Acer

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Amazon

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

AMD

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.amd.com/en/corporate/speculative-execution

Android Open Source Project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://source.android.com/security/bulletin/2018-01-01

Apple

Updated:  February 02, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.apple.com/en-us/HT208394
https://support.apple.com/en-us/HT208397
https://support.apple.com/en-us/HT208403
https://support.apple.com/en-us/HT208401
https://support.apple.com/en-ca/HT208465

Addendum

https://twitter.com/aionescu/status/948609809540046849
https://twitter.com/ErrataRob/status/949088097475743744

Arm

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://developer.arm.com/support/security-update
https://developer.arm.com/-/media/Files/pdf/Cache_Speculation_Side-channels.pdf

Addendum

https://lwn.net/Articles/740393/

ASUSTeK Computer Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://lists.centos.org/pipermail/centos-announce/2018-January/date.html

Cisco

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Citrix

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.citrix.com/article/CTX231399

Debian GNU/Linux

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security-tracker.debian.org/tracker/CVE-2017-5754

Dell

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.dell.com/support/contents/us/en/19/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre

DragonFly BSD Project

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://lists.dragonflybsd.org/pipermail/users/2018-January/313758.html

F5 Networks, Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.f5.com/csp/article/K91229003

Fedora Project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://fedoramagazine.org/protect-fedora-system-meltdown/

Fortinet, Inc.

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://fortiguard.com/psirt/FG-IR-18-002

FreeBSD Project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.freebsd.org/news/newsflash.html#event20180104:01

Fujitsu

Updated:  January 11, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.ts.fujitsu.com/content/SideChannelAnalysisMethod.asp?lng=EN

GIGABYTE

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://support.google.com/faqs/answer/7622138

Hewlett Packard Enterprise

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.hpe.com/us/en/services/security-vulnerability.html

HP Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.ibm.com/blogs/psirt/potential-cpu-security-issue/

Intel

Lenovo

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.lenovo.com/us/en/solutions/len-18282

Linux Kernel

Updated:  January 04, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://lkml.org/lkml/2017/11/22/956
https://lkml.org/lkml/2018/1/4/174
https://lkml.org/lkml/2018/1/4/615

Microsoft

Updated:  January 11, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Addendum

Note that Windows systems without antivirus do not appear to receive the ADV180002 update automatically. In order to receive the update through Windows Update, run the following command:

  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0 /f

If a third-party antivirus product does not explicitly indicate compatibility with the protections provided by ADV180002 using the above registry value, the system will not automatically receive the ADV180002 update, or any other update from Microsoft, via Windows Update.

Once a system has the ADV180002 update installed, it must be manually activated using the following commands to make the appropriate registry changes:

  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

Also note that in addition to the above changes, ADV180002 requires CPU microcode updates to achieve full protection.

In some cases, Windows Update may not automatically install the ADV180002 update. An unofficial spreadsheet of antivirus vendor compatibility with this update is maintained here:
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

On systems that have not received the ADV180002 update automatically, you may have to install the update manually. Please see https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution for more details.

To verify that your Windows system has protections against Meltdown and Spectre variant 2, in a PowerShell session running with Administrator privileges, run:

  Install-Module SpeculationControl

If this fails, you may need to install PackageManagement PowerShell Modules.

  Get-SpeculationControlSettings

If this fails, you may need to change your PowerShell ExecutionPolicy setting:

  Set-ExecutionPolicy RemoteSigned

Once you are satisfied with the PowerShell output, you can revert the ExecutionPolicy setting back to the default Restricted setting by running:

  Set-ExecutionPolicy Restricted

The output of this PowerShell command indicates whether the CPU has the required microcode update, whether Windows has the required software update installed, and whether the mitigations are enabled. Any setting that indicates "False" is an indicator of incomplete protection from Meltdown and/or Spectre.

For example, a system that has the ADV180002 update properly installed and enabled, but is missing the CPU microcode update to fully enable the protections will show output like this:

Once the CPU microcode is updated on such a system (e.g. by way of a BIOS update), the output will look like this, which indicates that the protections that Microsoft have released are fully enabled:

If the above PowerShell command indicates "Windows OS support for PCID optimization is enabled: False", this is a symptom of using a processor that doesn't support process context identifiers (PCID). Such processors cannot take advantage of the performance optimization that avoids a TLB flush.

If the above PowerShell command indicates "Hardware requires kernel VA shadowing: False", this is a symptom of using a processor that doesn't require mitigations for CVE-2017-5754 (Meltdown).

Also note that Microsoft has not yet provided protection for CVE-2017-5754 (Meltdown) on affected 32-bit platforms.
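
A read-only check that the registry values set by the reg add commands above are actually present with the expected type and data. This is an added example, not part of the original advisory or Microsoft's tooling; the function name Test-Adv180002Registry is hypothetical, and the paths, value names and data are copied from the commands in this addendum.

```powershell
# Added example, not from the advisory: read-only audit of the registry values
# that the reg add commands above create. Nothing is written to the registry.
# Test-Adv180002Registry is a hypothetical name chosen for this example.

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$expected = @(
    [pscustomobject]@{
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
        Name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'; Kind = 'DWord'; Data = 0 }
    [pscustomobject]@{ Path = $mm; Name = 'FeatureSettingsOverride'; Kind = 'DWord'; Data = 0 }
    [pscustomobject]@{ Path = $mm; Name = 'FeatureSettingsOverrideMask'; Kind = 'DWord'; Data = 3 }
    [pscustomobject]@{
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
        Name = 'MinVmVersionForCpuBasedMitigations'; Kind = 'String'; Data = '1.0' }
)

function Test-Adv180002Registry {
    param([object[]]$Settings = $expected)

    foreach ($s in $Settings) {
        $state  = 'Missing'   # key or value absent
        $actual = $null
        $kind   = $null

        # A missing key is a normal finding here, not an error.
        $key = Get-Item -LiteralPath $s.Path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $s.Name)) {
            # GetValueKind throws for an absent value, hence the name check above.
            $actual = $key.GetValue($s.Name)
            $kind   = $key.GetValueKind($s.Name).ToString()

            if ($kind -ne $s.Kind)       { $state = 'WrongType' }   # e.g. REG_SZ instead of REG_DWORD
            elseif ($actual -ne $s.Data) { $state = 'Mismatch' }
            else                         { $state = 'OK' }
        }

        [pscustomobject]@{
            Name     = $s.Name
            Expected = "$($s.Kind):$($s.Data)"
            Actual   = if ($null -eq $actual) { '-' } else { "${kind}:$actual" }
            State    = $state
        }
    }
}

Test-Adv180002Registry | Format-Table -AutoSize
```

This reports configuration only: whether the update and the CPU microcode are installed is what Get-SpeculationControlSettings shows.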

Mozilla

Updated:  January 03, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

NetApp

Updated:  January 08, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

security.netapp.com/advisory/ntap-20180104-0001/

NetBSD

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NVIDIA

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://nvidia.custhelp.com/app/answers/detail/a_id/4609
http://nvidia.custhelp.com/app/answers/detail/a_id/4611
http://nvidia.custhelp.com/app/answers/detail/a_id/4613
http://nvidia.custhelp.com/app/answers/detail/a_id/4614
https://www.nvidia.com/en-us/product-security/

OpenBSD

Updated:  January 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://marc.info/?l=openbsd-tech&m=151521435721902&w=2

openSUSE project

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00001.html

Oracle Corporation

Updated:  February 23, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.theregister.co.uk/2018/01/16/oracle_quarterly_patches_jan_2018/

QUALCOMM Incorporated

Updated:  January 11, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The Register has published the following: https://www.theregister.co.uk/2018/01/06/qualcomm_processor_security_vulnerabilities/

Raspberry Pi

Updated:  January 08, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

Red Hat, Inc.

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&documentKind=PortalProduct

Samsung Semiconductor Inc.

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
http://lists.suse.com/pipermail/sle-security-updates/2018-January/date.html

Synology

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.synology.com/en-global/support/security/Synology_SA_18_01

Technicolor

Updated:  January 08, 2018

Status

  Not Affected

Vendor Statement

Both Spectre and Meltdown attacks presupposed “open platforms”, where additional code can be added by a non-privileged user. The Technicolor products are not open platforms. Even where 3rd party application can run in containers and can be managed via Life Cycle Management, these applications are validated and signed before they can be installed on the platform. Technicolor is currently working with its vendors to identify if additional layers of protection are needed. Yet, as the current platforms are closed and have secure bootloading mechanism in place, there is no risk and no privilege acquired by an attacker in exploiting such an attack on Technicolor's devices.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Toshiba Corporation

Updated:  January 05, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Trend Micro

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://success.trendmicro.com/solution/1119183-important-information-for-trend-micro-solutions-and-microsoft-january-2018-security-updates

Ubuntu

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

VMware

Updated:  January 05, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.vmware.com/security/advisories/VMSA-2018-0002.html

Xen

Updated:  January 24, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://xenbits.xen.org/xsa/advisory-254.html
https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/