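Information Disclosure Vulnerability in Intel and ARM CPU Chips
CNNVD ID | CNNVD-201801-152 | CVE ID | CVE-2017-5715 |
Published | 2018-01-04 | Updated | 2020-08-14 |
Vulnerability type | Information disclosure | Vulnerability source | Intel, Jann Horn (Google Project Zero) and Paul Kocher in collaboration with, and Yuval Yarom (Univer, Daniel Genkin (University of Pennsylvania and University of Maryland), in alphabetical order, Moritz Lipp (Graz University of Technology), Mike Hamburg (Rambus) |
Severity | Medium | Threat type | Local |
Vendor | intel |
Vulnerability description
ARM Cortex-R7 and related parts are CPU (central processing unit) products of ARM, a UK company. Intel Xeon E5-1650 and related parts are CPU (central processing unit) products of Intel, a US company.
An information disclosure vulnerability exists in Intel and ARM CPU chips. It stems from a flaw in the processor's data boundary mechanism. A local attacker can exploit it to read memory contents by abusing "erroneous speculative execution". The following products and versions are affected: ARM Cortex-R7; Cortex-R8; Cortex-A8; Cortex-A9; Cortex-A12; Intel Xeon CPU E5-1650 v3, v2, v4; Xeon E3-1265l v2, v3, v4; Xeon E3-1245 v2, v3, v5, v6; Xeon X7542; and others.
Vulnerability patch
Some vendors have already released fixes for this vulnerability; see the vendor security advisories for details: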
Intel:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Amazon:
https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
ARM:
https://developer.arm.com/support/security-update
Google:
https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
https://www.chromium.org/Home/chromium-security/ssca
Red Hat:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
Xen:
http://xenbits.xen.org/xsa/advisory-254.html
Mozilla:
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
VMware:
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
AMD:
https://www.amd.com/en/corporate/speculative-execution
Linux Kernel:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5aa90a84589282b87666f92b6c3c917c8080a9bf
Affected entities
Intel Core_i5:3230m Intel Core_i5:3339y Intel Core_i5:3337u Intel Core_i5:3317u Intel Core_i5:3320m
Information source
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201801-152
