From 5c8fda139829334634b306f0afb15cb1e448de02 Mon Sep 17 00:00:00 2001 From: Lindacornwall <55097368+Lindacornwall@users.noreply.github.com> Date: Thu, 19 Oct 2023 16:03:57 +0100 Subject: [PATCH] Delete 2023/Advisory-EGI-SVG-CVE-2022-40982.md wrong File name --- 2023/Advisory-EGI-SVG-CVE-2022-40982.md | 182 ------------------------ 1 file changed, 182 deletions(-) delete mode 100644 2023/Advisory-EGI-SVG-CVE-2022-40982.md diff --git a/2023/Advisory-EGI-SVG-CVE-2022-40982.md b/2023/Advisory-EGI-SVG-CVE-2022-40982.md deleted file mode 100644 index 6e0a809..0000000 --- a/2023/Advisory-EGI-SVG-CVE-2022-40982.md +++ /dev/null 
@@ -1,182 +0,0 @@ ---- -title: Advisory-SVG-CVE-2022-40982 -permalink: /Advisory-SVG-CVE-2022-40982 ---- - -## Advisory-SVG-CVE-2022-40982 - -``` -Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk Intel Downfall Vulnerability -[EGI-SVG-CVE-2022-40982] - -Date: 2023-08-16 -Updated: 2023-10-19 - -Affected software and risk -========================== - -HIGH risk vulnerability concerning some Intel processors - -Package : Intel processor firmware -CVE ID : CVE-2022-40982 -CVSS Score : 6.5 [R 1] - -A potential security vulnerability in some IntelĀ® Processors may allow -information disclosure. Intel is releasing firmware updates and an optional -software sequence to mitigate this potential vulnerability. [R 2] [R 3] - - -Actions required/recommended -============================ - -Sites are recommended to check whether their processors are affected, and if -they are update when updates are available. - -Intel recommends that users of affected IntelĀ® Processors update to the -latest version firmware provided by the system manufacturer that addresses -these issues. - -Various linux providers have or plan to provide this intel microcode fix as -part of their distributions, and sites may find it more convenient to update -from this route. - -However, as there are reports of potentially significant, workflow-dependent -performance degradations that a site may deem unacceptable at this time, there -is a flag in the microcode to turn off the mitigation, as detailed further -e.g. in [R 4]. - - -Component installation information -================================== - -Sites who wish to update soon should see the intel page [R 1] - -Sites running RHEL should see [R 4], [R 5] - -Note that RedHat states that "this microcode update will be made available by -Red Hat in a further release of the `microcode_ctl` package. [R 4] - -**UPDATE 2023-10-19** -RedHat said on 6th October 2023 'Solution Verified' as the updating -of the microcode firmware to version 20230808 or later. 
- -Sites running CentOS should also see [R 4], [R 5], [R 6] - -Sites running Debian should see [R 7] - -Sites running Ubuntu should see [R 8] - -Sites running RockyLinux should see [R 9] - -Sites running Almalinux should see [R 10] - - -Mitigation -========== - -The vulnerability can be mitigated by installing updated CPU microcode, -Version 20230808 or later. [R 4] - - -More information -================ - -Although RedHat and others consider this to be 'Medium' risk, with a -CVSS score of 6.5, we the EGI SVG consider it to be 'High' risk because -for Grid and Cloud computing processors are accessible by a number of people. -In [R 3] for example, it states that in cloud computing environments, a -malicious customer could exploit the Downfall vulnerability to steal data -and credentials from other customers who share the same cloud computer. - -Some performance degradation has been reported resulting from these updates. -At present, we do not know to what extent grid and cloud workflows at EGI -sites may be affected. - -TLP and URL -=========== - -** WHITE information - Unimited distribution -- see https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol -for distribution restrictions ** - -URL: https://advisories.egi.eu/Advisory-SVG-CVE-2022-40982 - -Minor updates may be made without re-distribution to the sites. - -Comments -======== - -Comments or questions should be sent to svg-rat at mailman.egi.eu - -If you find or become aware of another vulnerability which is relevant -to EGI you may report it by e-mail to - -report-vulnerability at egi.eu - -the EGI Software Vulnerability Group will take a look according to the - procedure defined in [R 99]. 
- - -References -========== - -[R 1] https://nvd.nist.gov/vuln/detail/CVE-2022-40982 - -[R 2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html - -[R 3] https://downfall.page/ - -[R 4] https://access.redhat.com/solutions/7027704 - -[R 5] https://access.redhat.com/security/cve/CVE-2022-40982 - -[R 6] https://lists.centos.org/pipermail/centos-announce/ - -[R 7] https://security-tracker.debian.org/tracker/CVE-2022-40982 - -[R 8] https://ubuntu.com/security/CVE-2022-40982 - -[R 9] https://errata.build.resf.org/ - -[R 10] https://errata.almalinux.org/ - - -[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867 - -Credit -====== - -SVG was alerted to this vulnerability by the UK security team and again by - Maarten Litmaath. - -Timeline -======== -Yyyy-mm-dd [EGI-SVG-CVE-2022-40982] - -2023-08-09 SVG alerted to this issue by the UK security team -2023-08--- Investigation of vulnerability and relevance to EGI carried out -2023-08-15 EGI SVG Risk Assessment completed -2023-08-16 Advisory/Alert sent to sites -2023-10-19 Updated and placed on advisories.egi.eu - -Context -======= - -This advisory has been prepared as part of the effort to fulfil EGI SVG's -purpose "To minimize the risk to the EGI infrastructure arising from software -vulnerabilities" -The risk is that assessed by the group, according to the EGI SVG issue handling -procedure [R 99] in the context of how the software is used in the EGI -infrastructure. It is the opinion of the group, we do not guarantee it to be -correct. The risk may also be higher or lower in other deployments depending on -how the software is used. - ------------------------------ -This advisory is subject to the Creative commons licence -https://creativecommons.org/licenses/by/4.0/ -and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. ------------------------------ - - -On behalf of the EGI SVG, -```
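Review bot: This hunk deletes the advisory outright, but the commit message says the reason is only a wrong file name, so a rename (git mv to the intended path in the same commit) would be the safer change: as written, the repository has no copy of Advisory-SVG-CVE-2022-40982 until a follow-up commit adds it, the advisory's front matter (`permalink: /Advisory-SVG-CVE-2022-40982`) and the published URL https://advisories.egi.eu/Advisory-SVG-CVE-2022-40982 need to be carried over unchanged, and a plain delete-then-add loses the file history that a rename preserves. If the content is re-added under the correct name, two small defects visible in the removed lines are worth fixing on the way: the vendor name is mis-encoded as "IntelĀ®" in the "Affected software and risk" and "Actions required/recommended" sections (should be "Intel®"), and the Red Hat quotation in "Component installation information" opens with a double quote but never closes it.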