The impact of the Google Project Zero team’s disclosure goes beyond Intel, ARM, and AMD. Even IBM POWER is affected by the latest security bug. IBM did a great job of keeping this quiet. IBM’s official announcement of the fixes came on the same day the Spectre and Meltdown vulnerability set was scheduled to be disclosed, January 9, 2018. At STH, we have received questions about whether IBM POWER chips are impacted. The announcement confirms that at least POWER7+, POWER8, and POWER9 are being patched for the speculative execution vulnerability.
IBM POWER Statement on Spectre and Meltdown Patches
Here is the official statement from IBM:
On Wednesday, January 3, researchers from Google announced a security vulnerability impacting microprocessors, including processors in the IBM POWER family.
This vulnerability doesn’t allow an external unauthorized party to gain access to a machine, but it could allow a party that has access to the system to access unauthorized data.
If this vulnerability poses a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place.
Complete mitigation of this vulnerability for Power Systems clients involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective. These will be available as follows:
- Firmware patches for POWER7+ and POWER8 platforms are now available via FixCentral. POWER9 patches will be available on January 15. We will provide further communication on supported generations prior to POWER7+ including firmware patches and availability.
- Linux operating system patches are now available through our Linux distribution partners Red Hat, SUSE and Canonical.
- AIX and IBM i operating system patches will be available February 12. Information will be available via PSIRT.
Clients should review these patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied.
(Source: IBM)
As one can see, IBM POWER will require both firmware and OS patching to mitigate the speculative execution vulnerability, and per IBM's statement the firmware patch must be installed for the OS patch to be effective. Hopefully, IBM fares better than Intel in its initial firmware patching.