Note: This issue was announced on the Cumulus Networks security announcement mailing list on January 4, 2018.
CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC's Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre, Google Project Zero (link is external), and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.
The Common Vulnerabilities and Exposures formally associated with Meltdown and Spectre are:
- CVE-2017-5753: Bounds check bypass (Spectre)
- CVE-2017-5715: Branch target injection (Spectre)
- CVE-2017-5754: Rogue data cache load (Meltdown)
To exploit these vulnerabilities in Cumulus Linux, an attacker needs to have local access to the system.
Cumulus Networks is evaluating, porting, and testing patches to Cumulus Linux. Cumulus will release software updates as soon as they become available, and we will announce any updates on the cumulus-security-announce mailing list. At this point, the performance impact of the fixes is unclear; the extent of the impact depends on the operating system, the nature of the fix and the workload of the system.