Security Vulnerability: Spectre side channel attack "Lazy FPU Save/Restore" aka CVE-2018-3665.
This document (7023076) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12
It was found that due to the "lazy" approach, the x86 FPU states or FPU / XMM / AVX512 register content, could leak across process, or even VM boundaries, giving attackers possibilities to read private data from other processes, when using speculative execution side channel gadgets.
which mitigates the security issue. This option has the default of "auto".
To date, the automatic default here was "on" for CPUs with the XSAVEOPT feature in modern Intel procesors (Broadwell/Haswell and newer), and "off" for all older CPUs.
- the 'eagerfpu=on' parameter was not correctly parsed on the kernel command line in 4.4 kernels prior to SLES12 SP3 kernel-4.4.138-94.39.1 and SLES12 SP2 kernel-4.4.121-92.85.1
- On SUSE Linux Enterprise Server 11, the kernel did not have this option before this update, but it has received a backport of the "eagerfpu" kernel option with this update.
SLES 12 SP3
- kernel 4.4.138-94.39.1
SLES 12 SP2 - LTSS
- kernel 4.4.121-92.85.1 (in QA)
SLES 12 SP1 - LTSS
- kernel 3.12.74-184.108.40.206
SLES 12 GA - LTSS
- kernel 3.12.61-52.136.1
SLES 11 SP4
- kernel 3.0.101-108.57.1
SLES 11 SP3 - LTSS
- kernel 3.0.101-0.47.106.35.1
- This issue also affects hypervisors like XEN, which will also change the behaviour to eager save/restore method.
- CPU Microcode changes are not needed to mitigate this issue.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7023076
- Creation Date:11-JUN-18
- Modified Date:01-JUL-18
- SUSESUSE Linux Enterprise Server