Security vulnerability: Regression in SUSE Linux Enterprise 15 SP3 kernel caused by RETBLEED fixes

This document (000020704) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 Service Pack 3

Situation

The last kernel update for SUSE Linux Enterprise 15 SP3 (version 5.3.18-150300.59.81.1) is causing crashes and hangs during bootup due to a regression in the backported complex RETBLEED security fix mitigations.

Resolution

The kernel update version 5.3.18-150300.59.81.1 has been marked as "retracted" in the repositories, so while it will stay available, but it will not longer get installed by default anymore.

If this kernel has already been installed and is causing problems:
1. boot the buggy kernel with the following boot command line option to disable the buggy mitigation:

                spectre_v2=off

2. When the default multi-version setup is available, the previous kernel will still be installed, and the buggy one can be de-installed:

                rpm -q kernel-default

should show 2 or more lines. Either boot the previous kernel and/or de-install the buggy one with

               zypper rm kernel-default-5.3.18-150300.59.81.1

3. When only 1 kernel is installed, install the previous kernel release 5.3.18-150300.59.76.1, with e.g.:

                zypper in -f kernel-default-5.3.18-150300.59.76.1

Status

Security Alert

Additional Information

SUSE is preparing a fixed incremental kernel update that will be released in the next days.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.