Red Hat has been released updates which roll back previous patches that fix the vulnerability Spectre (Variant 2, also known as CVE-2017-5715), when the company's customers reported that some systems fail to boot.
"Red Hat no longer provides microcodes to deal with Specter, in variant 2, because of the unbalanced factors that have created and are causing our clients' systems to start up." the company said.
Instead of updating, Red Hat recommends that each customer contact the OEM hardware provider to repair the CVE-2017-5715 vulnerability by system.
In addition to Red Hat Enterprise Linux distribution, other RHEL-based distributions, such as CentOS and Scientific Linux, will be affected by Red Hat's decision to reinstate previous updates for Specter Variant 2. So anyone using RHEL and distribution forks should also contact the CPU / OEM vendors.
Remember that CVE-2017-5715 is the identification number for one of the three errors known as Meltdown (CVE-2017-5754) and Specter (Variant 1 - CVE-2017-5753, but also Variant 2 - CVE-2017- 5715).
Most experts reported that only Meltdown and 1 Specter Variant could theoretically be addressed through an updated version of the OS, but Specter Variant 2 requires parallel updates to the firmware / BIOS / microcode to be fully repaired.
As we have said to you previous publication, Werner Haas, a Cyberus Technology spokesman and member of one of the three independent groups that discovered and reported Meltdown, said that achieving total protection against Specter is not simple and probably involves an "ongoing process" with corrections to software and hardware modifications.
"The script attacks [Spectre] is not that simple, as it is very possible to have cross-application attacks without the OS even being involved,” said Haas.
"Therefore, a general solution like Meltdown seems unlikely. Therefore, I expect combined repairs to hardware / software defects along with the warning that the fight against Spectre will be an ongoing process. "
The Specter repair process is complex and difficult for all hardware and software vendors. So the withdrawal of updates from Red Hat and the company's patching proposal from CPU makers and OEMs is no surprise.
Microsoft had to stop developing Specter updates on AMD computers after they encountered similar problems that prevented PCs from booting. The company released these updates much later after working with AMD to troubleshoot.
Intel is experiencing the same issues in older Broadwell processors and Haswell.
Let us mention that immediately after the announcement of the vulnerabilities CERT announced that the only way to repair Meltdown and Spectre was to replace the CPU.
“The underlying vulnerability is caused primarily by choices planning of CPU architecture," the CERT researchers wrote. "Full removal of the vulnerability requires replacing the vulnerable CPU."
A little later, and without knowing who was playing under the table, CERT recalled, and an Intel representative Agnes Kwan said: "CERT updated the vulnerability note to correct some inaccuracies."
Of course, we would not expect Intel to declare anything different, since the CERT report's assumption would cause strong turbulence in the company, with the corresponding cost.
