USN-3522-4: Linux kernel (Xenial HWE) regression
Severity
Critical
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 14.04
Description
USN-3522-2 fixed a vulnerability in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS to address Meltdown (CVE-2017-5754). Unfortunately, that update introduced a regression where a few systems failed to boot successfully. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.
Affected Cloud Foundry Products and Versions
Severity is critical unless otherwise noted.
- Cloud Foundry BOSH stemcells are vulnerable, including:
- 3312.x versions prior to 3312.49
- 3363.x versions prior to 3363.45
- 3421.x versions prior to 3421.35
- 3445.x versions prior to 3445.21
- 3468.x versions prior to 3468.16
- All other stemcells not listed.
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- The Cloud Foundry project recommends upgrading the following BOSH stemcells:
- Upgrade 3312.x versions to 3312.49
- Upgrade 3363.x versions to 3363.45
- Upgrade 3421.x versions to 3421.35
- Upgrade 3445.x versions to 3445.21
- Upgrade 3468.x versions to 3468.16
- All other stemcells should be upgraded to the latest version available on bosh.io.
