Fujitsu Technical Support pages from Fujitsu EMEA
Fujitsu PSIRT — Security Advisories (2018)

2018.3 INTEL QUARTERLY SECURITY RELEASE (QSR)
Intel 2018.3 QSR covering Intel® SGX and Intel® Processor Microcode (MCU) updates (Intel® Speculative Execution Side Channel Update / L1 Terminal Fault (L1TF))

Fujitsu Communication

Original release: August 22, 2018
Last Update: June 9, 2021
Fujitsu PSIRT ID: PMD-IS-2018-082200


Advisory Description

Speculative execution side-channel method called L1 Terminal Fault (L1TF): (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646, INTEL-SA-00161)
This method impacts select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX). Further investigation by Intel has identified two related applications of L1TF with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software. If used for malicious purposes, this class of vulnerability has the potential to improperly infer data values from multiple types of computing devices.

CVE Reference (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646):
CVE Number       CVSS
CVE-2018-3615    7.3 High CVSS:3.0
CVE-2018-3620    6.5 High CVSS:3.0
CVE-2018-3646    6.5 High CVSS:3.0

CERT Vulnerability Notes Database Reference: (VU#982149)

Recommendations:
Our supplier Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop platform firmware and software updates that can help protect systems from these methods.

This includes the release of updated Intel microprocessor microcode to our customers and partners. This microcode was previously released as part of INTEL-SA-00115.

Please refer to our already published web page:

Intel Q2 Security Update on Side-Channel Analysis Method Vulnerability
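
Once the firmware and operating system updates are installed on a Linux host, the kernel reports its L1TF state in sysfs, which can be used to confirm the result. The script below is an added example, not part of the Fujitsu advisory: it handles the status strings documented for the Linux kernel's l1tf sysfs file, the sample lines are constructed, and the category names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: classify the Linux kernel's L1TF status line from sysfs.
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# classify_l1tf LINE prints one category (names are this example's own):
#   not_affected           CPU is not susceptible
#   vulnerable             no kernel mitigation active
#   host_only              host PTE inversion on, KVM guests can still attack
#   mitigated_smt_exposed  L1D flushed on VM entry, but a sibling hyperthread
#                          can still observe L1D contents
#   mitigated              host and virtualization mitigations in place
#   unknown                unrecognized text (e.g. kernel without L1TF patches)
classify_l1tf() {
    line=$1
    case $line in
        "Not affected"*)              echo not_affected; return ;;
        "Vulnerable"*)                echo vulnerable;   return ;;
        "Mitigation: PTE Inversion"*) ;;                 # inspect VMX part below
        *)                            echo unknown;      return ;;
    esac
    case $line in
        *"VMX: vulnerable"*)   echo host_only ;;
        *"VMX: EPT disabled"*) echo mitigated ;;
        *"VMX: "*"cache flushes"*)
            case $line in
                *"SMT vulnerable"*) echo mitigated_smt_exposed ;;
                *)                  echo mitigated ;;
            esac ;;
        *) echo mitigated ;;   # no VMX field reported: only the host side applies
    esac
}

# Constructed sample lines in the kernel's documented format.
for sample in \
    "Not affected" \
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" \
    "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled" \
    "Mitigation: PTE Inversion; VMX: vulnerable"
do
    printf '%-22s %s\n' "$(classify_l1tf "$sample")" "$sample"
done

# On a real host, classify the live value if the kernel exposes it.
if [ -r "$L1TF_SYSFS" ]; then
    printf 'this host: %s\n' "$(classify_l1tf "$(cat "$L1TF_SYSFS")")"
else
    echo "this host: $L1TF_SYSFS not present (kernel predates the L1TF patches or is not Linux)"
fi
```

A result of `host_only` or `mitigated_smt_exposed` on a virtualization host means the hypervisor vendor's guidance linked under the operating system patches still has steps to apply.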

Affected Fujitsu products:
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

An overview of the affected Client Computing Devices and PRIMERGY/PRIMEQUEST products can be found here:

List of affected systems

This page will be updated regularly as soon as new information is available.

In addition, Fujitsu highly recommends system owners ensure that systems are physically secured where possible, and follow good security practices to ensure that only authorized personnel have hands-on access to devices.

Technical Details:
Technical details of the exploits are documented online:
Selected links for operating system patches:
Red Hat:
https://access.redhat.com/security/vulnerabilities/L1TF
https://access.redhat.com/security/cve/cve-2018-3615
https://access.redhat.com/security/cve/cve-2018-3620
https://access.redhat.com/security/cve/cve-2018-3646

VMware:
https://kb.vmware.com/s/article/55636
https://www.vmware.com/security/advisories/VMSA-2018-0020.html
https://www.vmware.com/security/advisories/VMSA-2018-0021.html

SUSE:
https://www.suse.com/support/kb/doc/?id=7023077
https://www.suse.com/support/kb/doc/?id=7023078
https://www.suse.com/c/suse-addresses-the-l1-terminal-fault-issue/
https://www.suse.com/security/cve/CVE-2018-3615/
https://www.suse.com/security/cve/CVE-2018-3620/
https://www.suse.com/security/cve/CVE-2018-3646/

Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018
https://support.microsoft.com/en-us/help/4457951/windows-server-guidance-to-protect-against-l1-terminal-fault

Citrix:
https://support.citrix.com/article/CTX236548


Further Information

Contact Details
Should you require any further security-related assistance, please contact: Fujitsu-PSIRT@ts.fujitsu.com.
Legal Statement
Fujitsu does not manufacture the affected microprocessors, which Fujitsu buys from third-party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third-party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.