Multiple Vendor CPUs Side-Channel Vulnerabilities (Spectre Variant 3a, 4)
Original Issue Date: May 23, 2018
Severity Rating: Medium
Microprocessor implementations of:
The list of affected models/platforms is given in the respective vendor advisories.
Two vulnerabilities have been reported in various vendor CPUs which could be exploited by a local attacker to bypass security restrictions and obtain sensitive information from the targeted system.
The two vulnerabilities exist due to improper implementation of speculative execution of instructions on the CPU architecture. A local attacker could exploit these vulnerabilities by executing specially crafted code on the affected device and performing side-channel attacks on the targeted system.
Successful exploitation of these vulnerabilities could allow the attacker to gain access to sensitive information, including accessing CPU cache contents or reading older memory values in the stack or other memory locations.
Note: These vulnerabilities are being referred to as "Spectre variant 3a" (CVE-2018-3640) and "Spectre variant 4" (CVE-2018-3639).
- Refer to respective hardware and software vendors for patches or microcode.
- Use a test environment to verify each patch before implementing.
- Ensure that performance is monitored for critical applications and services.
- Consult with vendors and service providers to mitigate any degradation effects, if possible.
- Consult with Cloud Service Providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting, if applicable.
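One way to verify the patch state on a Linux test host, as an added example that is not part of the original advisory: kernels carrying the Spectre variant 4 (CVE-2018-3639) mitigation report its status in sysfs, and the script below classifies that status line. It covers variant 4 only; the function names and class labels are chosen here for illustration.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's reported status for
# Speculative Store Bypass (Spectre variant 4, CVE-2018-3639).
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# Map a kernel status line to a class label (labels are this example's own).
ssb_classify() {
    case "$1" in
        "Not affected"*)            echo not_affected ;;
        # Store bypass is disabled only for processes that request it
        # through prctl(), or that run under seccomp.
        "Mitigation:"*"via prctl"*) echo mitigated_optin ;;
        # Store bypass is disabled for every process.
        "Mitigation:"*)             echo mitigated_global ;;
        "Vulnerable"*)              echo vulnerable ;;
        *)                          echo unknown ;;
    esac
}

# Print "<class>: <status>" for the given file (default: the sysfs entry).
# Exit code: 0 = not affected or mitigated, 1 = vulnerable, 2 = unknown.
ssb_check() {
    file="${1:-$SSB_SYSFS}"
    if [ ! -r "$file" ]; then
        # No entry: the kernel lacks the reporting patch, or this is not Linux.
        echo "unknown: $file not readable"
        return 2
    fi
    status=""
    IFS= read -r status < "$file" || true
    class=$(ssb_classify "$status")
    echo "$class: $status"
    case "$class" in
        not_affected|mitigated_global|mitigated_optin) return 0 ;;
        vulnerable) return 1 ;;
        *) return 2 ;;
    esac
}

# Demo run on the local host; remove "|| :" to use the exit code in automation.
ssb_check || :
```

Run it before and after applying a vendor kernel or microcode update in the test environment; a host that moves from `vulnerable` or `unknown` to a mitigated class confirms the update took effect for variant 4.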
Google Project Zero
The information provided herein is on an "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003