Meltdown and Spectre - Modern CPU Vulnerabilities
Cumulus Networks released patches that fix these vulnerabilities. For information on how to apply the patches, read this article.
CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. The following organizations describe these attacks in detail:
- CERT/CC’s Vulnerability Note VU#584653.
- The United Kingdom National Cyber Security Centre’s guidance on Meltdown and Spectre.
- Google Project Zero (link is external).
- Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). They refer to the Linux kernel mitigations for this vulnerability as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.
The Common Vulnerabilities and Exposures formally associated with Meltdown and Spectre are:
- CVE-2017-5753: Bounds check bypass (Spectre)
- CVE-2017-5715: Branch target injection (Spectre)
- CVE-2017-5754: Rogue data cache load (Meltdown)
To exploit these vulnerabilities in Cumulus Linux, an attacker needs to have local access to the system.