The hardware bug cannot be fully fixed with software updates

May 23, 2018 11:34 GMT  ·  By

As promised earlier this week, Red Hat has released software mitigations against the recently disclosed Spectre Variant 4 security vulnerability for all of its affected products; the flaw also affects Red Hat derivatives, including CentOS Linux.

On May 21, 2018, security researchers from Google Project Zero and the Microsoft Security Response Center publicly disclosed two new variants of the industry-wide issue known as Spectre, Variants 3a and 4. The latter, Spectre Variant 4 (Speculative Store Bypass), is tracked as CVE-2018-3639 and is rated by Red Hat as having Important security impact; it affects any Linux-based operating system, including all of Red Hat's products and their derivatives, such as CentOS Linux.

Though exploiting it is complex, Spectre Variant 4 could let an unprivileged attacker running code on the system read privileged memory and expose sensitive information by carrying out targeted cache side-channel attacks. Red Hat today released a kernel update for Red Hat Enterprise Linux 7 systems on the x86_64 (64-bit) hardware architecture to mitigate the issue, but noted that the flaw cannot be fully patched through software updates alone.

"This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide the software side of the mitigation for this hardware issue. To be fully functional, up-to-date CPU microcode applied on the system is required. Please refer to References section for further information about this issue, CPU microcode requirements and the potential performance impact," reads Red Hat's security advisory.

CentOS Linux 7 now also patched against Spectre Variant 4

Affected Red Hat products include Red Hat Enterprise Linux Server 7, Red Hat Enterprise Linux Server - Extended Update Support 7.5, Red Hat Enterprise Linux Workstation 7, Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux for IBM z Systems 7, Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5, and Red Hat Enterprise Linux for Power, big endian 7.

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5, Red Hat Enterprise Linux for Scientific Computing 7, Red Hat Enterprise Linux EUS Compute Node 7.5, Red Hat Enterprise Linux for Power, little endian 7, Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5, Red Hat Virtualization Host 4, Red Hat Enterprise Linux for ARM 64 7, Red Hat Enterprise Linux for Power 9 7, and Red Hat Enterprise Linux for IBM System z (Structure A) 7 are also affected.

Being based on the Red Hat Enterprise Linux 7 operating system series, the CentOS Linux 7 open-source rebuild has also received the Spectre Variant 4 mitigations, rebuilt from the upstream Red Hat Enterprise Linux kernel. All CentOS Linux 7 users are urged to update their installations to kernel-3.10.0-862.3.2.el7.x86_64.rpm as soon as possible, and also to install the latest microcode updates from their respective CPU vendor (Intel or AMD), since the kernel side of the mitigation is inactive until the CPU exposes the new control.
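A host-side check for the two halves the advisory describes (a fixed kernel and microcode that lets the kernel actually enable the mitigation), written here as an added example; it is not Red Hat's or the CentOS project's code. It assumes the fixed package version kernel-3.10.0-862.3.2.el7 named above, the sysfs file /sys/devices/system/cpu/vulnerabilities/spec_store_bypass that mitigated kernels expose, and the upstream wording of its three states ("Not affected", "Vulnerable", "Mitigation: ..."); the sample kernel/sysfs pairs in the demo are constructed, not captured from real hosts. The verdict names (kernel-too-old, mitigated, kernel-ok-mitigation-inactive, ...) are this script's own.

```shell
#!/bin/sh
# Added example (not Red Hat's or CentOS's code): does this RHEL/CentOS 7 host
# carry both halves of the CVE-2018-3639 (Spectre V4 / Speculative Store Bypass)
# mitigation, i.e. a fixed kernel AND microcode that lets the kernel enable it?
#
# Assumptions:
#  - FIXED_KERNEL is the package version the article names for RHEL/CentOS 7.
#  - Mitigated kernels expose the sysfs file below with one of the upstream
#    strings "Not affected", "Vulnerable" or "Mitigation: ...".
#  - On a fixed kernel, "Vulnerable" means the mitigation is not active: the CPU
#    does not advertise SSBD (microcode not updated) or it was switched off on
#    the kernel command line. Kernels predating the fix have no such file.

FIXED_KERNEL="3.10.0-862.3.2.el7"
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# kernel_at_least HAVE NEED: succeed when release HAVE (uname -r style, e.g.
# 3.10.0-862.3.2.el7.x86_64) is at least NEED. Only the leading numeric fields
# are compared; the ".el7.x86_64" suffix and anything after it is ignored.
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.-].*$//; s/-/./g')
    need=$(printf '%s' "$2" | sed 's/[^0-9.-].*$//; s/-/./g')
    i=1
    while :; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        n=$(printf '%s' "$need" | cut -d. -f"$i")
        [ -z "$h" ] && [ -z "$n" ] && return 0   # ran out of fields: equal
        h=${h:-0}; n=${n:-0}                      # a missing field counts as 0
        [ "$h" -gt "$n" ] && return 0
        [ "$h" -lt "$n" ] && return 1
        i=$((i + 1))
    done
}

# ssb_status LINE: classify one line of the sysfs file.
# Prints notaffected | mitigated | vulnerable | unknown (empty line = no file).
ssb_status() {
    case "$1" in
        "Not affected") echo notaffected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# ssb_verdict KERNEL_RELEASE SYSFS_LINE: combine both checks into one verdict.
ssb_verdict() {
    status=$(ssb_status "$2")
    if ! kernel_at_least "$1" "$FIXED_KERNEL"; then
        echo kernel-too-old                 # software half missing
    elif [ "$status" = notaffected ]; then
        echo not-affected
    elif [ "$status" = mitigated ]; then
        echo mitigated                      # both halves present and active
    elif [ "$status" = vulnerable ]; then
        echo kernel-ok-mitigation-inactive  # microcode half missing, or disabled
    else
        echo unknown
    fi
}

# Constructed sample pairs (not captured from real hosts) so the logic runs offline.
demo() {
    printf '%-28s %-48s %s\n' "kernel" "sysfs line" "verdict"
    while IFS='|' read -r krel line; do
        printf '%-28s %-48s %s\n' "$krel" "${line:-<file absent>}" \
            "$(ssb_verdict "$krel" "$line")"
    done <<EOF
3.10.0-862.2.3.el7.x86_64|
3.10.0-862.3.2.el7.x86_64|Vulnerable
3.10.0-862.3.2.el7.x86_64|Mitigation: Speculative Store Bypass disabled via prctl and seccomp
3.10.0-957.el7.x86_64|Not affected
EOF
}

# Live check of the host this script runs on (the sysfs file is world-readable).
live_check() {
    krel=$(uname -r 2>/dev/null || echo 0)
    line=""
    [ -r "$SSB_SYSFS" ] && line=$(head -n 1 "$SSB_SYSFS")
    echo "host kernel : $krel"
    echo "host sysfs  : ${line:-<file absent: kernel predates the mitigation>}"
    echo "host verdict: $(ssb_verdict "$krel" "$line")"
}

demo
echo
live_check
```

A verdict of kernel-ok-mitigation-inactive on an 862.3.2 kernel is exactly the case the advisory warns about: the package update is installed but the CPU does not advertise the control the kernel needs, so the system remains exposed until the vendor microcode is applied (or, if an administrator turned the mitigation off on the command line, until it is re-enabled). Kernels that carry the fix also surface the microcode capability as the ssbd flag in /proc/cpuinfo, which is a quick way to tell those two causes apart.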