Red Hat has been released updates which roll back previous patches that fix the Specter vulnerability (Variant 2, also known as CVE-2017-5715), when the company's customers reported that some systems were failing to boot.
“Red Hat no longer provides microcode για να αντιμετωπίσει το Specter, στην παραλλαγή 2, εξαιτίας των αστάθμητων factors that have been created and are causing difficulties in booting our customers' systems", the company said.
So instead of updates, Red Hat recommends that each of its customers contact the provider hardware OEM to fix CVE-2017-5715 vulnerability on a per-system basis.
In addition to Red Hat Enterprise Linux distribution, other RHEL-based distributions, such as CentOS and Scientific Linux, will be affected by Red Hat's decision to reinstate previous updates for Specter Variant 2. So anyone using RHEL and distribution forks should also contact the CPU / OEM vendors.
Remember that CVE-2017-5715 is the identification number for one of the three errors known as Meltdown (CVE-2017-5754) and Specter (Variant 1 - CVE-2017-5753, but also Variant 2 - CVE-2017- 5715).
Most experts reported that only Meltdown and 1 Specter Variant could theoretically be addressed through an updated version of the OS, but Specter Variant 2 requires parallel updates to the firmware / BIOS / microcode to be fully repaired.
As we have said to you previous publication, Werner Haas, a spokesman for Cyberus Technology and a member of one of the three independent teams that discovered and reported Meltdown, said that achieving a comprehensive protections against Specter is not simple and will likely involve an "ongoing process" with software fixes and hardware modifications.
"The Specter scenario is not that simple, as cross-application attacks are unlikely without even OS participation," said Haas.
"Therefore, a general solution like Meltdown seems unlikely. Therefore, I expect combined repairs to hardware / software defects along with the warning that the fight against Spectre will be an ongoing process. "
The Specter repair process is complex and difficult for all hardware and software vendors. So the withdrawal of updates from Red Hat and the company's patching proposal from CPU makers and OEMs is no surprise.
Microsoft had to stop developing Specter updates on AMD computers after they encountered similar problems that prevented PCs from booting. The company released these updates much later after working with AMD to troubleshoot.
Intel faces the same problems in older Broadwell and Haswell processors.
Let us mention that immediately after the announcement of the vulnerabilities CERT announced that the only way to repair Meltdown and Spectre was to replace the CPU.
"The underlying vulnerability is mainly driven by CPU architecture design choices," CERT researchers wrote. "The complete removal of the vulnerability requires the replacement of the vulnerable CPU."
A little later, and without knowing who was playing under the table, CERT recalled, and an Intel representative Agnes Kwan said: "CERT updated the vulnerability note to correct some inaccuracies."
Of course, we would not expect Intel to declare anything different, since the CERT report's assumption would cause strong turbulence in the company, with the corresponding cost.