Bug 1215278 (CVE-2023-23583)

Summary:	VUL-0: CVE-2023-23583: ucode-intel: Intel CPU can be made to deadlock or privilege escalate
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Marcus Meissner <meissner>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P2 - High	CC:	abergmann, meissner, mhocko, nborisov, security-team, stoyan.manolov
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/378123/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-23583:8.8:(AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Comment 1 Marcus Meissner 2023-09-13 07:26:36 UTC

CRD: 2023-11-14

Comment 2 Marcus Meissner 2023-09-20 08:54:07 UTC

uploaded paper to embargoed gitlab wiki:

https://gitlab.suse.de/security/spec2021/-/wikis/home

Comment 3 Marcus Meissner 2023-09-20 08:56:38 UTC

affected, already fixed:
Raptor Lake
Alder Lake
Sapphire Rapids

affected, not yet fixed, to be fixed Nov 14 2023:

Ice Lake
Tiger Lake
Rocket Lake
ICX-SP
ICX-D

Comment 6 Marcus Meissner 2023-11-14 19:11:23 UTC

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html

is public

Comment 7 Maintenance Automation 2023-11-14 20:30:02 UTC

SUSE-SU-2023:4442-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215278
CVE References: CVE-2023-23583
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): ucode-intel-20231113-128.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): ucode-intel-20231113-128.1
SUSE Linux Enterprise Server 12 SP5 (src): ucode-intel-20231113-128.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Maintenance Automation 2023-11-14 20:30:05 UTC

SUSE-SU-2023:4441-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215278
CVE References: CVE-2023-23583
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ucode-intel-20231113-150100.3.228.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ucode-intel-20231113-150100.3.228.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ucode-intel-20231113-150100.3.228.1
SUSE CaaS Platform 4.0 (src): ucode-intel-20231113-150100.3.228.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Maintenance Automation 2023-11-14 20:30:07 UTC

SUSE-SU-2023:4440-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215278
CVE References: CVE-2023-23583
Sources used:
openSUSE Leap Micro 5.3 (src): ucode-intel-20231113-150200.32.1
openSUSE Leap Micro 5.4 (src): ucode-intel-20231113-150200.32.1
openSUSE Leap 15.4 (src): ucode-intel-20231113-150200.32.1
openSUSE Leap 15.5 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro 5.3 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro 5.4 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro 5.5 (src): ucode-intel-20231113-150200.32.1
Basesystem Module 15-SP4 (src): ucode-intel-20231113-150200.32.1
Basesystem Module 15-SP5 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ucode-intel-20231113-150200.32.1
SUSE Manager Proxy 4.2 (src): ucode-intel-20231113-150200.32.1
SUSE Manager Retail Branch Server 4.2 (src): ucode-intel-20231113-150200.32.1
SUSE Manager Server 4.2 (src): ucode-intel-20231113-150200.32.1
SUSE Enterprise Storage 7.1 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro 5.1 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro 5.2 (src): ucode-intel-20231113-150200.32.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): ucode-intel-20231113-150200.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 OBSbugzilla Bot 2023-11-15 08:45:04 UTC

This is an autogenerated message for OBS integration:
This bug (1215278) was mentioned in
https://build.opensuse.org/request/show/1126540 Factory / ucode-intel

Comment 11 Marcus Meissner 2023-11-15 09:21:40 UTC

researcher article https://lock.cmpxchg8b.com/reptar.html

Comment 15 Maintenance Automation 2023-11-21 08:30:10 UTC

SUSE-SU-2023:4493-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215278
CVE References: CVE-2023-23583
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): ucode-intel-20231114-131.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): ucode-intel-20231114-131.1
SUSE Linux Enterprise Server 12 SP5 (src): ucode-intel-20231114-131.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Maintenance Automation 2023-11-21 12:30:07 UTC

SUSE-SU-2023:4500-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215278
CVE References: CVE-2023-23583
Sources used:
openSUSE Leap Micro 5.3 (src): ucode-intel-20231114-150200.35.1
openSUSE Leap Micro 5.4 (src): ucode-intel-20231114-150200.35.1
openSUSE Leap 15.4 (src): ucode-intel-20231114-150200.35.1
openSUSE Leap 15.5 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro 5.3 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro 5.4 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro 5.5 (src): ucode-intel-20231114-150200.35.1
Basesystem Module 15-SP4 (src): ucode-intel-20231114-150200.35.1
Basesystem Module 15-SP5 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ucode-intel-20231114-150200.35.1
SUSE Enterprise Storage 7.1 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro 5.1 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro 5.2 (src): ucode-intel-20231114-150200.35.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): ucode-intel-20231114-150200.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Maintenance Automation 2023-11-21 16:30:05 UTC

SUSE-SU-2023:4510-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1215278
CVE References: CVE-2023-23583
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ucode-intel-20231114-150100.3.231.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ucode-intel-20231114-150100.3.231.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ucode-intel-20231114-150100.3.231.1
SUSE CaaS Platform 4.0 (src): ucode-intel-20231114-150100.3.231.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Marcus Meissner 2024-05-17 12:10:51 UTC

done