Potential CPU security issue with IBM System x, Flex and BladeCenter Systems
IBM is aware of side-channel vulnerabilities impacting microprocessors, referred to as Spectre/Meltdown (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), disclosed in January; additional variants CVE-2018-3639 and CVE-2018-3640, disclosed on May 21st; and CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646, disclosed August 14th. The IBM Unified Extensible Firmware Interface (UEFI) on System x, Flex and BladeCenter systems is affected by CVE-2017-5715, CVE-2018-3639 and CVE-2018-3640. While UEFI is not affected by Spectre variant 1 (CVE-2017-5753) nor Meltdown (CVE-2017-5754), other elements of the identified systems are susceptible to those vulnerabilities, and we are dependent on our hardware vendor partners for patches to address them.
Security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory have been made public. These vulnerabilities all make use of speculative execution to perform side-channel information disclosure attacks. The vulnerabilities are all variants of the same class of attacks but differ in the way that speculative execution is exploited.
The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, collectively known as Spectre, allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, known as Meltdown, allows user-level code to infer the contents of kernel memory.
The additionally disclosed vulnerabilities CVE-2018-3639, referred to as variant 4 (Speculative Store Bypass), CVE-2018-3640, referred to as variant 3a (Rogue System Register Read), and CVE-2018-3615, CVE-2018-3620 and CVE-2018-3646, collectively referred to as Level 1 Terminal Fault (L1TF), are in the same family of side-channel attacks.
Spectre variants 2 (CVE-2017-5715), 4 (CVE-2018-3639) and 3a (CVE-2018-3640) affect Unified Extensible Firmware Interface (UEFI) on the System x, Flex and BladeCenter systems listed below. Fixes for L1TF vulnerabilities are included with the Intel update for Spectre variants 4 and 3a.
UEFI is not affected by Spectre variant 1 (CVE-2017-5753) nor Meltdown (CVE-2017-5754). We are dependent on our hardware vendor partners for patches to Spectre variant 1 and Meltdown.
IBM is working with the vendor partners to incorporate microprocessor fixes as they become available. Additional information will be provided through IBM Security Bulletins. As UEFI fixes become available they will be provided on Fix Central.
This system list is subject to change depending on fix availability from the vendor.
Depending on your system and applications, additional Operating System patches may be required. See the Related information section below for details.
|BladeCenter HS23 7875/1929|
|BladeCenter HS23E 8038/8039|
|BladeCenter HX5 7872/1909|
|BladeCenter HX5 1910/7873 refresh|
|Flex System x220 2585/7906|
|Flex System x222 7916|
|Flex System x240 7863/8737/8738/8956|
|Flex System x280 x6 4259|
|Flex System x480 x6, x880 X6 7903|
|Flex System x440 7917|
|System x NeXtScale nx360 M4 5455|
|System x iDataPlex dx360 M4 7912/7913|
|System x3100 M4 2582|
|System x3250 M4 2583|
|System x3100 M5 5457|
|System x3250 M5 5458|
|System x3300 M4 7382|
|System x3500 M4 7383|
|System x3550 M4 7914|
|System x3630 M4 7158|
|System x3530 M4 7160|
|System x3650 M4 7915|
|System x3650 M4 HD 5460|
|System x3650 M4 BD 5466|
|System x3690 X5 7147/7148/7149/7192|
|System x3750 M4 8722/8733|
|System x3750 M4 8752/8718|
|System x3850 X5 7143/7145/7146/7191|
|System x3950 X5 7143/7145/7146/7191|
|System x3850 x6 3837|
|System x3950 x6 3839|
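Once UEFI and operating system patches are applied to a listed system running Linux, the kernel's own view of each CVE named above can be read back from sysfs. The following is an added example, not IBM code: it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities`, the CVE-to-file mapping is this example's, and the sample values are constructed.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE from this advisory -> sysfs status file. None: the kernel exposes no
# status file for that CVE (variant 3a), so it is always reported "unknown".
CVE_TO_SYSFS = {
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
    "CVE-2017-5754": "meltdown",
    "CVE-2018-3639": "spec_store_bypass",
    "CVE-2018-3640": None,
    "CVE-2018-3615": "l1tf",
    "CVE-2018-3620": "l1tf",
    "CVE-2018-3646": "l1tf",
}

# Constructed sample contents (not captured from a real system); the missing
# spec_store_bypass entry models a kernel that predates that status file.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
}

def classify(text):
    """Reduce one sysfs status line to a coarse verdict."""
    if text is None:
        return "unknown"          # file absent: kernel cannot report this CVE
    line = text.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation"):
        # e.g. "...; SMT vulnerable": a mitigation is on but a gap remains
        return "partial" if "vulnerable" in line.lower() else "mitigated"
    return "vulnerable" if line.startswith("Vulnerable") else "unknown"

def load_sysfs(sysfs_dir=SYSFS_DIR):
    """Read every status file present; empty dict if the directory is absent."""
    d = Path(sysfs_dir)
    return {p.name: p.read_text() for p in d.iterdir() if p.is_file()} if d.is_dir() else {}

def report(files):
    """Return {CVE: verdict} for the CVEs named in the advisory."""
    return {cve: classify(files.get(name) if name else None)
            for cve, name in CVE_TO_SYSFS.items()}

if __name__ == "__main__":
    for cve, verdict in report(load_sysfs() or SAMPLE).items():
        print(f"{cve}  {verdict}")
```

A verdict of "unknown" means the running kernel does not report on that CVE, not that the system is safe; check the firmware and kernel levels against the bulletins instead.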
Related information
IBM PSIRT Blog - Potential CPU Security Issue
IBM Security Vulnerability Management (PSIRT)
IBM Security Bulletins
IBM Security Bulletin - UEFI fixes for CVE-2017-5715
IBM Security Bulletin - UEFI fixes for CVE-2018-3639 and CVE-2018-3640
Subscribe to IBM Security Bulletin notification
IBM Fix Central
MITRE: Spectre Variant 2 CVE-2017-5715
Intel: Q2 2018 Speculative Execution Side Channel Updat
Intel: Side-Channel Analysis Facts and Intel Products
Intel: Microcode Revision Guidance
Lenovo: Speculative Execution Side Channel Variants 4 a
Lenovo: L1 Terminal Fault Side Channel Vulnerabilities
Lenovo: Reading Privileged Memory with a Side Channel
Microsoft: ADV180002 | Guidance to mitigate speculative
Microsoft: Windows Server guidance to protect against s
Redhat: Kernel Side-Channel Attacks - CVE-2017-5754 CVE
SUSE: Meltdown and Spectre side channel attacks against
Ubuntu: SpectreAndMeltdown - Information leak via specu
VMWare: Response to Speculative Execution security issu
|System x Blades|UEFI|Firmware|All Versions|
|PureFlex System & Flex System|UEFI|Firmware|All Versions|
More support for:
Version: All Versions
Operating system(s): Firmware
Reference #: T1026905
Modified date: 15 August 2018