Bug 1087083 – VUL-0: CVE-2018-3640: V3a - Rogue Register Load

Bug 1087083 - (CVE-2018-3640) VUL-0: CVE-2018-3640: V3a - Rogue Register Load

(CVE-2018-3640)
Summary:	VUL-0: CVE-2018-3640: V3a - Rogue Register Load

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv3:SUSE:CVE-2018-3640:7.1:(AV:L/...
Keywords:

Depends on:
Blocks:	1087078
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-03-27 13:21 UTC by Marcus Meissner
Modified:	2020-08-09 02:47 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 1 Marcus Meissner 2018-03-28 15:38:27 UTC

• 7.1 High CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Comment 2 Marcus Meissner 2018-05-02 07:06:04 UTC

Also:
CRD: 2018-05-21

I think.

Comment 3 Marcus Meissner 2018-05-21 21:23:55 UTC

this will be fixed via microcode updates only.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

    Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
    4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Comment 4 liu yu 2018-05-30 01:38:56 UTC

Does this vulnerability affect sles12sp2, and what does unsupported mean for sles12sp2?

Comment 5 Marcus Meissner 2018-05-30 06:37:42 UTC

This is a CPU processor side channel issue, there is no affectedness relation on Operating System versions.

We will be releasing ucode-intel updates for all our supported Operating Systems versions.

Comment 8 Swamp Workflow Management 2018-07-05 07:50:12 UTC

This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/620721 Factory / ucode-intel

Comment 9 Swamp Workflow Management 2018-07-05 13:40:13 UTC

This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/621150 42.3 / ucode-intel

Comment 10 Swamp Workflow Management 2018-07-06 19:09:04 UTC

openSUSE-SU-2018:1904-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
openSUSE Leap 42.3 (src):    ucode-intel-20180703-25.1
openSUSE Leap 15.0 (src):    ucode-intel-20180703-lp150.2.4.1

Comment 12 Swamp Workflow Management 2018-07-11 19:09:38 UTC

SUSE-SU-2018:1926-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    ucode-intel-20180703-3.3.1

Comment 13 Swamp Workflow Management 2018-07-12 10:11:48 UTC

SUSE-SU-2018:1935-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1087082,1087083,1096141,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE OpenStack Cloud 7 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-SP3 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-LTSS (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ucode-intel-20180703-13.25.1
SUSE Enterprise Storage 4 (src):    ucode-intel-20180703-13.25.1

Comment 14 Swamp Workflow Management 2018-07-26 19:17:36 UTC

SUSE-SU-2018:2076-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    microcode_ctl-1.17-102.83.24.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    microcode_ctl-1.17-102.83.24.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    microcode_ctl-1.17-102.83.24.1

Comment 16 Swamp Workflow Management 2018-08-08 15:30:15 UTC

This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/628148 Factory / ucode-intel

Comment 19 Swamp Workflow Management 2018-08-09 07:30:17 UTC

This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/628335 42.3 / ucode-intel

Comment 20 Marcus Meissner 2018-08-15 12:13:21 UTC

this is covered by ongoing microcode updates from Intel.

Comment 21 Swamp Workflow Management 2018-08-15 16:08:45 UTC

SUSE-SU-2018:2331-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE OpenStack Cloud 7 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-SP3 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-LTSS (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ucode-intel-20180807-13.29.1
SUSE Enterprise Storage 4 (src):    ucode-intel-20180807-13.29.1
SUSE CaaS Platform 3.0 (src):    ucode-intel-20180807-13.29.1

Comment 22 Swamp Workflow Management 2018-08-16 07:09:53 UTC

SUSE-SU-2018:2335-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    microcode_ctl-1.17-102.83.27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    microcode_ctl-1.17-102.83.27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    microcode_ctl-1.17-102.83.27.1

Comment 23 Swamp Workflow Management 2018-08-16 07:11:56 UTC

SUSE-SU-2018:2338-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    ucode-intel-20180807-3.6.1

Comment 24 Swamp Workflow Management 2018-08-17 10:11:22 UTC

openSUSE-SU-2018:2399-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
openSUSE Leap 42.3 (src):    ucode-intel-20180807-28.1
openSUSE Leap 15.0 (src):    ucode-intel-20180807-lp150.2.7.1

Comment 25 Swamp Workflow Management 2018-08-30 15:58:15 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-09-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64128

Comment 27 Swamp Workflow Management 2018-10-18 16:15:26 UTC

SUSE-SU-2018:1935-2: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1087082,1087083,1096141,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ucode-intel-20180703-13.25.1

Comment 28 Swamp Workflow Management 2018-10-18 17:20:05 UTC

SUSE-SU-2018:2331-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ucode-intel-20180807-13.29.1