Oracle's latest Linux fixes: New Spectre, Lazy FPU patches beef up defenses
Video: Intel says it can't protect all chips vulnerable to Meltdown and Spectre.
Meltdown-Spectre
Oracle has released patches for the latest Spectre CPU flaws and a fix for the Lazy floating-point unit (FPU) state restore issue affecting Intel CPUs.
Oracle's updates address the Spectre CPU flaws revealed in May, including CVE-2018-3640, also known as Spectre variant 3a, and CVE-2018-3639, Spectre variant 4.
The fix for Spectre version 4 needs both software and microcode updates, while fixing Spectre version 3a only requires microcode updates.
Oracle has released software-based patches for Oracle Linux and Oracle VM with Intel's microcode updates for x86 hardware.
Oracle director of security assurance, Eric Maurice, said the company will release more microcode updates and firmware patches as they become available from Intel.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
Oracle has also released updates for Red Hat Compatible Kernel (RHCK) to address CVE-2018-3665, the Lazy FPU issue that affects operating systems and VMs running on x86 microprocessors.
This update can be installed using Oracle's Ksplice tool for patching Oracle Linux.
Ksplice updates are also available for Oracle Unbreakable Enterprise Kernel Release 4 (UEKR4) on Oracle Linux 6 and Oracle Linux 7, which bring additional improved fixes for Spectre variant 2, and Spectre variant 3a.
Under Single Thread Indirect Branch Predictors (STIBP) enable failure, Oracle notes: "Incorrect masking could prevent the STIBP feature of the IA32_SPEC_CTRL MSR from being set. Guests that used the STIBP feature to mitigate Spectre v2 would not be fully mitigated."
That update also includes a fix for Spectre Variant 3a specific to AMD systems.
"The original vendor fix for CVE-2018-3639 did not expose the mitigation to KVM guests on AMD or correctly handle symmetric multithreading (SMT) systems.
"This update enables the speculative store bypass mitigation full time to protect guests and SMT systems by default on AMD systems and can be manually enabled/disable by writing 1/0 to /proc/sys/vm/ksplice_ssbd_control. The /proc/sys/vm/ksplice_ssbd_status file reports the current mitigation status," Oracle notes.
Previous and related coverage
Another day, another Intel CPU security hole: Lazy State
Intel has announced that there's yet another CPU security bug in its Core-based microprocessors.
Meltdown-Spectre: Oracle's critical patch update offers fixes against CPU attacks
The enterprise software giant is working on Spectre fixes for Solaris on Sparc V9.
New Spectre variant 4: Our patches cause up to 8% performance hit, warns Intel
Intel's Spectre variant 4 patch will be off by default, but users who turn it on are likely to see slower performance.
Spectre chip security vulnerability strikes again; patches incoming
Are 8 new 'Spectre-class' flaws in Intel CPUs about to be exposed?
Reports are emerging of eight new 'Spectre-class' security CPU vulnerabilities.
Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets
A new variant of Spectre can expose the contents of memory that normally can't be accessed by the OS kernel.
Microsoft to Windows users: Here are new critical Intel security updates for Spectre v2
Microsoft releases new Windows updates to address the Spectre variant 2 flaw affecting Intel chips.
Windows 10 on AMD? This new update plus Microsoft's patch block Spectre attacks
AMD has released microcode updates for Spectre variant 2 that require Microsoft's latest Windows 10 patch.
Intel: We now won't ever patch Spectre variant 2 flaw in these chips
A handful of CPU families that Intel was due to patch will now forever remain vulnerable.
Windows 7 Meltdown patch opens worse vulnerability: Install March updates now
Microsoft's Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.
Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode
Intel makes progress on reissuing stable microcode updates against the Spectre attack.
Got an old PC? Find out whether you will get Intel's latest Spectre patch (TechRepublic)
Intel has listed a range of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre-related exploits.
Class-action suits over Intel Spectre, Meltdown flaws surge (CNET)
Since the beginning of 2018, the number of cases has risen from three to 32.