Red Hat released updates that reinstate previous Spectre Vulnerability patches (Variant 2, also known as CVE-2017-5715) when the company's customers reported that some systems failed to boot.
“Red Hat no longer provides microcode to address Spectre, in parchange 2, due to the unstable factors that have been created and are causing difficulties in booting our customers' systems,” the company said.
Instead of updating, Red Hat recommends that each customer contact the OEM hardware provider to repair the CVE-2017-5715 vulnerability by system.
In addition to Red Hat Enterprise Linux distribution, other RHEL-based distributions, such as CentOS and Scientific Linux, will be affected by Red Hat's decision to reinstate previous updates for Specter Variant 2. So anyone using RHEL and distribution forks should also contact the CPU / OEM vendors.
Remember that CVE-2017-5715 is the identification number for one of the three errors known as Meltdown (CVE-2017-5754) and Specter (Variant 1 - CVE-2017-5753, but also Variant 2 - CVE-2017- 5715).
Most experts said that only Meltdown and Specter Variant 1 could theoretically be addressed through an OS update, but Specter Variant 2 requires parallel updates to firmware/BIOS/microcode to fully repair it.
As we have said to you previous publication, Werner Haas, a Cyberus Technology spokesman and member of one of the three independent groups that discovered and reported Meltdown, said that achieving total protection against Specter is not simple and probably involves an "ongoing process" with corrections to software and hardware modifications.
"The Specter scenario is not that simple, as cross-application attacks are unlikely without even OS participation," said Haas.
"So a general solution like Meltdown seems unlikely. Therefore, I expect combined hardware / software bug fixes along with warning that the fight against Specter will be an ongoing process. "
Specter repair process is complicated and difficult for all of them suppliers hardware and software. So Red Hat's withdrawal of updates and the company's suggestion of patching by CPU manufacturers and OEMs is no surprise.
Microsoft had to stop developing Specter updates on AMD computers after they encountered similar problems that prevented PCs from booting. The company released these updates much later after working with AMD to troubleshoot.
Intel faces the same problems in older Broadwell and Haswell processors.
Let us mention that immediately after the announcement of the vulnerabilities CERT announced that the only way to repair Meltdown and Spectre was to replace the CPU.
"The underlying vulnerability is mainly driven by CPU architecture design choices," CERT researchers wrote. "The complete removal of the vulnerability requires the replacement of the vulnerable CPU."
A little later, and without knowing who was playing under the table, CERT recalled, and an Intel representative Agnes Kwan said: "CERT updated the vulnerability note to correct some inaccuracies."
Of course, we would not expect Intel to declare anything different, since the CERT report's assumption would cause strong turbulence in the company, with the corresponding cost.
