Side-Channel Analysis Method (Spectre & Meltdown) Security Review

Fujitsu Communication

Original release: 10.01.2018
Latest Update: 15.01.2018
Reference: Security vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, SA-00088)
Malicious code utilizing a new method of side-channel analysis and running locally on a normally operating platform has the potential to allow the inference of data values from memory. This issue takes advantage of techniques commonly used in many modern processor architectures.
Potential impact:
Elevation of Privilege / Information Disclosure
The exploits do not have the potential to corrupt, modify or delete data.
Affected Fujitsu products:
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.
Client Computing Devices and PRIMERGY/PRIMEQUEST
An overview of the affected Client Computing Devices and PRIMERGY/PRIMEQUEST products can be found here:
List of affected systems
Fujitsu BS2000 Products
BS2000 Mainframes using /390 processors are not affected by this security issue.
Some of the BS2000 Mainframes use Intel processors. However, they are not affected either, as they run only system software provided by Fujitsu. The system software transforms user-created BS2000 applications into x86 programs. As a result, users cannot run their own x86 code to exploit the flaws. BS2000 systems are therefore safe and secure even without additional security patches.
For some optional BS2000 server components, such as Application Units, customers use operating systems or hypervisors other than BS2000 or VM2000. These customers should promptly deploy the patches provided by the respective manufacturer.
Fujitsu continues to monitor potential security issues for BS2000 products.
Fujitsu Storage Products
ETERNUS CS (CS200c, CS800, CS8000) appliances also use Intel processors. However, they are not affected by this security issue since they are self-contained data protection appliances. Only ETERNUS CS specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted. ETERNUS DX and AF series products are not affected by this vulnerability because no external program can be executed on them.
None of the ETERNUS LT (20, 40, 60, 260) libraries are affected by the Spectre & Meltdown processor bugs. Processors used in ETERNUS LT products are ARM Core based, but none are affected.
The processors used in Brocade SAN switch products are affected; however, Brocade SAN products will only load and run officially signed Fabric OS firmware. Since only an officially signed and validated Fabric OS code image is allowed to run on Brocade SAN hardware, the SAN switch products are not exploitable with respect to this specific set of vulnerabilities.
The ETERNUS CD10000 appliances also use Intel processors. However, they are not affected by this security issue since they are self-contained data protection appliances. Only ETERNUS CD10000 specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted.
CVE Reference:
Side-Channel Analysis Method
CVE Number | Name
CVE-2017-5715 | Spectre (branch target injection), mitigated by microcode update
CVE-2017-5753 | Spectre (bounds check bypass), mitigated by OS level fix
CVE-2017-5754 | Meltdown (rogue data cache load), mitigated by OS level fix
Technical Details:
Technical details of the exploits are documented online:
Mitigation:
Referring to the recommendations made by third-party suppliers, Fujitsu strongly advises all customers to update affected products. Updates are provided through an updated version of the BIOS and the necessary patches for the dedicated operating system. Under some circumstances, enabling these updates may affect performance. The actual performance impact will depend on multiple factors, such as the specific CPU generation in your physical host and the system load (used application).
Fujitsu recommends that customers assess the performance impact for their system environment and make necessary adjustments.

The security of our products and our customers’ data is the number one priority for Fujitsu. We are continuing to work with our partners in the industry to minimize any potential performance impact.

Fujitsu highly recommends that customers ensure that systems are physically secured where possible, and follow good security practices to ensure that only authorized personnel have access to devices.
Update via BIOS:
Step 1: Determine whether you have an affected system.
Refer to the list of affected Fujitsu systems. This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.
Step 2: Download and install the BIOS update package.
To download and install the BIOS update package, please go to the Fujitsu support page and follow these steps:
  • Select “Browse for Product”
  • Select “product line”
  • Select “product group” and “product family”
  • Download and install the latest BIOS update package
Should you require any further information, please contact: G02D-psirt@ts.fujitsu.com.
Selected links for operating system patches:
Microsoft Windows
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
Microsoft Server
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Red Hat
Red Hat has released several advisories/updates for Red Hat products.
Please find further information on the Red Hat security page:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
Citrix XenServer
Citrix has released a security bulletin for XenServer.
Please find further information on the Citrix security page:
https://support.citrix.com/article/CTX231390
Information for further Citrix products can be found here:
https://support.citrix.com/article/CTX231399
VMware
VMware has released a security advisory for ESXi and other products.
Please find further information on the VMware security page:
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
SUSE
https://www.suse.com/security/cve/CVE-2017-5753/
https://www.suse.com/security/cve/CVE-2017-5715/
https://www.suse.com/security/cve/CVE-2017-5754/
myelux
http://www.unicon-software.com/en/home-en/protect-measures/
ORACLE Linux
https://linux.oracle.com/cve/CVE-2017-5715.html
https://linux.oracle.com/cve/CVE-2017-5753.html
https://linux.oracle.com/cve/CVE-2017-5754.html
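To confirm on a Linux host that the BIOS/microcode and operating system updates described above have taken effect, the following added example (not part of the Fujitsu communication) reads the kernel's per-issue status files and labels each with the CVE and fix type from the CVE table. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Status file names are the Linux kernel's; the function
# names and the sample directory below are constructed for illustration.

# CVE and fix type for each status file, as given in the advisory's CVE table.
cve_for() {
  case "$1" in
    spectre_v1) echo "CVE-2017-5753 os-fix" ;;
    spectre_v2) echo "CVE-2017-5715 microcode" ;;
    meltdown)   echo "CVE-2017-5754 os-fix" ;;
  esac
}

# Classify one status file by the first line the kernel reports.
classify() {
  [ -r "$1" ] || { echo "UNKNOWN"; return 0; }  # file absent: kernel does not report it
  IFS= read -r line < "$1" || true              # tolerate a missing trailing newline
  case "$line" in
    "Not affected"*) echo "NOT_AFFECTED" ;;
    "Mitigation:"*)  echo "MITIGATED" ;;
    "Vulnerable"*)   echo "VULNERABLE" ;;
    *)               echo "UNKNOWN" ;;
  esac
}

# One line per issue: CVE, fix type, status file, classification.
report() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  for name in spectre_v1 spectre_v2 meltdown; do
    echo "$(cve_for "$name") $name $(classify "$dir/$name")"
  done
}

# Number of issues that still need an update or a manual check.
needs_action() {
  report "${1:-}" | grep -c -E ' (VULNERABLE|UNKNOWN)$' || true
}

# Constructed sample: OS patches installed, BIOS/microcode update still pending.
sample=$(mktemp -d)
printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
printf 'Vulnerable\n' > "$sample/spectre_v2"
printf 'Mitigation: PTI\n' > "$sample/meltdown"
report "$sample"
echo "issues needing action: $(needs_action "$sample")"
```

Calling `report` with no argument reads the status files of the host it runs on; an UNKNOWN result means the kernel does not expose the file and the patch level has to be checked against the distribution's advisory instead.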
Note:
All details of this communication have been prepared with care, based on the information available to Fujitsu at the time of publication. Fujitsu recommends that customers determine the applicability of this communication to their individual situations and take appropriate measures. However, Fujitsu does not warrant that this communication is accurate or complete for all customer situations. Fujitsu will not be responsible for any damages or other negative effects resulting from customer's use of this communication. All details of this communication are provided “as is” without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu assumes no liability with respect to the information and materials provided on such websites.
Designations may be trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.