Acer

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Amazon

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Addendum

There are no additional comments at this time.

AMD

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.amd.com/en/corporate/speculative-execution

Addendum

There are no additional comments at this time.

Android Open Source Project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://source.android.com/security/bulletin/2018-01-01

Addendum

There are no additional comments at this time.

Apple

Updated:  February 02, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.apple.com/en-us/HT208394 https://support.apple.com/en-us/HT208397 https://support.apple.com/en-us/HT208403 https://support.apple.com/en-us/HT208401 https://support.apple.com/en-ca/HT208465

Addendum

https://twitter.com/aionescu/status/948609809540046849 https://twitter.com/ErrataRob/status/949088097475743744

Arm

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://developer.arm.com/support/security-update https://developer.arm.com/-/media/Files/pdf/Cache_Speculation_Side-channels.pdf

Addendum

https://lwn.net/Articles/740393/

ASUSTeK Computer Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

CentOS

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://lists.centos.org/pipermail/centos-announce/2018-January/date.html

Addendum

There are no additional comments at this time.

Cisco

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Addendum

There are no additional comments at this time.

Citrix

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.citrix.com/article/CTX231399

Addendum

There are no additional comments at this time.

Debian GNU/Linux

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security-tracker.debian.org/tracker/CVE-2017-5754

Addendum

There are no additional comments at this time.

Dell

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.dell.com/support/contents/us/en/19/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre

Addendum

There are no additional comments at this time.

DragonFly BSD Project

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://lists.dragonflybsd.org/pipermail/users/2018-January/313758.html

Addendum

There are no additional comments at this time.

F5 Networks, Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.f5.com/csp/article/K91229003

Addendum

There are no additional comments at this time.

Fedora Project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://fedoramagazine.org/protect-fedora-system-meltdown/

Addendum

There are no additional comments at this time.

Fortinet, Inc.

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://fortiguard.com/psirt/FG-IR-18-002

Addendum

There are no additional comments at this time.

FreeBSD Project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.freebsd.org/news/newsflash.html#event20180104:01

Addendum

There are no additional comments at this time.

Fujitsu

Updated:  January 11, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.ts.fujitsu.com/content/SideChannelAnalysisMethod.asp?lng=EN

Addendum

There are no additional comments at this time.

GIGABYTE

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Google

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html https://support.google.com/faqs/answer/7622138

Addendum

There are no additional comments at this time.

Hewlett Packard Enterprise

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.hpe.com/us/en/services/security-vulnerability.html

Addendum

There are no additional comments at this time.

HP Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

IBM Corporation

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/

Addendum

There are no additional comments at this time.

Intel

Lenovo

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.lenovo.com/us/en/solutions/len-18282

Addendum

There are no additional comments at this time.

Linux Kernel

Updated:  January 04, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://lkml.org/lkml/2017/11/22/956 https://lkml.org/lkml/2018/1/4/174 https://lkml.org/lkml/2018/1/4/615

Addendum

There are no additional comments at this time.

Microsoft

Updated:  January 11, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/ https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/ https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/ https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Addendum

Note that Windows systems without antivirus do not appear to receive the ADV180002 update automatically. In order to receive the update through Windows Update, run the following command: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f If a third-party antivirus product does not explicitly indicate compatibility with to the protections provided by ADV180002 using the above registry value, the system will not automatically receive the ADV180002 update or any other update from Microsoft via Windows Update as well. Once a system has the ADV180002 update installed, it must be manually activated using the following commands to make the appropriate registry changes: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f Also note that in addition to the above changes, ADV180002 requires CPU microcode updates to achieve full protection. In some cases, Windows Update may not automatically install the ADV180002 update. An unofficial spreadsheet of antivirus vendor compatibility with this update is maintained here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true On systems that have not received the ADV180002 update automatically, you may have to install the update manually. Please see https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution for more details. To verify that your Windows system has protections against Meltdown and Spectre variant 2, in a PowerShell session running with Administrator privileges, run: Install-Module SpeculationControl If this fails, you may need to install PackageManagement PowerShell Modules Get-SpeculationControlSettings If this fails, you may need to change your PowerShell ExecutionPolicy setting: Set-ExecutionPolicy RemoteSigned Once you are satisfied with the PowerShell output, you can revert the ExecutionPolicy setting back to the default Restricted setting by running: Set-ExecutionPolicy Restricted The output of this PowerShell command will indicate the status of whether the CPU has the required microcode update, whether Windows has the required software update installed, and whether the mitigations are enabled. Any setting that indicates "False" is an indicator of incomplete protection from Meltdown and/or Spectre. For example, a system that has the ADV180002 update properly installed and enabled, but is missing the CPU microcode update to fully enable the protections will show output like this: Once the CPU microcode is updated on such a system (e.g. by way of a BIOS update) , the output will look like this, which indicates that the protections that Microsoft have released are fully enabled: If the above PowerShell command indicates "Windows OS support for PCID optimization is enabled: False", this is a symptom of using a processor that doesn't support process context identifiers (PCID). Such processors cannot take advantage of the performance optimization that avoids a TLB flush. If the above PowerShell command indicates "Hardware requires kernel VA shadowing: False", this is a symptom of using a processor that doesn't require mitigations for CVE-2017-5754 (Meltdown). Also note that Microsoft has not yet provided protection for CVE-2017-5754 (Meltdown) on affected 32-bit platforms.

Mozilla

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Addendum

There are no additional comments at this time.

NetApp

Updated:  January 08, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

security.netapp.com/advisory/ntap-20180104-0001/

Addendum

There are no additional comments at this time.

NetBSD

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

NVIDIA

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://nvidia.custhelp.com/app/answers/detail/a_id/4609 http://nvidia.custhelp.com/app/answers/detail/a_id/4611 http://nvidia.custhelp.com/app/answers/detail/a_id/4613 http://nvidia.custhelp.com/app/answers/detail/a_id/4614 https://www.nvidia.com/en-us/product-security/

Addendum

There are no additional comments at this time.

OpenBSD

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://marc.info/?l=openbsd-tech&m=151521435721902&w=2

Addendum

There are no additional comments at this time.

openSUSE project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html

Addendum

There are no additional comments at this time.

Oracle Corporation

Updated:  February 23, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.theregister.co.uk/2018/01/16/oracle_quarterly_patches_jan_2018/

Addendum

There are no additional comments at this time.

QUALCOMM Incorporated

Updated:  January 11, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The Register has published the following: https://www.theregister.co.uk/2018/01/06/qualcomm_processor_security_vulnerabilities/

Raspberry Pi

Updated:  January 08, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

Addendum

There are no additional comments at this time.

Red Hat, Inc.

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&documentKind=PortalProduct

Addendum

There are no additional comments at this time.

Samsung Semiconductor Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

SUSE Linux

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/ http://lists.suse.com/pipermail/sle-security-updates/2018-January/date.html

Addendum

There are no additional comments at this time.

Synology

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.synology.com/en-global/support/security/Synology_SA_18_01

Addendum

There are no additional comments at this time.

Technicolor

Updated:  January 08, 2018

Status

  Not Affected

Vendor Statement

Both Spectre and Meltdown attacks presupposed “open platforms”, where additional code can be added by a non-privileged user. The Technicolor products are not open platforms. Even where 3rd party application can run in containers and can be managed via Life Cycle Management, these applications are validated and signed before they can be installed on the platform. Technicolor is currently working with its vendors to identify if additional layers of protection are needed. Yet, as the current platforms are closed and have secure bootloading mechanism in place, there is no risk and no privilege acquired by an attacker in exploiting such an attack on Technicolor's devices.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Toshiba Corporation

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Trend Micro

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://success.trendmicro.com/solution/1119183-important-information-for-trend-micro-solutions-and-microsoft-january-2018-security-updates

Addendum

There are no additional comments at this time.

Ubuntu

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

Addendum

There are no additional comments at this time.

VMware

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.vmware.com/security/advisories/VMSA-2018-0002.html

Addendum

There are no additional comments at this time.

Xen

Updated:  January 24, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://xenbits.xen.org/xsa/advisory-254.html https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/

Addendum

There are no additional comments at this time.