Red Hat responds to Speculative Store Bypass and helps explain Variant 4 chip vulnerability

As news of yet another chip vulnerability creeps out, computer users, businesses and organizations around the world are trying to assess how the latest bug affects them. To help its users and others to understand what the Speculative Store Bypass/Variant 4 vulnerability means, Red Hat has issued advisories and an explanatory video.

The company also reveals exactly which of its Linux builds are affected by the security flaw and what steps can be taken as mitigation. In addition to this, Red Hat has put together a number of resources that help to "provide more context around this vulnerability from an open source technology perspective".

See also:

• Spectre and Meltdown variant 4: Microsoft, Google and Intel reveal new Speculative Store Bypass chip vulnerability
• Google will require OEMs to provide regular Android security updates
• Google's Project Zero reveals security flaw in Windows 10 S after Microsoft fails to fix it
• Is your smartphone lying to you about having the latest Android security updates?

Red Hat says that with the previous vulnerabilities, it worked with microprocessor vendors to create and release software workarounds engineered to prevent the conditions required to perform the attacks. It says that this is a role it has reprized with the Speculative Store Bypass vulnerability, working with the rest of the industry under embargo to help mitigate the problem.

The vice president of the operating system platform at Red Hat, Denise Dumas, issued a statement about the revelations, saying: "these vulnerabilities could allow a malicious actor to steal sensitive information from almost any computer, mobile device, or cloud deployment. Importantly, several technology industry leaders, including Red Hat, have worked together to create patches that correct this issue, underscoring the value of industry collaboration. It is key that everyone -- from consumers to enterprise IT organizations -- apply the security updates they receive. Because these security updates may affect system performance, Red Hat has included the ability to disable them selectively in order to better understand the impact on sensitive workloads."

Chris Robinson, manager of product security assurance at Red Hat, says:

This vulnerability (CVE-2018-3639) is the latest example of flaws discovered by a recent focus on the fundamental elements of modern computing, vulnerabilities that cross numerous hardware and software platforms. While the flaws require a sophisticated attacker to exploit, customers should act quickly to apply both hardware and software updates to reduce the risk of exploitation.

This issue impacts many CPU architectures along with many of the operating systems that enable this hardware. Working with other industry leaders, Red Hat has developed kernel security updates for our products to address these vulnerabilities and we are working to make these updates available to our customers and partners. Beyond code remediations, we are also providing information that our customers need to more quickly secure their physical systems, virtual images, and Linux container-based deployments.

To get you up to speed quickly, Red Hat has produced a 3-minute video that explains the latest security vulnerability.

Red Hat says that it will be releasing updates for the kernel, virtualization, and openjdk to take advantage of the new microcode features, although there's no word on exactly when this will happen.

Over on the Red Hat blog, there is an excellent description of the vulnerability, and there is also talk of the difficulty of mitigating against it:

Mitigating Speculative Store Buffer Bypass attacks is a complex topic. We could simply globally disable every speculative performance feature. But that would rapidly remove many decades worth of performance gains across the industry. And doing so wouldn’t necessarily make us any safer in the process because in most cases store buffer speculation is safe. This is because applications that rely upon process-level separations aren’t impacted by this vulnerability. Thus, a “big hammer” approach of disabling store buffer speculation would unfairly penalize all applications to protect just a few that could be exploited through a carefully crafted attack.

Rather than globally disable all performance features, the industry has come together to provide a range of options, including new APIs for use by sandbox code. In addition, a "big hammer" Speculative Store Buffer Bypass global disable option is available to those who want to use it. System Administrators wanting to globally disable Speculative Store Buffer Bypassing can do so quickly and easily through the new "speculative_store_bypass_disable" kernel parameter.

Work is on-going to help secure third-party applications, and this is a process that will continue for quite some time to come.