Bug 1087083 - (CVE-2018-3640) VUL-0: CVE-2018-3640: V3a - Rogue Register Load
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2018-3640:7.1:(AV:L/...
Depends on:
Blocks: 1087078
Reported: 2018-03-27 13:21 UTC by Marcus Meissner
Modified: 2020-08-09 02:47 UTC
Comment 1 Marcus Meissner 2018-03-28 15:38:27 UTC
• 7.1 High CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Comment 2 Marcus Meissner 2018-05-02 07:06:04 UTC
Also:
CRD: 2018-05-21

I think.
Comment 3 Marcus Meissner 2018-05-21 21:23:55 UTC
This will be fixed via microcode updates only.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

    Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
    4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Comment 4 liu yu 2018-05-30 01:38:56 UTC
Does this vulnerability affect sles12sp2, and what does unsupported mean for sles12sp2?
Comment 5 Marcus Meissner 2018-05-30 06:37:42 UTC
This is a CPU processor side channel issue; there is no affectedness relation on Operating System versions.

We will be releasing ucode-intel updates for all our supported Operating Systems versions.
Comment 8 Swamp Workflow Management 2018-07-05 07:50:12 UTC
This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/620721 Factory / ucode-intel
Comment 9 Swamp Workflow Management 2018-07-05 13:40:13 UTC
This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/621150 42.3 / ucode-intel
Comment 10 Swamp Workflow Management 2018-07-06 19:09:04 UTC
openSUSE-SU-2018:1904-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
openSUSE Leap 42.3 (src):    ucode-intel-20180703-25.1
openSUSE Leap 15.0 (src):    ucode-intel-20180703-lp150.2.4.1
Comment 12 Swamp Workflow Management 2018-07-11 19:09:38 UTC
SUSE-SU-2018:1926-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    ucode-intel-20180703-3.3.1
Comment 13 Swamp Workflow Management 2018-07-12 10:11:48 UTC
SUSE-SU-2018:1935-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1087082,1087083,1096141,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE OpenStack Cloud 7 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-SP3 (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Server 12-LTSS (src):    ucode-intel-20180703-13.25.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ucode-intel-20180703-13.25.1
SUSE Enterprise Storage 4 (src):    ucode-intel-20180703-13.25.1
Comment 14 Swamp Workflow Management 2018-07-26 19:17:36 UTC
SUSE-SU-2018:2076-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    microcode_ctl-1.17-102.83.24.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    microcode_ctl-1.17-102.83.24.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    microcode_ctl-1.17-102.83.24.1
Comment 16 Swamp Workflow Management 2018-08-08 15:30:15 UTC
This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/628148 Factory / ucode-intel
Comment 19 Swamp Workflow Management 2018-08-09 07:30:17 UTC
This is an autogenerated message for OBS integration:
This bug (1087083) was mentioned in
https://build.opensuse.org/request/show/628335 42.3 / ucode-intel
Comment 20 Marcus Meissner 2018-08-15 12:13:21 UTC
This is covered by ongoing microcode updates from Intel.
Comment 21 Swamp Workflow Management 2018-08-15 16:08:45 UTC
SUSE-SU-2018:2331-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE OpenStack Cloud 7 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-SP3 (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Server 12-LTSS (src):    ucode-intel-20180807-13.29.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    ucode-intel-20180807-13.29.1
SUSE Enterprise Storage 4 (src):    ucode-intel-20180807-13.29.1
SUSE CaaS Platform 3.0 (src):    ucode-intel-20180807-13.29.1
Comment 22 Swamp Workflow Management 2018-08-16 07:09:53 UTC
SUSE-SU-2018:2335-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    microcode_ctl-1.17-102.83.27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    microcode_ctl-1.17-102.83.27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    microcode_ctl-1.17-102.83.27.1
Comment 23 Swamp Workflow Management 2018-08-16 07:11:56 UTC
SUSE-SU-2018:2338-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    ucode-intel-20180807-3.6.1
Comment 24 Swamp Workflow Management 2018-08-17 10:11:22 UTC
openSUSE-SU-2018:2399-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
openSUSE Leap 42.3 (src):    ucode-intel-20180807-28.1
openSUSE Leap 15.0 (src):    ucode-intel-20180807-lp150.2.7.1
Comment 25 Swamp Workflow Management 2018-08-30 15:58:15 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-09-06.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64128
Comment 27 Swamp Workflow Management 2018-10-18 16:15:26 UTC
SUSE-SU-2018:1935-2: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1087082,1087083,1096141,1100147
CVE References: CVE-2018-3639,CVE-2018-3640
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ucode-intel-20180703-13.25.1
Comment 28 Swamp Workflow Management 2018-10-18 17:20:05 UTC
SUSE-SU-2018:2331-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1087082,1087083,1089343,1104134
CVE References: CVE-2018-3639,CVE-2018-3640,CVE-2018-3646
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ucode-intel-20180807-13.29.1