Intel和ARM CPU芯片信息泄露漏洞

CNNVD-ID编号	CNNVD-201801-152	CVE编号	CVE-2017-5715
发布时间	2018-01-04	更新时间	2020-08-14
漏洞类型	信息泄露	漏洞来源	InTeL,Jann Horn (Google Project Zero) and Paul Kocher in collaboration with, and Yuval Yarom (Univer, Daniel Genkin (University of Pennsylvania and University of Maryland), in alphabetical order, Moritz Lipp (Graz University of Technology), Mike Hamburg (Rambus)
危险等级	中危	威胁类型	本地
厂商	intel

漏洞介绍

ARM Cortex-R7等都是英国ARM公司的CPU（中央处理器）产品。Intel Xeon E5-1650等都是美国英特尔（Intel）公司的CPU（中央处理器）产品。

Intel和ARM CPU芯片中存在信息泄露漏洞，该漏洞源于处理器数据边界机制中存在缺陷。本地攻击者可通过滥用‘错误推测执行’利用该漏洞读取内存信息。以下产品和版本受到影响：ARM Cortex-R7；Cortex-R8；Cortex-A8；Cortex-A9；Cortex-A12；Intel Xeon CPU E5-1650 v3，v2，v4版本；Xeon E3-1265l v2，v3，v4版本；Xeon E3-1245 v2，v3，v5，v6版本；Xeon X7542等。

漏洞补丁

目前部分厂商已提供了该漏洞的解决方案，详情请关注厂商安全公告：

Intel:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Microsoft:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Amazon:

https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

ARM:

https://developer.arm.com/support/security-update

Google:

https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

https://www.chromium.org/Home/chromium-security/ssca

Red Hat:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

Xen:

http://xenbits.xen.org/xsa/advisory-254.html

Mozilla:

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

VMware:

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

AMD:

https://www.amd.com/en/corporate/speculative-execution

Linux Kernel:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5aa90a84589282b87666f92b6c3c917c8080a9bf

参考网址

来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00003.html
来源:UBUNTU

链接：https://usn.ubuntu.com/3549-1/
来源:UBUNTU

链接：https://usn.ubuntu.com/3597-1/
来源:DEBIAN

链接：https://www.debian.org/security/2018/dsa-4120
来源:CONFIRM

链接：http://nvidia.custhelp.com/app/answers/detail/a_id/4609
来源:CONFIRM

链接：http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt
来源:CERT-VN

链接：https://www.kb.cert.org/vuls/id/180049
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2018/09/msg00017.html
来源:SECTRACK

链接：http://www.securitytracker.com/id/1040071
来源:CONFIRM

链接：https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
来源:CONFIRM

链接：https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00009.html
来源:REDHAT

链接：https://access.redhat.com/errata/RHSA-2018:0292
来源:xenbits.xen.org

链接：https://xenbits.xen.org/xsa/advisory-254.html
来源:developer.arm.com

链接：https://developer.arm.com/support/security-update
来源:www.vmware.com

链接：https://www.vmware.com/security/advisories/VMSA-2018-0007.html
来源:www.vmware.com

链接：https://www.vmware.com/security/advisories/VMSA-2018-0004.html
来源:lists.vmware.com

链接：https://lists.vmware.com/pipermail/security-announce/2018/000397.html
来源:chromereleases.googleblog.com

链接：https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-chrome-os_19.html
来源:cert-portal.siemens.com

链接：https://cert-portal.siemens.com/productcert/pdf/ssa-168644.pdf
来源:www.mozilla.org

链接：https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
来源:www.symantec.com

链接：https://www.symantec.com/security-center/network-protection-security-advisories/SA161
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0017
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0016
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0015
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0014
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0013
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0012
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0011
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0010
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0009
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0008
来源:access.redhat.com

链接：https://access.redhat.com/errata/RHSA-2018:0007
来源:googleprojectzero.blogspot.in

链接：https://googleprojectzero.blogspot.in/2018/01/reading-privileged-memory-with-side.html
来源:www.bd.com

链接：http://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletin-for-meltdown-and-spectre-update-1
来源:www.oracle.com

链接：https://www.oracle.com/technetwork/topics/security/ovmbulletinapr2018-4431088.html
来源:www.oracle.com

链接：https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
来源:www.oracle.com

链接：https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
来源:www.oracle.com

链接：http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
来源:blog.mozilla.org

链接：https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
来源:support.microsoft.com

链接：https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates
来源:jvn.jp

链接：https://jvn.jp/vu/JVNVU93823979/index.html
来源:securityadvisories.paloaltonetworks.com

链接：https://securityadvisories.paloaltonetworks.com/Home/Detail/120
来源:ics-cert.us-cert.gov

链接：https://ics-cert.us-cert.gov/alerts/ICS-ALERT-18-011-01E
来源:ics-cert.us-cert.gov

链接：https://ics-cert.us-cert.gov/alerts/ICS-ALERT-18-011-01C
来源:aix.software.ibm.com

链接：http://aix.software.ibm.com/aix/efixes/security/spectre_update_advisory.asc
来源:aix.software.ibm.com

链接：http://aix.software.ibm.com/aix/efixes/security/spectre_meltdown_advisory.asc
来源:support.hpe.com

链接：https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us
来源:support.google.com

链接：https://support.google.com/faqs/answer/7622138
来源:access.redhat.com

链接：https://access.redhat.com/security/cve/CVE-2017-5715
来源:tools.cisco.com

链接：https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
来源:bugzilla.redhat.com

链接：https://bugzilla.redhat.com/show_bug.cgi?id=1519780
来源:seclists.org

链接：http://seclists.org/bugtraq/2018/Jan/23
来源:seclists.org

链接：http://seclists.org/bugtraq/2018/Jan/22
来源:seclists.org

链接：http://seclists.org/bugtraq/2018/Jan/21
来源:source.android.com

链接：https://source.android.com/security/bulletin/2018-01-01
来源:www.amd.com

链接：https://www.amd.com/en/corporate/speculative-execution
来源:portal.msrc.microsoft.com

链接：https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
来源:www.chromium.org

链接：https://www.chromium.org/Home/chromium-security/ssca
来源:support.apple.com

链接：https://support.apple.com/en-us/HT208394
来源:kb.juniper.net

链接：https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842&cat=SIRT_1&actp=LIST
来源:www.kb.cert.org

链接：https://www.kb.cert.org/vuls/id/584653
来源:spectreattack.com

链接：https://spectreattack.com/
来源:access.redhat.com

链接：https://access.redhat.com/security/vulnerabilities/speculativeexecution
来源:lwn.net

链接：https://lwn.net/Articles/738975/
来源:newsroom.intel.com

链接：https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
来源:www.intel.com

链接：http://www.intel.com/content/www/us/en/homepage.html
来源:www.arm.com

链接：https://www.arm.com/
来源:www.amd.com

链接：http://www.amd.com/en-gb
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html
来源:CERT-VN

链接：http://www.kb.cert.org/vuls/id/584653
来源:UBUNTU

链接：https://usn.ubuntu.com/3561-1/
来源:CONFIRM

链接：https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf
来源:UBUNTU

链接：https://usn.ubuntu.com/3581-2/
来源:UBUNTU

链接：https://usn.ubuntu.com/3580-1/
来源:CONFIRM

链接：https://security.paloaltonetworks.com/CVE-2017-5715
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00002.html
来源:CONFIRM

链接：https://cert.vde.com/en-us/advisories/vde-2018-002
来源:MISC

链接：https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html
来源:CONFIRM

链接：https://cert.vde.com/en-us/advisories/vde-2018-003
来源:CONFIRM

链接：https://support.f5.com/csp/article/K91229003
来源:UBUNTU

链接：https://usn.ubuntu.com/3594-1/
来源:UBUNTU

链接：https://usn.ubuntu.com/3531-1/
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00004.html
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html
来源:FREEBSD

链接：https://security.FreeBSD.org/advisories/FreeBSD-SA-18:03.speculative_execution.asc
来源:UBUNTU

链接：https://usn.ubuntu.com/3620-2/
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00012.html
来源:CONFIRM

链接：http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html
来源:UBUNTU

链接：https://usn.ubuntu.com/3542-2/
来源:UBUNTU

链接：https://usn.ubuntu.com/usn/usn-3516-1/
来源:EXPLOIT-DB

链接：https://www.exploit-db.com/exploits/43427/
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html
来源:CONFIRM

链接：http://xenbits.xen.org/xsa/advisory-254.html
来源:DEBIAN

链接：https://www.debian.org/security/2018/dsa-4188
来源:DEBIAN

链接：https://www.debian.org/security/2018/dsa-4187
来源:CONFIRM

链接：https://security.netapp.com/advisory/ntap-20180104-0001/
来源:CONFIRM

链接：https://support.lenovo.com/us/en/solutions/LEN-18282
来源:MISC

链接：https://packetstormsecurity.com/files/155281/FreeBSD-Security-Advisory-FreeBSD-SA-19-26.mcu.html
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html
来源:CONFIRM

链接：https://www.synology.com/support/security/Synology_SA_18_01
来源:BUGTRAQ

链接：https://seclists.org/bugtraq/2019/Jun/36
来源:CONFIRM

链接：https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03871en_us
来源:UBUNTU

链接：https://usn.ubuntu.com/3582-1/
来源:CONFIRM

链接：https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html
来源:UBUNTU

链接：https://usn.ubuntu.com/3541-2/
来源:DEBIAN

链接：https://www.debian.org/security/2018/dsa-4213
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00005.html
来源:SUSE

链接：http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00013.html
来源:BUGTRAQ

链接：https://seclists.org/bugtraq/2019/Nov/16
来源:UBUNTU

链接：https://usn.ubuntu.com/3597-2/
来源:CONFIRM

链接：https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001
来源:CONFIRM

链接：https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
来源:CONFIRM

链接：http://nvidia.custhelp.com/app/answers/detail/a_id/4614
来源:CONFIRM

链接：http://nvidia.custhelp.com/app/answers/detail/a_id/4613
来源:CONFIRM

链接：https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes
来源:UBUNTU

链接：https://usn.ubuntu.com/3531-3/
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2020/03/msg00025.html
来源:CONFIRM

链接：https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
来源:BID

链接：https://www.securityfocus.com/bid/102376
来源:FREEBSD

链接：https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc
来源:UBUNTU

链接：https://usn.ubuntu.com/3777-3/
来源:CONFIRM

链接：http://nvidia.custhelp.com/app/answers/detail/a_id/4611
来源:MISC

链接：https://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html
来源:UBUNTU

链接：https://usn.ubuntu.com/3560-1/
来源:MLIST

链接：https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
来源:UBUNTU

链接：https://usn.ubuntu.com/3582-2/
来源:GENTOO

链接：https://security.gentoo.org/glsa/201810-06
来源:CONFIRM

链接：https://support.citrix.com/article/CTX231399
来源:UBUNTU

链接：https://usn.ubuntu.com/3581-1/
来源:CONFIRM

链接：http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
来源:CONFIRM

链接：https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
来源:CONFIRM

链接：http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
来源:UBUNTU

链接：https://usn.ubuntu.com/3540-2/
来源:UBUNTU

链接：https://usn.ubuntu.com/3690-1/
来源:MISC

链接：https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
来源:www.suse.com

链接：https://www.suse.com/support/update/announcement/2019/suse-su-201913999-1.html
来源:support.f5.com

链接：https://support.f5.com/csp/article/K54252492
来源:fortiguard.com

链接：https://fortiguard.com/psirt/FG-IR-18-002
来源:security.freebsd.org

链接：https://security.freebsd.org/advisories/FreeBSD-SA-19:26.mcu.asc
来源:support.symantec.com

链接：http://support.symantec.com/content/unifiedweb/en_US/article.SYMSA1426.html
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.1017/
来源:www.securityfocus.com

链接：https://www.securityfocus.com/bid/102376
来源:source.android.com

链接：https://source.android.com/security/bulletin/2019-09-01
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.2798/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/78154
来源:www.huawei.com

链接：https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20180106-01-cpu-cn
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2019.1899.2/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2019.1926/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2019.4358/
来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2019.1899/
来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/155281/FreeBSD-Security-Advisory-FreeBSD-SA-19-26.mcu.html

受影响实体

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201801-152

Intel和ARM CPU芯片信息泄露漏洞

漏洞介绍

漏洞补丁

参考网址

受影响实体

信息来源

查询漏洞

相关漏洞

支持服务

云学院

合作与生态

Intel和ARM CPU芯片信息泄露漏洞

漏洞介绍

漏洞补丁

参考网址

受影响实体

信息来源

查询漏洞

相关漏洞