important ESXi550-201808401-BG* None ESXi550-201808402-BG** None ESXi550-201808403-BG* None WS 14.x Any Important 14.1.3* None Fusion 10.x Any Important 10.1.3* None *These patches DO NOT mitigate the Concurrent-context attack vector previously described by default. For details on the three-phase vSphere mitigation process please see KB55806 and for the mitigation process for Workstation and Fusion please see KB57138. **These patches include microcode updates required for mitigation of the Sequential-context attack vector. This microcode may also be obtained from your hardware OEM in the form of a BIOS or firmware update. Details on microcode that has been provided by Intel and packaged by VMware is enumerated in the patch KBs found in the Solution section of this document. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter 6.7.0d Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-670d-release-notes.html vCenter 6.5u2c Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2c-release-notes.html vCenter 6.0u3h Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_0 Documentation: https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3h-release-notes.html vCenter 5.5u3j Downloads: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_5 Documentation: https://docs.vmware.com/en/VMware-vSphere/5.5/rn/vsphere-vcenter-server-55u3j-release-notes.html ESXi 6.7 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi670-201808401-BG (esx-base): https://kb.vmware.com/kb/56537 ESXi670-201808402-BG (microcode): https://kb.vmware.com/kb/56538 ESXi670-201808403-BG (esx-ui):(https://kb.vmware.com/kb/56897 ESXi 6.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi650-201808401-BG (esx-base): https://kb.vmware.com/kb/56547 ESXi650-201808402-BG (microcode): https://kb.vmware.com/kb/56563 ESXi650-201808403-BG (esx-ui): https://kb.vmware.com/kb/56896 ESXi 6.0 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi600-201808401-BG (esx-base): https://kb.vmware.com/kb/56552 ESXi600-201808402-BG (microcode): https://kb.vmware.com/kb/56553 ESXi600-201808403-BG (esx-ui): https://kb.vmware.com/kb/56895 ESXi 5.5 Downloads: https://my.vmware.com/group/vmware/patch Documentation: ESXi550-201808401-BG (esx-base): https://kb.vmware.com/kb/56557 ESXi550-201808402-BG (microcode): https://kb.vmware.com/kb/56558 ESXi550-201808403-BG (esx-ui): https://kb.vmware.com/kb/56894 VMware Workstation Pro 14.1.3 Downloads: https://www.vmware.com/go/downloadworkstation Documentation: https://docs.vmware.com/en/VMware-Workstation-Pro/index.html VMware Workstation Player 14.1.3 Downloads: https://www.vmware.com/go/downloadplayer Documentation: https://docs.vmware.com/en/VMware-Workstation-Player/index.html VMware Fusion Pro / Fusion 10.1.3 Downloads: https://www.vmware.com/go/downloadfusion Documentation: https://docs.vmware.com/en/VMware-Fusion/index.html 5. Change log 2018-08-14: Initial security advisory in conjunction with vSphere, Workstation, and Fusion updates and patches released on 2018-08-14. Contact E-mail list for product security notifications and announcements: https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories https://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: kernel-rt security and bug fix update Advisory ID: RHSA-2018:2395-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:2395 Issue date: 2018-08-14 CVE Names: CVE-2017-13215 CVE-2018-3620 CVE-2018-3646 CVE-2018-3693 CVE-2018-5390 CVE-2018-7566 CVE-2018-10675 ==================================================================== 1. Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Realtime (v. 7) - noarch, x86_64 Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64 3. Description: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) * kernel: crypto: privilege escalation in skcipher_recvmsg function (CVE-2017-13215) * kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact (CVE-2018-10675) * kernel: race condition in snd_seq_write() may lead to UAF or OOB access (CVE-2018-7566) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693; and Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390. Bug Fix(es): * The kernel-rt packages have been upgraded to the 3.10.0-862.10.2 source tree, which provides a number of bug fixes over the previous version. (BZ#1594915) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1535173 - CVE-2017-13215 kernel: crypto: privilege escalation in skcipher_recvmsg function 1550142 - CVE-2018-7566 kernel: race condition in snd_seq_write() may lead to UAF or OOB-access 1575065 - CVE-2018-10675 kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact 1581650 - CVE-2018-3693 Kernel: speculative bounds check bypass store 1585005 - CVE-2018-3646 Kernel: hw: cpu: L1 terminal fault (L1TF) 1594915 - kernel-rt: update to the RHEL7.5.z batch#3 source tree 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack) 6. Package List: Red Hat Enterprise Linux for Real Time for NFV (v. 7): Source: kernel-rt-3.10.0-862.11.6.rt56.819.el7.src.rpm noarch: kernel-rt-doc-3.10.0-862.11.6.rt56.819.el7.noarch.rpm x86_64: kernel-rt-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debug-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debug-debuginfo-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debug-devel-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debug-kvm-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debug-kvm-debuginfo-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debuginfo-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debuginfo-common-x86_64-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-devel-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-kvm-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-kvm-debuginfo-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-trace-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-trace-debuginfo-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-trace-devel-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-trace-kvm-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-trace-kvm-debuginfo-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm Red Hat Enterprise Linux Realtime (v. 7): Source: kernel-rt-3.10.0-862.11.6.rt56.819.el7.src.rpm noarch: kernel-rt-doc-3.10.0-862.11.6.rt56.819.el7.noarch.rpm x86_64: kernel-rt-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debug-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-debug-devel-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-devel-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-trace-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm kernel-rt-trace-devel-3.10.0-862.11.6.rt56.819.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2017-13215 https://access.redhat.com/security/cve/CVE-2018-3620 https://access.redhat.com/security/cve/CVE-2018-3646 https://access.redhat.com/security/cve/CVE-2018-3693 https://access.redhat.com/security/cve/CVE-2018-5390 https://access.redhat.com/security/cve/CVE-2018-7566 https://access.redhat.com/security/cve/CVE-2018-10675 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/vulnerabilities/L1TF 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW3M6LdzjgjWX9erEAQiNxA//Qo+SG7/R3Z3Md7e2rxTQ9InGZkQ0dJPy lmTtQHqPXRHrsqLAt4DR8IMYVnZsKm/T4nqETOz+/eYv300JiaCe6zKmHGXW2nac ZqrrJ86zQkG+4lbdxZkvSCJnS9xV3xm2UBJv6yFwoe7Ndhve73CwGF4/PYtrHA5z zuxPZnuTo2kpGu6VsgesIBajRmsev+qsy8X7kjlrwPVByarw4ClbBU54yI0VPW+H h1zKg0+V4YMjpCENj3fSlOH1nQOgiMSg4sFHDdMYy4SiW422S0S1oMtnFBZOGc5G +TFVTfkkAtGXSppJxGU7+FR8X0Fg0GLWzw9BaRxg5zndV7xutfOZhbRmtbbs+aYF IhUGBiQ+x1m+jTJk7RFkMlAG7U/EYIF9+WOQHt+/a6HeiOGcROqq01l7PdkSkcJk CT3fi/wATGh1AsiLU1707TPCDxT0GoTmbXTve17H9FMWlK+kcEyUickQx5V+R7W/ vOq5d6Cr1ko78o3Pmfrf/fSsy6kcum5VpKTP9JupHxEmQoJfuGGQIm7p2g3o8RDH AamXhxhS1Dfr5RBCXEncANaZCNRaf+D5hFz8dfMmTdAok122F4IN0adiW7XPhtS8 I218KeBjVdlhh7WLdkSIHIqh271H6/pHCERi45amT6CGEl9wQQgmuy29kQSvqNTM tYsRJkrtY8A=DXw+ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Intel Core i3 processor, etc. are all CPU (central processing unit) products of Intel Corporation of the United States. Security vulnerabilities exist in several Intel products that use speculative execution and address translation. The following products are affected: Intel Core i3 processor; Intel Core i5 processor; Intel Core i7 processor; Intel Core M processor family; 2nd generation Intel Core processors; 3rd generation Intel Core processors; 4th generation Intel Core processors; 5th generation Intel Core processors, etc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================ FreeBSD-SA-18:09.l1tf Security Advisory The FreeBSD Project Topic: L1 Terminal Fault (L1TF) Kernel Information Disclosure Category: core Module: Kernel Announced: 2018-08-14 Affects: All supported versions of FreeBSD. Corrected: 2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE) 2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2) 2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13) CVE Name: CVE-2018-3620, CVE-2018-3646 Special Note: Speculative execution vulnerability mitigation remains a work in progress. This advisory addresses the issue in FreeBSD 11.1 and later. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. Background When a program accesses data in memory via a logical address it is translated to a physical address in RAM by the CPU. Accessing an unmapped logical address results in what is known as a terminal fault. II. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods. This issue affects bhyve on FreeBSD/amd64 systems. III. Impact An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +30 "Rebooting for security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.2] # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc # gpg --verify l1tf-11.2.patch.asc [FreeBSD 11.1] # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch # fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc # gpg --verify l1tf-11.1.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details CVE-2018-3620 (L1 Terminal Fault-OS) - ------------------------------------ FreeBSD reserves the the memory page at physical address 0, so it will not contain secret data. FreeBSD zeros the paging data structures for unmapped addresses, so that speculatively executed L1 Terminal Faults will access only the reserved, unused page. The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/11/ r337794 releng/11.1/ r337828 releng/11.2/ r337828 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. ========================================================================= Ubuntu Security Notice USN-3741-2 August 14, 2018 linux-lts-xenial, linux-aws vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: Several security issues were fixed in the Linux kernel. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS: linux-image-4.4.0-1027-aws 4.4.0-1027.30 linux-image-4.4.0-133-generic 4.4.0-133.159~14.04.1 linux-image-4.4.0-133-generic-lpae 4.4.0-133.159~14.04.1 linux-image-4.4.0-133-lowlatency 4.4.0-133.159~14.04.1 linux-image-4.4.0-133-powerpc-e500mc 4.4.0-133.159~14.04.1 linux-image-4.4.0-133-powerpc-smp 4.4.0-133.159~14.04.1 linux-image-4.4.0-133-powerpc64-emb 4.4.0-133.159~14.04.1 linux-image-4.4.0-133-powerpc64-smp 4.4.0-133.159~14.04.1 linux-image-aws 4.4.0.1027.27 linux-image-generic-lpae-lts-xenial 4.4.0.133.113 linux-image-generic-lts-xenial 4.4.0.133.113 linux-image-lowlatency-lts-xenial 4.4.0.133.113 linux-image-powerpc-e500mc-lts-xenial 4.4.0.133.113 linux-image-powerpc-smp-lts-xenial 4.4.0.133.113 linux-image-powerpc64-emb-lts-xenial 4.4.0.133.113 linux-image-powerpc64-smp-lts-xenial 4.4.0.133.113 Please note that the recommended mitigation for CVE-2018-3646 involves updating processor microcode in addition to updating the kernel; however, the kernel includes a fallback for processors that have not received microcode updates. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. (CVE-2018-3646) Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. (CVE-2018-3639) Zdenek Sojka, Rudolf Marek, Alex Zuepke, and Innokentiy Sennovskiy discovered that microprocessors that perform speculative reads of system registers may allow unauthorized disclosure of system parameters via a sidechannel attack. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Bugs fixed (https://bugzilla.redhat.com/): 1585005 - CVE-2018-3646 Kernel: hw: cpu: L1 terminal fault (L1TF) 1601849 - CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption 6

AFFECTED PRODUCTS