Red Hat has released updates that roll back its previous fix patches vulnerabilitys Specter (Variant 2, also known as CVE-2017-5715), when the company's customers reported that some systems were failing to boot.
"Red Hat no longer provides microcodes to deal with Specter, in variant 2, because of the unbalanced factors that have created and are causing our clients' systems to start up." the company said.
Instead of updating, Red Hat recommends that each customer contact the OEM hardware provider to repair the CVE-2017-5715 vulnerability by system.
In addition to the Red Hat distribution Enterprise Linux, και άλλες διανομές με βάση το RHEL, όπως το CentOS και το Scientific Linux, θα επηρεαστούν από την απόφαση της Red Hat να επαναφέρει τις προηγούμενες ενημερώσεις για το Specter Variant 2. Έτσι όλοι όσοι χρησιμοποιούν RHEL και forks της διανομής θα πρέπει επίσης να επικοινωνήσουν με τους πωλητές CPU/OEM.
Remember that CVE-2017-5715 is the identification number for one of the three errors known as Meltdown (CVE-2017-5754) and Specter (Variant 1 - CVE-2017-5753, but also Variant 2 - CVE-2017- 5715).
Οι περισσότεροι εμπειρογνώμονες ανέφεραν ότι μόνο το Meltdown και το Specter Variant 1 θα μπορούσαν θεωρητικά να αντιμετωπιστούν μέσω μιας ενημερωμένης έκδοσης του OS, αλλά το Specter Variant 2 απαιτεί παράλληλες ενημερώσεις στα firmware/BIOS/microcode to fully repair it.
As we have said to you previous publication, Werner Haas, a Cyberus Technology spokesman and member of one of the three independent groups that discovered and reported Meltdown, said that achieving total protection against Specter is not simple and probably involves an "ongoing process" with corrections to software and hardware modifications.
"The [Specter] attack scenario is not so simple, as it is very likely that there will be cross-application "without even the involvement of the OS," said Haas.
"Therefore, a general solution like Meltdown seems unlikely. Therefore, I expect combined repairs to hardware / software defects along with the warning that the fight against Spectre will be an ongoing process. "
The Specter repair process is complex and difficult for all hardware vendors and software. So Red Hat's withdrawal of updates and the company's suggestion of patching by CPU manufacturers and OEMs is no surprise.
Microsoft had to stop developing Specter updates on AMD computers after they encountered similar problems that prevented PCs from booting. The company released these updates much later after working with AMD to troubleshoot.
Intel faces the same problems in older Broadwell and Haswell processors.
Let us mention that immediately after the announcement of the vulnerabilities CERT announced that the only way to repair Meltdown and Spectre was to replace the CPU.
"The underlying vulnerability is mainly driven by CPU architecture design choices," CERT researchers wrote. "The complete removal of the vulnerability requires the replacement of the vulnerable CPU."
A little later, and without knowing who was playing under the table, CERT recalled, and an Intel representative Agnes Kwan said: "CERT updated the vulnerability note to correct some inaccuracies."
Of course, we would not expect Intel to declare anything different, since the CERT report's assumption would cause strong turbulence in the company, with the corresponding cost.
