This article is regularly updated with information regarding these vulnerabilities.
This document is a reference to assist with the following:
Overview of the Meltdown and Spectre vulnerabilities
For a further overview of both the Meltdown and Spectre vulnerabilities please see the following Ivanti Blog Post: https://www.ivanti.com/blog/meltdown-spectre-need-know/
- Meltdown: CVE-2017-5754. More information from the National Vulnerability Database: NVD - CVE-2017-5754
- Spectre Variant 1: CVE-2017-5753. More information from the National Vulnerability Database: NVD - CVE-2017-5753
- Spectre Variant 2: CVE-2017-5715. More information from the National Vulnerability Database: NVD - CVE-2017-5715
These CVE and NVD entries contain lists of advisories, solutions, and tools regarding these vulnerabilities. CVE is a reference method for publicly known IT vulnerabilities and exposures.
Meltdown and Spectre are vulnerabilities that affect a range of computer processors, including Intel x86 processors and some ARM-based processors. Because of this, we will cover how to mitigate them through the features of Ivanti EPM. Meltdown affects a very large range of devices (servers, desktops, cell phones, tablets and other mobile devices), so it touches some of the systems you manage with Ivanti EPM. It was disclosed in January 2018 together with another vulnerability, "Spectre", with which it shares some but not all characteristics. Meltdown patches may introduce some performance loss, but not as much as was initially reported.
On January 18th, 2018, unwanted reboots and other stability issues were reported from patches applied to mitigate these vulnerabilities, and newer updates have been released as a result. All updates are addressed later in this document under the OS Updates section.
OS Updates
Windows Updates
Changes to expect in the Ivanti Content:
- With the Ivanti Content release on 04/25/2018, we will be removing the detection-only patches for machines that do not have the AV registry entry described in the Microsoft article referenced below, and will be offering the patches in this document to applicable machines.
We highly suggest all customers review these issues here: https://support.microsoft.com/en-us/help/4072699
Quote: "We are lifting the AV compatibility check for Windows security updates for supported Windows 7 SP1 and Windows 8.1 devices via Windows Update. We continue to require that AV software be compatible, and in cases where there are known issues of AV driver compatibility, we will block those devices from updates to avoid any issues. We recommend customers check with their AV provider on compatibility of their installed AV software product."
This section describes available Patch and Compliance definitions that can be delivered through the EPM Patch and Compliance tool.
If your patches are not installing and you expect them to be, it may be due to a registry key that Microsoft requires to be present prior to installing the patches. This protects against potential incompatibility with Anti-malware software that may cause blue screen crashes.
For more information, see: About Antivirus products and the Meltdown and Spectre security vulnerabilities
New 01/29/2018: Important update for all operating systems
With this update, you need to choose whether to disable (or roll back) installation of the Spectre Variant 2 mitigation patch, or to enable installation of these patches. You do not need to disable or enable any of the patch definitions themselves; you simply choose whether to repair MSNS18-01-4078130_INTL, which DISABLES installing the specific patches, or to repair IVA18-001_INTL, which ENABLES installing them. (Remove one or the other from your scan group accordingly.)
Microsoft news about this patch release: https://support.microsoft.com/en-us/help/4078130/update-to-disable-mitigation-against-spectre-variant-2
Article from Intel: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
To disable installing the patches that mitigate Spectre Variant 2
Note: If you choose to install the following patch, make sure you are not scanning for and repairing IVA18-001_INTL, as the two are essentially opposites and will cause reboot loops due to constant detection and repair.
Ivanti ID | Microsoft KB # | Ivanti Publish Date
---|---|---
MSNS18-01-4078130_INTL | KB4078130 | 01/29/2018
To enable installing the patches that mitigate Spectre Variant 2
Note: If you choose to install the following patch, IVA18-001, make sure you are not scanning for and repairing MSNS18-01-4078130_INTL, as the two are essentially opposites and will cause reboot loops due to constant detection and repair.
Ivanti ID | Microsoft KB # | Ivanti Publish Date
---|---|---
IVA18-001_INTL | 4072698 | 01/29/2018
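Before deciding which of the two definitions above to repair, it helps to know what an endpoint currently has in the registry. The following PowerShell is an added example for this article (it is not Ivanti tooling and not from the Microsoft articles linked above): it reads, without changing anything, the AV compatibility value that Microsoft requires before the January 2018 updates will install (the QualityCompat value documented in KB4072699, linked earlier in this document) and the FeatureSettingsOverride / FeatureSettingsOverrideMask values that the KB4078130 update uses to switch the Spectre Variant 2 mitigation off. The key paths and value names are Microsoft's documented ones; the function name is chosen for this example.

```powershell
# Added example: read-only check of the registry state that governs
# (a) whether the Meltdown/Spectre Windows updates are offered at all and
# (b) whether the Spectre Variant 2 / Meltdown mitigations have been
# disabled through the FeatureSettingsOverride mechanism.
# Run in an elevated session on the endpoint being troubleshooted.

function Get-SpectreMeltdownRegistryState {
    # Microsoft AV compatibility marker (KB4072699): a REG_DWORD with this
    # GUID as its name must exist or the updates are not offered.
    $qcPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $qcValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    # FeatureSettingsOverride / FeatureSettingsOverrideMask (KB4072698, set by KB4078130):
    #   bit 0 set in both values -> Spectre Variant 2 (branch target injection) mitigation disabled
    #   bit 1 set in both values -> Meltdown (rogue data cache load) mitigation disabled
    $mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

    $qc = Get-ItemProperty -Path $qcPath -ErrorAction SilentlyContinue
    $avKeyPresent = ($null -ne $qc) -and ($null -ne $qc.PSObject.Properties[$qcValue])

    $mm = Get-ItemProperty -Path $mmPath -ErrorAction SilentlyContinue
    $override = $null
    $mask     = $null
    if ($null -ne $mm) {
        if ($null -ne $mm.FeatureSettingsOverride)     { $override = [int]$mm.FeatureSettingsOverride }
        if ($null -ne $mm.FeatureSettingsOverrideMask) { $mask     = [int]$mm.FeatureSettingsOverrideMask }
    }

    # Only bits present in both the override and the mask take effect;
    # absent values mean the operating-system default (mitigations on).
    $effective = 0
    if ($null -ne $override -and $null -ne $mask) { $effective = $override -band $mask }

    [pscustomobject]@{
        AvCompatibilityKeyPresent   = $avKeyPresent
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        SpectreV2MitigationDisabled = (($effective -band 1) -ne 0)
        MeltdownMitigationDisabled  = (($effective -band 2) -ne 0)
    }
}

Get-SpectreMeltdownRegistryState | Format-List
```

If AvCompatibilityKeyPresent is False, the patches in this document will not install until the antivirus vendor (or you, after confirming compatibility) sets that value. If SpectreV2MitigationDisabled is True, the machine has already received the KB4078130 behaviour and repairing IVA18-001_INTL on it would re-enable the mitigation, which is the reboot-loop scenario the notes above warn about when both definitions are in one scan group.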
This article contains the latest information on Windows Patches available to mitigate these issues:
Ivanti Patch News Bulletin: Microsoft has Released its Security Bulletins for February 2018
Patches are often superseded by a newer patch that contains additional fixes or mitigates problems with prior patches. It is expected that most, if not all, of these patches will be superseded in the near future as Intel and Microsoft acquire more information about the issue.
It is important to keep your definitions cleaned up so you are only scanning for and repairing the latest patches.
To manage your Patch Content effectively, see: How To: Manage Superseded Patches in Patch and Compliance Manager
Note: As of 01/17/2018, the Windows patches for 32-bit systems do not provide Meltdown mitigations on any OS version. This is a Windows Patch issue, not an Ivanti Patch issue. Microsoft statement on this issue: "Addressing a hardware vulnerability through a software update presents significant challenges, and mitigations for older operating systems require extensive architectural changes. We are working with affected chip manufacturers to determine the best way to provide mitigations for x86 customers. These may be delivered in future updates."
macOS and iOS updates
Apple included mitigations for macOS 10.13.2 and iOS 11.2 released in December. It has since followed up with additional mitigations with the just-released Apple macOS Supplemental Update: About speculative execution vulnerabilities in ARM-based and Intel CPUs - Apple Support
Linux and Unix updates
CentOS 6
Ivanti ID | Type of update | More Info URL | Date Published
---|---|---|---
CESA-2018-0093 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0093 | 01/17/2018
CESA-2018:0013 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018
CESA-2018-0061 | libvirt | https://access.redhat.com/errata/RHSA-2018:0030 | 01/04/2018
CESA-2018:0008 | kernel | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018
CESA-RHSA-2018:0024 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0024 | 01/04/2018
CentOS 7
Ivanti ID | Type of update | More Info URL | Date Published
---|---|---|---
CESA-2018:0094 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0094 | 01/17/2018
CESA-2018:0007 | kernel | https://access.redhat.com/errata/RHSA-2018:0007 | 01/04/2018
CESA-2018:0014 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0014 | 01/04/2018
CESA-2018:0012 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0012 | 01/04/2018
CESA-2018:0029 | libvirt | https://access.redhat.com/errata/RHSA-2018:0029 | 01/04/2018
CESA-2018:0023 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0023 | 01/04/2018
Red Hat Enterprise
Ivanti ID | Type of update | More Info URL | Date Published
---|---|---|---
RHSA-2018-0093 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0093 | 01/17/2018
RHSA-2018-0094 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0094 | 01/17/2018
RHSA-2018-0030 | libvirt | https://access.redhat.com/errata/RHSA-2018:0030 | 01/05/2018
RHSA-2018-0024 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0024 | 01/04/2018
RHSA-2018-0023 | qemu-kvm | https://access.redhat.com/errata/RHSA-2018:0023 | 01/04/2018
RHSA-2018-0012 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0012 | 01/04/2018
RHSA-2018-0014 | linux-firmware | https://access.redhat.com/errata/RHSA-2018:0014 | 01/04/2018
RHSA-2018-0007 | kernel | https://access.redhat.com/errata/RHSA-2018:0007 | 01/04/2018
RHSA-2018-0008 | kernel | https://access.redhat.com/errata/RHSA-2018:0008 | 01/04/2018
RHSA-2018-0013 | microcode_ctl | https://access.redhat.com/errata/RHSA-2018:0013 | 01/04/2018
Ubuntu
Ivanti ID | Type of update | More Info URL | Date Published
---|---|---|---
USN-3530-1 | WebKitGTK | USN-3530-1: WebKitGTK+ vulnerabilities (Ubuntu) | 01/11/2018
USN-3531-1 | intel-microcode | USN-3531-1: Intel Microcode update (Ubuntu) | 01/11/2018
USN-3522-4 | linux-lts-xenial | USN-3522-4: Linux kernel (Xenial HWE) regression (Ubuntu) | 01/10/2018
USN-3523-2 | linux-hwe, linux-azure, linux-gcp, linux-oem | USN-3523-2: Linux kernel (HWE) vulnerabilities (Ubuntu) | 01/10/2018
USN-3522-3 | linux regression | USN-3522-3: Linux kernel regression (Ubuntu) | 01/10/2018
USN-3522-2 | linux-lts-xenial, linux-aws | USN-3522-2: Linux (Xenial HWE) vulnerability (Ubuntu) | 01/09/2018
USN-3522-1 | linux, linux-aws, linux-euclid, linux-kvm | USN-3522-1: Linux kernel vulnerability (Ubuntu) | 01/09/2018
Browser Vulnerabilities
Browser | Edge | Internet Explorer | Google Chrome | Firefox | Opera
---|---|---|---|---|---
Earliest Recommended Version | Varies per build number | Varies per OS | 64.0.3282.167 | 58.0.2 | 51.0.2830.26
Ivanti Patch Definition ID | MS18-02-W10_INTL | MS18-02-IE_INTL | Chrome-216_INTL | FF18-004_INTL or newer | OPERA-155_INTL
BIOS, Firmware and Driver updates
Ivanti EPM Patch and Compliance provides content for several vendors' BIOS and driver updates. It is recommended to follow the advice of the vendor and to update your systems accordingly.
As a convenience we offer some links to vendor websites relating to this issue:
Dell: Meltdown and Spectre Vulnerabilities | Dell US
HP: HPSBHF03573 rev. 7 - Side-Channel Analysis Method | HP® Customer Support
Lenovo: Reading Privileged Memory with a Side Channel
Most vendors have pulled their BIOS updates pending new changes from the CPU vendors.
Further Information: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners
These vendor links are provided for convenience. They may quickly become outdated and there may be better links provided by the vendor.
Antivirus software and possible compatibility issues with OS patches
See the following article for information specifically regarding antivirus compatibility, including Ivanti Antivirus: About Antivirus products and the Meltdown and Spectre security vulnerabilities