Side-Channel Analysis Method (Spectre & Meltdown) Security Review

Fujitsu Communication

Original release: 10.01.2018
Latest Update: 02.03.2018
Reference: Security vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, SA-00088)
Malicious code utilizing a new method of side-channel analysis and running locally on a normally operating platform has the potential to allow the inference of data values from memory. This issue takes advantage of techniques commonly used in many modern processor architectures and concerns the microprocessors of third party manufacturers Fujitsu has integrated into its products.
Potential impact:
According to the information provided by the third-party manufacturers of the microprocessors, the potential impact is:

Elevation of Privilege / Information Disclosure

The exploits do not have the potential to corrupt, modify or delete data.
Affected Fujitsu products:
A number of Fujitsu products incorporating microprocessors manufactured by certain third-party suppliers are affected by these vulnerabilities. Fujitsu has asked its suppliers to provide patches as soon as possible for all affected products that are currently supported (as included in the list of affected systems provided under the link below). Older systems that are no longer supported will not be patched.
Client Computing Devices and PRIMERGY/PRIMEQUEST
An overview of the affected Client Computing Devices and PRIMERGY/PRIMEQUEST products can be found here:
List of affected systems
Fujitsu BS2000 Products
BS2000 Mainframes using /390 processors are not affected by this security issue.

Some of the BS2000 Mainframes use Intel processors. However, they are not affected, as they run only system software provided by Fujitsu. The system software transforms user-created BS2000 applications into x86 programs. As a result, users cannot run their own x86 code to exploit the flaws. BS2000 systems therefore do not need the additional security patches.

For some optional BS2000 server components, such as Application Units, customers use operating systems or hypervisors other than BS2000 or VM2000. These customers should promptly review the respective manufacturer’s recommendations regarding deploying patches.

Fujitsu continues to monitor potential security issues for BS2000 products.
Fujitsu Storage Products
ETERNUS CS (CS200c, CS800, CS8000) appliances also use Intel processors. However, they are not affected by this security issue because they are self-contained data protection appliances. Only ETERNUS CS specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted.

ETERNUS DX and AF series products are not affected by this vulnerability because no external program can be executed on them.

None of the ETERNUS LT (20, 40, 60, 260) libraries are affected by the Spectre & Meltdown processor bugs.

Processors used in ETERNUS LT products are ARM Core based, but none are affected.
The processors used in Brocade SAN switch products are affected. However, Brocade SAN products will only load and run officially signed Fabric OS firmware. Since only an officially signed and validated Fabric OS code image is allowed to run on Brocade SAN hardware, the SAN switch products are not exploitable with respect to this specific set of vulnerabilities.

ETERNUS CD10000 appliances also use Intel processors. However, they are not affected by this security issue since they are self-contained data protection appliances. Only ETERNUS CD10000 specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted.
Fujitsu SPARC Servers
Please see http://www.fujitsu.com/global/support/products/software/security/products-f/jvn-93823979e.html and/or https://support.oracle.com/.
CVE Reference:
Side-Channel Analysis Method
CVE Number | Name
CVE-2017-5715 | Spectre (branch target injection), mitigated by microcode update
CVE-2017-5753 | Spectre (bounds check bypass), mitigated by OS level fix
CVE-2017-5754 | Meltdown (rogue data cache load), mitigated by OS level fix
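To confirm on a Linux host that the microcode and OS level fixes listed above are active, the kernel's per-issue status files can be read. The script below is an added example, not part of Fujitsu's communication; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (4.15 or a vendor backport), and the names classify, report and VULN_DIR are the example's own.

```shell
#!/bin/sh
# Added example: map the three CVEs in the table to the kernel's sysfs
# status files and report whether each one is mitigated on this host.
# VULN_DIR can be overridden to run the check against saved copies.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify NAME -> prints mitigated | not-affected | vulnerable | unknown
classify() {
    f="$VULN_DIR/$1"
    # A missing file means the kernel predates the interface: state unknown.
    [ -r "$f" ] || { echo unknown; return; }
    line=$(cat "$f")
    case "$line" in
        # Checked first and anywhere in the line, so a partly mitigated
        # state that still reports a vulnerable sub-item is not passed.
        *[Vv]ulnerable*) echo vulnerable ;;
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# report -> one line per CVE; exit status 1 if any is vulnerable or unknown
report() {
    rc=0
    for pair in "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5754:meltdown"; do
        cve=${pair%%:*}
        name=${pair#*:}
        state=$(classify "$name")
        printf '%s %s %s\n' "$cve" "$name" "$state"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Run the check only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    report
    exit $?
fi
```

An "unknown" result is treated as a failure because a kernel too old to expose these files is also too old to carry the fixes without a vendor backport.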
Technical Details:
Technical details of the exploits are documented online:
Mitigation:
Fujitsu strongly advises all customers to monitor and review the information and recommendations provided by the relevant third party suppliers of microprocessors, operating systems and hypervisors regarding the updates they provide for the affected products. If the deployment of the mitigation solutions provided by the third party suppliers requires a BIOS update provided by such suppliers, Fujitsu will provide such updated version of the BIOS to its customers. According to the information provided by Fujitsu’s suppliers, under some circumstances, enabling these updates by the customer may affect performance. The actual performance impact will depend on multiple factors, such as the specific CPU generation in your physical host and the system load (used application(s)).

The security of our products and our customers’ data is the number one priority for Fujitsu. We are continuing to work with our suppliers in the industry to support their efforts to minimize any potential performance impact resulting from the solutions our suppliers provide.

Fujitsu highly recommends that customers ensure that systems are physically secured where possible, and follow state-of-the-art security practices to ensure that only authorized personnel have access to devices.
Regarding the potential performance impact of mitigations:
The following suppliers have issued information on their websites to support the understanding of the potential performance impact of Spectre and Meltdown mitigations:
Intel
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
Microsoft
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
Red Hat
https://access.redhat.com/articles/3307751
Update via BIOS:
Step 1: Determine whether you have an affected system.
Refer to the list of affected Fujitsu systems. This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.
Step 2: Download and install the BIOS update package.
To download and install the BIOS update package, please go to the Fujitsu support page and follow these steps:
  • Select “Browse for Product”
  • Select “product line”
  • Select “product group” and “product family”
  • Download and install the latest BIOS update package
Should you require any further information, please contact: G02D-psirt@ts.fujitsu.com.
Selected links for operating system patches:
Microsoft Windows
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
https://blogs.windows.com/windowsexperience/2018/03/01/update-on-spectre-and-meltdown-security-updates-for-windows-devices/#2AKOTwKKuK0WHLpl.97
https://support.microsoft.com/de-de/help/4090007/intel-microcode-updates
Microsoft Server
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Red Hat
Red Hat has released several advisories/updates for Red Hat products.
Please find further information on the Red Hat security page:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
Citrix XenServer
Citrix has released a security bulletin for XenServer.
Please find further information on the Citrix security page:
https://support.citrix.com/article/CTX231390
Information for further Citrix products can be found here:
https://support.citrix.com/article/CTX231399
VMware
VMware has released a security advisory for ESXi and other products.
Please find further information on the VMware security page:
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
SUSE
https://www.suse.com/security/cve/CVE-2017-5753/
https://www.suse.com/security/cve/CVE-2017-5715/
https://www.suse.com/security/cve/CVE-2017-5754/
myelux
http://www.unicon-software.com/en/home-en/protect-measures/
ORACLE Linux
https://linux.oracle.com/cve/CVE-2017-5715.html
https://linux.oracle.com/cve/CVE-2017-5753.html
https://linux.oracle.com/cve/CVE-2017-5754.html
Should you require any further information, please contact: G02D-psirt@ts.fujitsu.com.
Note:
Fujitsu does not manufacture the affected microprocessors that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors. Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.
Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.