cv-announce-l@list.iu.edu
Subject: cv alerts list
List archive
[cv-announce-l] L1 Terminal Fault (L1TF) or Foreshadow (CVE-2018-3620/CVE-2018-3646)
Chronological Thread
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>
- Subject: [cv-announce-l] L1 Terminal Fault (L1TF) or Foreshadow (CVE-2018-3620/CVE-2018-3646)
- Date: Wed, 15 Aug 2018 15:38:54 -0400
CI Operators:
The L1 Terminal Fault (L1TF) [1] or Foreshadow (as called by some) is a vulnerability on Intel processors similar to Meltdown [2] that exploits memory operations, specifically, during a “terminal fault” which signals to the CPU that a page table is invalid. A malicious actor (e.g., a user on a system reading data on the physical system, or a guest OS or container accessing information from other guests or the host) can leverage the vulnerability to circumvent security controls ordinarily imposed and managed by the operating system or hypervisor to gain access to data within the L1 memory cache.
Note that existing mitigations for Meltdown are *not* sufficient to protect against this new vulnerability.
Impact:
Privileged memory space can accessed, exposing sensitive information. Patches for these vulnerabilities are expected to affect CPU performance.
Recommendation:
We recommend operators of virtualized (host and guest) or containerized workloads apply the patches (updated kernels, virtualization components, and cpu microcode) as soon as possible. VMware has provided additional mitigations which can be performed after applying patches. [3] Please note that it is expected that these updates may affect CPU performance. If possible you may which to benchmark your systems prior to updates to determine potential performance issues.
Affected Systems:
* RHEL 5, 6 & 7
References:
[1] https://www.intel.com/content/www/us/en/architecture-and-technology/l1tf.html
[2] https://access.redhat.com/security/cve/cve-2017-5754
[3] https://kb.vmware.com/s/article/55806
[4] https://arstechnica.com/?post_type=post&p=1358223
[6] https://access.redhat.com/security/vulnerabilities/L1TF
[7] https://access.redhat.com/security/cve/cve-2018-3620
[8] https://access.redhat.com/security/cve/cve-2018-3646
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI (formerly CTSC) can not provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
- [cv-announce-l] L1 Terminal Fault (L1TF) or Foreshadow (CVE-2018-3620/CVE-2018-3646), Andrew K Adams, 08/15/2018
Archive powered by MHonArc 2.6.24.