
New Intel Spectre variation to be announced - jacquesm
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
======
jacquesm
I just received a warning from a hosting provider that there are two new Intel
Spectre announcements in the works.

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640) is the other one.

Rest of the announcement:

"Leaseweb is aware of the announcement made today by Intel regarding the two
security issues in Intel products designated Spectre-NG (comparable to the
Spectre vulnerabilities made public earlier this year). We are closely
tracking the situation as it develops, and working together with our vendors
to evaluate our infrastructure and customer-related environments.

WHAT IS AFFECTED? This issue affects most CPU models. Both vulnerabilities are
so-called “side channel” attacks, which allow an attacker to access memory
without permission and can lead to unauthorized access to data on the system.
The vulnerabilities are particularly relevant for multi-user and
virtualization/Cloud systems.

These are local exploits which means that remote attackers are unable to take
advantage of this problem, and an attacker needs access to the system itself.
There are no known / public exploits to this problem yet, but Intel was able
to replicate the issue, which means the attack has been confirmed, but no
exploits are as of yet available in the wild.

WHAT ARE THE NEXT STEPS? Intel is working with their vendors on making a fix
for this problem, which will include a solution on the operating system level
as well as a microcode patch. The first patches are likely to be available in
the last week of May.

Operating system level fixes will be available quickly, notably from
Microsoft, Canonical, Red Hat and VMware. We expect Debian, CentOS, and other
vendors to follow quickly after that.

Leaseweb will start patching and updating systems as soon as fixes are
available, and we will notify customers if there is any impact to their
service. If you are a dedicated server customer, please ensure to keep your
operating systems updated in the following weeks, and keep an extra eye on
critical or security updates from your OS vendor."

