CSCvg97979 - Side Channel Analysis vulnerability - M4 servers

Hi CISCO,

I believe the list of affected releases is incomplete. I have had to open a TAC Support Case to confirm this and I was informed by the TAC Engineer that all other releases from 2.2(6)B are also affected by the vulnerability. It would be good if CISCO could update the list of the affected releases.


Leo Laohoo
Hall of Fame
All UCS servers listed are affected because they're powered using Intel Xeon chips.
Others are still under investigation.
Fix will be released on 18 February 2018.

I am aware of that. My point is that the CISCO bug ID does not indicate that all other versions are impacted. I was able to see the details of the bug earlier - CSCvg97979. Initially it listed 2.2(0.6) B as the affected release. However, the link to the bug ID is not available.

Anyways, thank you for the response.

Even though the people who've discovered the vulnerabilities informed Intel (and other big companies) way back in April 2017, not everyone was proactive to issue a patch before the vulnerabilities were made public (except for Apple).
All UCS servers are affected, regardless of the firmware of CIMC currently loaded, and the fix will be released on 18 February 2018.
Unless you have highly valuable data in your UCS and highly coveted by industrial espionage, it has not yet been reported nor observed that someone has crafted an exploit to take advantage of these vulnerabilities.

Thank you. Company is going through PCI Compliance review. This bit lights up like a Christmas tree in the compliance report. It's good that CISCO has a release date for the fix.

Any idea why Cisco is requiring that much time to provide the release? Most major server vendors have already released patches for CVE-2017-5715 mitigation. I have multi-user systems so this is fairly critical.


@hostasaurus wrote:

I have multi-user systems so this is fairly critical. 


Reach out to your Cisco SE/AM and they should be able to provide more information.