CPU Issues

Contents

1. Jan2017 Issues

1.1 Meltdown, Spectre and speculative execution issues

1.1.1 The Issue

The basic issue is that speculative execution affects the cpu state even for intstructions we do not have permission to execute which allows indirect inference of values in kernel memory i.e. reading kernel memory

The list of issues is:

Codename CVE Type
Spectre CVE-2017-5753 bounds check bypass
Spectre CVE-2017-5715 branch target injection
Meltdown CVE-2017-5754 rogue data cache load

Explainations are at:

Owner Reference
Google Project Zero Project Zero
Klaus Aschenbrenner Understanding the Meltdown exploit – in my own simple words

Proof of concept Windows Exploit code is at code for the cache-attack

As per Meltdown, Spectre bug patch slowdown gets real – and what you can do about itvarious groups have reported slowdowns between 1 and 45 percent

1.1.2 Cloud Platforms

1.1.2.1 Azure VMs

Azure VMS in Western Europe were down following patching Azure VMs borked following Meltdown patch, er, meltdown

Advice from Microsoft for Azure VMS is at Securing Azure customers from CPU vulnerability

There is also a KB article at Microsoft cloud protections against speculative execution side-channel vulnerabilities

1.1.2.2 AWS

As per Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

"Amazon has updated its AWS Linux guest kernels to protect customers against Meltdown."Processor Speculative Execution Research Disclosure

Amazon VMS reported slowdowns after patching Amazon: Intel Meltdown patch will slow down your AWS EC2 server

1.1.2.3 Google Cloud

Google has advice at What Google Cloud, G Suite and Chrome customers need to know about the industry-wide CPU vulnerability

1.1.3 Hypervisor fixes

1.1.3.1 VMWare

VMWare has a security announcement at [Security-announce] NEW VMSA VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution

There is also an entry on the VMware Security & Compliance Blog at VMSA-2018-0002

There are also updates for ESXi, Workstation and Fusion at VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

UPDATE Jan 10: Even though this lists VMware Workstation 14.x as unaffected VMware Workstation 14.1.1 Pro Release Notes mentions "This update of VMware Workstation Pro exposes hardware support for branch target injection mitigation to VMware guests. This hardware is used by some guest operating systems to mitigate CVE-2018-5715 (also called by the name "Spectre")."

"For Guest Operating Systems to be able to use hardware support for branch target injection mitigation, the following steps must be taken:

"

UPDATE Jan 11: Even though this lists VMware Fusion 10.x as unaffected VMware Fusion 10.1.1 Release Notes mentions "This update of VMware Fusion exposes hardware support for branch target injection mitigation to VMware guests. This hardware is used by some guest operating systems to mitigate CVE-2018-5715 (also called by the name "Spectre").."

"For Guest Operating Systems to be able to use hardware support for branch target injection mitigation, the following steps must be taken:

UPDATE Jan 12: VMWare has a new security announcement at VMSA-2018-0004 VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue

Also there is a knowledge base article at VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245)

VMware is providing several versions of the required microcode from INTEL and AMD through ESXi patches listed in the table. See Hypervisor-Assisted Guest Mitigation for branch target injection (52085) for more details.

The new versions of vCenter Server set restrictions on ESXi hosts joining an Enhanced vMotion Cluster See Hypervisor-Assisted Guest Mitigation for branch target injection (52085) for more details.

From VMware Knowledge Base article 52085:

To enable hardware support for branch target mitigation in vSphere, apply these steps, in the order shown:

To enable hardware support for branch target mitigation in Workstation/Fusion, the following steps should be followed:

  • Apply the Microcode/BIOS updates for CVE-2017-5715 from your platform vendor
  • For each virtual machine, enable Hypervisor-Assisted Guest mitigation via the following steps:

    1.1.3.2 Xen

    Xen have an advisory at Advisory XSA-254

    1.1.4 Operating System fixes

    1.1.4.1 Microsoft Windows

    The Microsoft Security Advisory covering Windows,SQL Server,Internet Explorer and Microsoft Edge is at: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities Security Advisory

    UPDATE Jan 10: As per Endpoint Protection system tray icon reports multiple errors after applying Windows security updates from 1/3/2018 Symantec "recommends that the Microsoft Windows Security Updates released on January 3rd, 2018 updates not be applied to systems until a hotfix is available for the affected versions.".

    "After applying Microsoft Windows security updates released on January 3rd, 2018, the Symantec Endpoint Protection (SEP) system tray icon reports there are multiple problems. No errors are reported if the SEP client UI is opened."

    "At this time, this issue has no functional impact on the protection technology of the SEP client."

    As per Twitter from Adam Licata Principal Product Manager for Endpoint Security at Symantec "The UI fix is undergoing QA testing this week and will be released soon"

    UPDATE: 10 Jan - Kevin Beaumont has a spreadsheet with a list of anti-virus products and patch compatability at Twitter

    Microsoft has issued patches for:

    Operating System Reference
    Windows 10 January 3, 2018—KB4056892 (OS Build 16299.192)UPDATE Jan 10th, pulled for some AMD devices, see below
    Windows Server 2008,2008R2,2012,2012 R2,2016,1709 Server Core https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    The Windows 10 fix is currently pulled for some AMD devices

    UPDATE Jan 9th, this can brick AMD Althon 64 Pc's It gets worse: Microsoft’s Spectre-fixer bricks some AMD PCs

    UPDATE Jan 10th Windows operating system security update block for some AMD based devices "Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible."

    If the machine is in an unbootable state see the following resources to help:

    Operating System Reference
    Windows 10 Troubleshoot blue screen errors
    Windows 8.1 Resolving Blue Screen errors in Windows
    Windows 7 Resolving stop (blue screen) errors in Windows 7

    Certain registry keys need to be set to activate the fixes

    These are in links from the table above however for reference they are

    On Windows 10 there have been blue screens due to certain anti-virus software, once confirmed the anti-virus sofrware is fixed the following registry key is needed

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0
    

    On Windows server due to performance issues, to activate the fixes 3 registry keys need to be set

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
    

    Then if this is a Hyper-V host: fully shutdown all Virtual Machines.

    Restart the server for changes to take effect.

    To then disable the fix only 2 registry changes are needed:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
    

    Restart the server for changes to take effect.

    For Hyper-V hosts, live migration between patched and unpatched hosts may fail: see Protecting guest virtual machines from CVE-2017-5715 (branch target injection)

    Also as per More stuff broken amid Microsoft's efforts to fix Meltdown/Spectre vulns "Unless the antivirus compatibility registry key is set, Windows Update will not delivery January's or any future security updates."

    The registry key and antivirus vendors

    As per CPU bug patch saga: Antivirus tools caught with their hands in the Windows cookie jar

    Checking the fix has been applied

    The simplest test for the fix having been applied is

    NOTE: "In addition to installing the January security update, a processor microcode update is required. This should be available through your OEM."

    NOTE Also that as per More stuff broken amid Microsoft's efforts to fix Meltdown/Spectre vulns these updates break both the PulseSecure VPN client and Sandboxie, the sandbox-based isolation program developed by Sophos.

    PulseSecure has a workaround for Windows 10 and Windows 8.1 but not Windows 7 at KB43600 - After installing January 3, 2018 Microsoft Patches, Pulse client connections fail when Host Checker is applied

    Sandboxie has an updated BETA client available at 5.23 Beta Available (latest version 5.23.3)

    As per Intel, Microsoft confess: Meltdown, Spectre may slow your servers Microsoft have confirmed slowdown after applying the patches"

    Terry Myerson, president of Microsoft's Windows and device group confirmed in Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems that some slowdown is expected:

    Operating System Processor Impact
    Windows 10 Newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU) Benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
    Windows 10 Older silicon (2015-era PCs with Haswell or older CPU) Some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
    Windows 8 and Windows 7 older silicon (2015-era PCs with Haswell or older CPU) we expect most users to notice a decrease in system performance.
    Windows Server any silicon (processor) Any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.

    "For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation."

    "Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel."

    1.1.4.2 Linux kernel patches

    As per Meltdown and Spectre Linux Kernel Status

    Meltdown - x86 "If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck."

    Meltdown - ARM "Right now the ARM64 set of patches for the Meltdown issue are not merged into Linus’s tree. They are staged and ready to be merged into 4.16-rc1 once 4.15 is released in a few weeks."

    Due to them not being in a released kernel, if you rely on ARM64 for your systems (i.e. Android), I point you at the Android Common Kernel tree All of the ARM64 fixes have been merged into the 3.18, 4.4, and 4.9 branches as of this point in time."

    "For the 4.4 and 4.9 LTS kernels, odds are these patches will never get merged into them, due to the large number of prerequisite patches required. All of those prerequisite patches have been long merged and tested in the android-common kernels, so I think it is a better idea to just rely on those kernel branches instead of the LTS release for ARM systems at this point in time."

    Spectre "For upstream, well, the status is there is no fixes merged into any upstream tree for these types of issues yet."

    1.1.4.3 Redhat Linux

    Redhat has patches under "Resolve" at Kernel Side-Channel Attacks - CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

    Discussion regarding the performance impact of patches is at Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715

    1.1.4.4 SuSE Linux

    SuSE Linux patches are at Security Vulnerability: "Meltdown" and "Spectre" side channel attacks against modern CPUs.

    The SuSE Linux response to the issues is at SUSE Addresses Meltdown and Spectre Vulnerabilities

    1.1.4.5 openSUSE Linux

    OpenSUSE status is at Current Status: openSUSE and “Spectre” & “Meltdown” vulnerabilities

    1.1.4.6 Ubuntu Linux

    Ubuntu has a response to the issues at Information Leak via speculative execution side channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 aka Spectre and Meltdown)

    Patches will appear under Ubuntu security notices

    Currently we only see USN-3516-1: Firefox vulnerabilities

    1.1.4.7 Apple

    Apple have security update information at About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

    1.1.4.8 Chrome OS

    As per How to protect your PC from the major Meltdown and Spectre CPU flaws "Chromebooks should have already updated to Chrome OS 63 in December. It contains mitigations against the CPU flaws."

    As per How to fix Meltdown and Spectre security flaws on Chromebooks

    Check Chrome OS devices and kernel versions and "check that it says ‘yes’ in the last column".

    1.1.4.9 AIX and IBM i operating system

    UPDATE 10th Jan: Potential Impact on Processors in the POWER family

    has been updated - "AIX and IBM i operating system patches will be available February 12. Information will be available via PSIRT."

    Also "The firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective"

    1.1.4.10 1.1.4.10 Google Android including Pixel and Nexus devices

    As per Android Security Bulletin—January 2018 "Security patch levels of 2018-01-05 or later address all of these issues"

    There is a seperate bulletin for Pixel/Nexus devices at Pixel?/?Nexus Security Bulletins

    1.1.4.11 1.1.4.11 Oracle Linux

    As per Intel’s Meltdown fix freaked out some Broadwells, Haswells

    "Oracle has patched its Linux, but has told us it has “No comment/statement on this as of now” in response to our query about its x86 systems, x86 cloud, Linux and Solaris on x86. The no comment regarding Linux is odd as fixes for Oracle Linux landed...on January 9th.

    The Oracle Linux patches are at ELSA-2018-4006 - Unbreakable Enterprise kernel security update

    1.1.5 Userland fixes

    1.1.5.1 Microsoft SQL Server

    As per Guide to protect SQL Server against speculative execution side-channel vulnerabilities

    This mentions untrusted SQL Server extensibility mechanisms

    The fixes available are:

    Version Reference
    SQL Server 2017 CU3 Security Update for SQL Server 2017 CU (KB4058562) These security updates are also the regularly scheduled Cumulative Update.
    SQL Server 2017 GDR Security Update for SQL Server 2017 RTM (KB4057122)
    SQL Server 2016 SP1 CU7 Security Update for SQL Server 2016 SP1 CU (KB4058561) (These security updates are also the regularly scheduled Cumulative Update.)
    SQL Server 2016 SP1 GDR Security Update for SQL Server 2016 SP1 (KB4057118)

    NOTE: These are only for Windows! "The Microsoft Download Center will be updated with the remaining SQL Server versions as they become available in coming days/weeks, including SQL Server for Linux."

    For SQL Server 2017 on Windows, CU3 may already been installed as part of Windows OS patchs: see Cumulative Update 3 for SQL Server 2017

    1.1.5.2 Chrome browser

    As per Actions required to mitigate Speculative Side-Channel Attack techniques"Chrome allows users to enable an optional feature called Site Isolation which mitigates exploitation of these vulnerabilities."

    "Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018."

    "In line with other browsers, Chrome will disable SharedArrayBuffer starting on Jan 5th, and modify the behavior of other APIs such as performance.now, to help reduce the efficacy of speculative side-channel attacks. This is intended as a temporary measure until other mitigations are in place."

    1.1.5.3 Firefox browser

    Firefox has fixes available in all release channels starting with 57 at Mitigations landing for new class of timing attack

    Mozzila has an advisory at Speculative execution side-channel attack ("Spectre")

    "Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. The precision of performance.now() has been reduced from 5µs to 20µs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer."

    "Db2 will be impacted by any performance degradation caused by patches to other system components used by Db2. An assessment of the degree of impact on Db2 performance will be conducted. We will provide further information on this aspect as it becomes available."

    "SharedArrayBuffer is already disabled in Firefox 52 ESR."

    1.1.5.4 Microsoft Edge and Internet Explorer browsers

    Microsoft browsers fixes are included in the Windows 10 and Window server OS patches above

    1.1.5.5 IBM Db2

    As per Twitter from Paul Bird Senior Technical Staff Member IBM Toronto Lab, Lead Architect for DB2 for LUW server in areas of workload management, security, monitoring, and general SQL processing - "From a Db2 perspective, we don't see any Db2 patches needed at this time".

    He recommends applying OS and firmware patches potentially via IBM BigFix as per IBM Insights and Recommendations on the CPU Vulnerability

    UDPATE: Jan 14 Central Processor Unit (CPU) Architectural Design Flaws - additional guidance for Db2 customers

    "At this time, we are not aware of any specific security exposures within Db2 itself on this issue."

    1.1.5.6 Microsoft and antivirus programs

    Microsoft has advice on anti-virus program at Important: Windows security updates released January 3, 2018, and antivirus software

    Also see 1.1.4.1 Microsoft Windows section "The registry key and antivirus vendors"

    1.1.5.7 Symantec

    For Symantec enterprise software and hardware products see Meltdown and Spectre: Are Symantec Products Affected?

    1.1.5.8 Norton

    For Symantec Norton products see Meltdown and Spectre vulnerabilities affect billions of devices

    1.1.6 Firmware/processor microcode fixes

    1.1.6.1 Intel CPUS

    As per Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

    "It affects potentially all out-of-order execution Intel processors since 1995, except Itanium and pre-2013 Atoms."

    "It definitely affects out-of-order x86-64 Intel CPUs since 2011."

    Affected Intel CPUS are listed at Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method

    Also check Intel Security Advisories under Security Advisories

    Intel has an analysis of the issue in a PDF at Intel Analysis of Speculative Execution Side Channels

    UPDATE: Jan 10 Under Downloads for Processors and then Linux* Processor Microcode Data File there is a new Linux* Processor Microcode Data File dated Jan 8!

    On Linux putting this in /etc/firmware and rebooting WOULD apply the file, supported processors include the one for my Intel BOXNUC6i7KYK3 i7-6770HQ NUC Kit - "Intel® Core™ i7-6770HQ Processor (6M Cache, up to 3.50 GHz)"! There is no documentation on that page, will let others try it first!

    UPDATE : Jan 12 Intel has reported stability issues after the patches are applied with high end systems rebooting at Intel Security Issue Update: Addressing Reboot Issues "Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center."

    1.1.6.2 AMD CPUS

    AMD has an advisory at An Update on AMD Processor Security

    There are additional known issues for AMD CPUS via the AMD's Platform Security Processor (PSP) see Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

    1.1.6.3 IBM Power

    Firmware and Linux patches will start to appear Jan 9 see Potential Impact on Processors in the POWER family

    UPDATE 9th Jan: IBM are holding off on releasing patches as per IBM melts down fixing Meltdown as processes and patches stutter

    UPDATE 10th Jan: Potential Impact on Processors in the POWER family

    has been updated - POWER7+ and POWER8 patches are available from Fix Central

    and "POWER9 patches will be available on January 15."

    1.1.6.4 IBM Z

    For IBM Z see The IBM Z Security Portal under Systems integrity

    UPDATE 9th Jan: IBM are holding off on releasing patches as per IBM melts down fixing Meltdown as processes and patches stutter

    1.1.6.5 IBM Storage appliances

    IBM Storage Appliances have been confirmed as not affected see Potential CPU Security Issue "IBM Storage appliances are not impacted by this vulnerability."

    1.1.6.6 Qualcomm CPU

    Qualcomm is also confirmed as affected see Qualcomm joins Intel, Apple, Arm, AMD in confirming its CPUs suffer hack bugs, too

    1.1.6.7 1.1.6.7 ARM CPUS<

    ARM has an advisory at Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism

    This advisory mentions "Only affected cores are listed, all other Arm cores are NOT affected."

    1.1.6.7 1.1.6.8 Fujitsu Sparc

    See the entry for Fujitsu

    1.1.7 Misc Vendor fixes

    1.1.7.1 Cisco

    As per CPU Side-Channel Information Disclosure Vulnerabilities"Cisco will release software updates that address these vulnerabilities"

    1.1.7.2 Dell

    Dell has 2 Knowledge Base articles, one for Servers,Storage and Networking Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)

    One for client hardware Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products

    1.1.7.3 Fujitsu

    As per CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)"Regarding this vulnerability, we are confirming the impact of our products and how to address it. Release of the first edition is scheduled for January 10, 2018."

    Fujitsu SPARC has published a PDF advice at Side-Channel Analysis Method (Spectre & Meltdown) Security Review List of affected Fujitsu Products

    1.1.7.4 Hewlett Packard Enterprise Product (HPE)

    As per Side Channel Analysis Method allows information disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

    This lists affected devices and mentions this "may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE"

    1.1.7.5 Huawei

    Affected devices are listed on Security Notice Security Notice - Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design and Huawei PSIRT will keep updating the SN

    There is a Security Advisory at Security Advisory - CPU Vulnerabilities 'Meltdown' and 'Spectre'

    1.1.7.6 Lenovo

    As per Reading Privileged Memory with a Side Channel Lenovo "will update this page frequently as fixes are released and new information emerges. Please check back often."

    Also "We recommend updating OS and firmware as soon as updates are available."

    1.1.7.7 Citrix

    As per Citrix XenServer Multiple Security Updates "The CPU speculative execution mitigations require system firmware/BIOS upgrades to be applied before becoming fully effective."

    For Variant 1 (CVE-2017-5753 'bounds check bypass'), Citrix is not currently aware of any exploit vectors in Citrix XenServer.

    Citrix has released hotfixes that contain mitigations for Variant 2 (CVE-2017-5715 'branch target injection') where an attacker running code in a guest VM may be able to read in-memory data from other VMs on the same host. This is independent of the CPU vendor:

    Version Reference Link
    Citrix XenServer 7.3 CTX230790 Hotfix XS73E001 - For XenServer 7.3
    Citrix XenServer 7.2 CTX230789 Hotfix XS72E013 - For XenServer 7.2
    Citrix XenServer 7.1 LTSR CU1 CTX230788 Hotfix XS71ECU1009 - For XenServer 7.1 Cumulative Update 1
    Citrix XenServer 7.0 N/A Citrix is actively working on a hotfix for this version. The above document will be updated when a hotfix is available.

    Note that these updates are not Livepatchable. Citrix is aware of a potential remaining issue for Variant 2 when using 32-bit PV guests and is actively working on an update for this issue but strongly recommends that customers that have deployed untrusted 32-bit PV guests consider transitioning to HVM-based guests.

    Customers using End of Maintenance versions of Citrix XenServer, i.e. Citrix XenServer version 6.0.2 Common Criteria, 6.2 SP1 and 6.5 SP1 are strongly recommended to upgrade to a more recent version.

    Citrix is actively working on additional mitigations for Variant 3 (CVE-2017-5754 ' rogue data cache load') where an attacker running code in a 64 bit PV guest VM running on an Intel CPU may be able to read in-memory data from other VMs on the same host, but strongly recommends that customers that have deployed untrusted 64-bit PV guests on Intel CPUs consider transitioning to HVM-based guests.

    1.1.7.8 Nutanix

    Nutanix has a PDF advisory for their products at Side-Channel Speculative Execution Vulnerabilities January 2018

    "Please check the Nutanix Support Portal for the latest update.

    1.1.7.9 NVIDIA

    NVIDIA have a security update at Security Bulletin: NVIDIA Driver Security Updates for CPU Speculative Side Channel Vulnerabilities

    1.1.8 References

    The following were also used to collect the information provided in this document:

    Source Reference
    Sqlskills Glen Berry Microsoft SQL Server Updates for Meltdown and Spectre Exploits
    SQLHA Alan Hirt The No Good, Terrible Processor Flaw and SQL Server Deployments – Nearly Everything You Need To Know
    Lenovo - many references under "Advisories and Patch Guidance:" Reading Privileged Memory with a Side Channel