cv-announce-l@list.iu.edu
Subject: cv alerts list
[cv-announce-l] Microarchitectural Data Sampling (CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, CVE-2019-11091)
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>
- Subject: [cv-announce-l] Microarchitectural Data Sampling (CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, CVE-2019-11091)
- Date: Thu, 16 May 2019 14:47:52 -0400
CI Operators:
Four vulnerabilities, CVE-2018-12130, CVE-2018-12126, CVE-2018-12127 and CVE-2019-11091, collectively referred to as Microarchitectural Data Sampling (MDS), affect Intel CPUs [1][2][3][4][5][6][7]. MDS allows side-channel attacks that leverage speculative operation in hardware. CVE-2018-12130 has been assigned a severity of ‘important’, while the other three are rated ‘moderate.’
Note: two attacks, RIDL and Fallout [1], have been developed to show how MDS can be exploited.
Impact:
A local, malicious actor could bypass memory security mechanisms in order to gain read access to privileged memory. Containers are considered ‘local.’
Affected Software:
All O/S that run on many Intel CPUs and utilize speculative execution.
Recommendation:
These issues affect many modern Intel microprocessors. They require updates to the Linux kernel, virtualization stack, and CPU microcode. We recommend you patch during the next maintenance cycle, when patches are made available.
Red Hat, Debian & Ubuntu have released patches.
References:
[3] https://access.redhat.com/security/cve/cve-2018-12130
[4] https://access.redhat.com/security/cve/cve-2018-12126
[5] https://access.redhat.com/security/cve/cve-2018-12127
[6] https://access.redhat.com/security/cve/cve-2019-11091
[7] https://access.redhat.com/security/vulnerabilities/mds
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
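An added example, not part of the original advisory: a shell check for confirming that both halves of the Recommendation above (kernel and CPU microcode) took effect on a Linux host. It classifies the status line that MDS-patched kernels expose in /sys/devices/system/cpu/vulnerabilities/mds; the function names and verdict labels are this example's own, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's MDS status line.
# Path and status strings are those of the kernel's sysfs vulnerabilities interface.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_classify STATUS: print one verdict word (labels are this example's own).
mds_classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)
            # Kernel and microcode are both in place; SMT siblings may still leak.
            case "$1" in
                *"SMT vulnerable"*) echo mitigated-smt-exposed ;;
                *"SMT Host state unknown"*) echo mitigated-smt-unknown ;;
                *) echo mitigated ;;
            esac ;;
        # Patched kernel, but the CPU lacks the updated microcode.
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo needs-microcode ;;
        "Vulnerable"*) echo vulnerable ;;
        # Empty status: the kernel predates the MDS patches and has no entry.
        "") echo needs-kernel ;;
        *) echo unknown ;;
    esac
}

# mds_check_host: classify this machine; exit status 0 only when no action is needed.
mds_check_host() {
    status=""
    [ -r "$MDS_SYSFS" ] && status=$(cat "$MDS_SYSFS")
    verdict=$(mds_classify "$status")
    printf '%s: %s\n' "$verdict" "${status:-no mds entry in sysfs}"
    case "$verdict" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample status lines so the classifier can be exercised offline.
for s in "Mitigation: Clear CPU buffers; SMT vulnerable" \
         "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
         "Vulnerable; SMT vulnerable" "Not affected" ""; do
    printf '%-22s <- %s\n' "$(mds_classify "$s")" "${s:-(no sysfs entry)}"
done
```

Calling mds_check_host on each node after the maintenance window gives a nonzero exit for hosts that still need a kernel update, a microcode update, or a decision about SMT.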