Your submission was sent successfully! Close

CVE-2017-5715

Published: 03 January 2018

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

From the Ubuntu security team

Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory.

Priority

High

CVSS 3 base score: 5.6

Status

Package Release Status
amd64-microcode
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (3.20180524.1~ubuntu0.18.04.1)
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (57.0.4)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (59.0.1+build1-0ubuntu1)
intel-microcode
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(3.20180108.1)
libvirt
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.0.0-1ubuntu1)
linux
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.13.0-32.35)
Patches:
Introduced by 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed by 76b043848fd22dbf7f8bf3a1452f8c70d557b860|local-2017-5715-intel
linux-armadaxp
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

This package is not directly supported by the Ubuntu Security Team
linux-aws
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.15.0-1001.1)
linux-azure
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.15.0-1002.2)
linux-azure-edge
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.18.0-1003.3~18.04.1)
linux-euclid
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-flo
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-gcp
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.15.0-1001.1)
linux-gke
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-goldfish
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-grouper
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

linux-hwe-edge
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.18.0-11.12~18.04.1)
linux-kvm
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.15.0-1002.2)
linux-linaro-omap
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-linaro-shared
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-linaro-vexpress
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-lts-quantal
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

This package is not directly supported by the Ubuntu Security Team
linux-lts-raring
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-lts-saucy
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

This package is not directly supported by the Ubuntu Security Team
linux-lts-trusty
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-lts-utopic
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-lts-vivid
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-lts-wily
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-lts-xenial
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-maguro
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-mako
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-manta
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-oem
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.15.0-1002.3)
linux-qcm-msm
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

linux-raspi2
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.15.0-1006.7)
linux-snapdragon
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

linux-ti-omap4
Launchpad, Ubuntu, Debian
Upstream
Released (4.15~rc8)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

qemu
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (1:2.11+dfsg-1ubuntu2)
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

webkit2gtk
Launchpad, Ubuntu, Debian
Upstream
Released (2.18.5)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(2.18.6-1)

Notes

AuthorNote
tyhicks
Variant 2, aka "Spectre"
mdeslaur
intel-microcode updates were reverted in usn-3531-2
tyhicks
The break-fix lines for this CVE are not complete since a large
number of patches are required to mitigate this issue. The commit(s) listed
are chosen as placeholders for automated CVE triage purposes.
leosilva
Due to the lack of recent CPU models in qemu and the lack of
microcode early-loading support in the precise kernel, we do not
plan on backporting support for the new flag to QEMU and libvirt
at this time.

References