Nothing groundbreaking here: I am just collating vendor advisories and press releases, as I find them, that relate to the recently disclosed speculative execution side-channel vulnerabilities. These are also being referred to as Spectre (variants 1 & 2) and Meltdown (variant 3). If you have any additions/corrections, please let me know in the comments, and I’ll update this post.
Disclaimer: This is my personal blog & post. This post is not an official statement or communication from Microsoft. For Microsoft’s official guidance, please see the links in the “Microsoft” section below.
Research
Vendor | Info | Article |
Google | Blog | https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html |
Google | GPZ Blog | https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html |
Google | GPZ Bugtracker | https://bugs.chromium.org/p/project-zero/issues/detail?id=1272 |
Google | More Details | https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html |
Researchers | Meltdown | https://meltdownattack.com/ |
Researchers | Spectre | https://spectreattack.com/ |
Microsoft
Advisories & Communications
CPU Makers
Hardware OEMs
Client OEMs
Vendor | Info | Article |
HP | Security Advisory | https://support.hp.com/document/c05869091 |
Dell | Security Advisory | www.dell.com/support/meltdown-spectre |
Lenovo | Security Advisory | https://support.lenovo.com/us/en/solutions/len-18282 |
Asus | Security Advisory | https://www.asus.com/News/YQ3Cr4OYKdZTwnQK |
Acer | | https://us.answers.acer.com/app/answers/detail/a_id/53104 |
VAIO | | https://solutions.vaio.com/3316 |
Samsung | Pending | |
Fujitsu | | http://www.fujitsu.com/global/support/products/software/security/products-f/jvn-93823979e.html |
LG | Pending | |
Panasonic | | https://pc-dl.panasonic.co.jp/itn/vuln/g18-001.html |
Toshiba | | https://support.toshiba.com/support/viewContentDetail?contentId=4015952 |
Huawei | Pending | |
Xiaomi | Pending |
Server OEMs
Vendor | Info | Article |
HPE | Security Advisory | http://h22208.www2.hpe.com/eginfolib/securityalerts/SCAM/Side_Channel_Analysis_Method.html |
Dell | Security Advisory | http://www.dell.com/support/article/us/en/04/sln308588/ |
Lenovo | Security Advisory | https://support.lenovo.com/us/en/solutions/len-18282 |
Huawei | Security Advisory | http://www.huawei.com/au/psirt/security-notices/huawei-sn-20180104-01-intel-en |
Fujitsu | Security Advisory | http://www.fujitsu.com/global/support/products/software/security/products-f/jvn-93823979e.html |
Cisco | Security Advisory | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel |
IBM | Blog | https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/ |
Other OEMs
Vendor | Info | Article |
F5 | Security Advisory | https://support.f5.com/csp/article/K91229003 |
Fortinet | Security Advisory | https://fortiguard.com/psirt/FG-IR-18-002 |
Juniper | Security Advisory | https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842&actp=METADATA |
NetApp | Security Advisory | https://security.netapp.com/advisory/ntap-20180104-0001/ |
Raspberry Pi | Blog | https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/ |
Cloud Providers
Virtualization
Vendor | Info | Article |
Citrix | | https://support.citrix.com/article/CTX231399 |
VMware | | https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html |
Xen | Advisory | https://xenbits.xen.org/xsa/advisory-254.html |
Xen | FAQ | https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/ |
Operating Systems
Browsers
Vendor | Info | Article |
Google Chrome | Security Info | https://www.chromium.org/Home/chromium-security/ssca |
Mozilla Firefox | Blog | https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ |
Apple Safari | Security Info | https://support.apple.com/en-us/HT208403 |
WebKit | Rendering Engine Info | https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/ |
Mobile Devices
Vendor | Info | Article |
Android | | https://source.android.com/security/bulletin/2018-01-01 |
Apple | iOS 11.2.2 | https://support.apple.com/en-us/HT208401 |
Databases
Vendor | Article |
PostgreSQL | https://www.postgresql.org/message-id/[email protected] |
Oracle | Pending |
MySQL | Pending |
Antivirus
(Hat tip to Kevin Beaumont: https://twitter.com/GossiTheDog/status/948889660780175360 (Direct GDocs Link: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true))
SaaS
Vendor | Article |
Salesforce | https://help.salesforce.com/articleView?id=Spectre-and-Meltdown-Vulnerabilities&language=en_US&type=1 |
1Password | https://blog.agilebits.com/2018/01/04/same-as-it-ever-was-theres-no-reason-to-melt-down/ |
Dropbox | Pending |
BoxHQ | Pending |
Other
Vendor | Info | Article |
LLVM | | http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20180101/513630.html |
MITRE | CVE-2017-5715 | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715 |
MITRE | CVE-2017-5753 | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753 |
MITRE | CVE-2017-5754 | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754 |
CERTS
Benchmarks & Performance Impacts
Benchmark Tests
Vendor | Info | Article |
Phoronix | VM Performance Showing Mixed Impact with Linux 4.15 KPTI Patches | https://www.phoronix.com/scan.php?page=article&item=linux-kpti-kvm&num=1 |
Phoronix | Initial Benchmarks of the Performance Impact Resulting From Linux’s x86 Security Changes | https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=1 |
Phoronix | Further Analyzing The Intel CPU “x86 PTI Issue” on More Systems | https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1 |
Reddit | Discussion on Benchmarking | https://www.reddit.com/r/Amd/comments/7o0m37/requesting_benchmarks_on_amd_processors_before/ |
TechSpot | Testing Windows 10 Performance Before and After the Meltdown Flaw Emergency Patch | https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/ |
OSX Reverser | Measuring OS X Meltdown Patches Performance | https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/ |
Vendor Performance Assessments
Vendor | Info | Article |
RedHat | Performance Impacts – Describing the performance impacts to security patches | https://access.redhat.com/articles/3307751 |
Google | Protecting our Google Cloud customers from new vulnerabilities without impacting performance | https://www.blog.google/topics/google-cloud/protecting-our-google-cloud-customers-new-vulnerabilities-without-impacting-performance/ |
Thanks so much for putting this together! One minor thing I noticed, though: Your VMware link is to VMSA-2018-0001, when it should be pointing at VMSA-2018-0002.
Just fixed it… thanks!
Thank you for the curated content.
Thanks for putting this together, Chris. Nice work!
Would you consider adding a link to Wind River’s disclosure page? It is at https://www.windriver.com/security/announcements/meltdown-spectre/ .
Thanks! I’ve added it to the “Other” section – not sure where it fits better.
We are an operating system vendor (Wind River Linux, VxWorks and others), so under OS might be better. Thanks, though!
Thanks for the clarification – I’ve moved it to the OS section.