Original release: 01.26.2018
Latest Update: 03.20.2018
Security vulnerabilities (CVE 2017- 5715, CVE 2017- 5753, CVE 2017- 5754, SA-00088)
Malicious code utilizing a new method of side-channel analysis and running locally on a normally operating platform has the potential to allow the inference of data values from memory. This issue takes advantage of techniques commonly used in many modern processor architectures.
Elevation of Privilege / Information Disclosure
The exploits do not have the potential to corrupt, modify or delete data.
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.
Client Computing Devices
An overview of the affected LIFEBOOK/STYLISTIC products can be found here:
List of affected systems
An overview of the affected ESPRIMO/CELCIUS/FUTRO products can be found here:
List of affected systems
An overview of the affected PRIMERGY/PRIMEQUEST products can be found here:
List of affected systems
Fujitsu BS2000 Products
BS2000 Mainframes using /390 processors are not affected by this security issue.
Some of the BS2000 Mainframes use Intel processors. However, they are neither affected, as they run only system software provided by Fujitsu. The system software transforms user-created BS2000 applications into x86 programs. As a result, users cannot run their own x86 code to exploit the flaws. BS2000 systems are therefore safe and secure even without additional security patches.
For some optional BS2000 server components, such as Application Units, customers use other operating systems or hypervisors than BS2000 or VM2000. These customers should promptly deploy the patches provided by the respective manufacturer.
Fujitsu continues to monitor potential security issues for BS2000 products.
Fujitsu Storage Products
ETERNUS CS (CS200c, CS800, CS8000) appliances also use Intel processors. However, they are not affected by this security issue since they are self-contained data protection appliances. Only ETERNUS CS specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted. ETERNUS DX and AF series products are not affected by this vulnerability because no external program can be executed on them.
None of the ETERNUS LT (20, 40, 60, 260) libraries are affected by the Spectre & Meltdown processor bugs. Processors used in ETERNUS LT products are ARM Core based, but none are affected.
The processors used in Brocade SAN switch products are affected, however Brocade SAN products will only load and run officially signed Fabric OS firmware. Since only an officially signed and validated Fabric OS code image is allowed to run on a Brocade SAN hardware, the SAN switch products are not exploitable with respect to this specific set of vulnerabilities.
The ETERNUS CD10000 appliance also use Intel processors. However, they are not affected by this security issue since they are self-contained data protection appliances. Only ETERNUS CD10000 specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted.
Fujitsu Retail Products
Fujitsu Retail team is working closely with our technology partners, including Intel and Microsoft, to address these vulnerabilities as quickly as possible. Retail team will provide updates for affected systems as they become available. We advise all customers to update affected systems. Updates are provided through an updated version of BIOS and necessary patches for the Operating Systems.
|TP8 Series||BIOS R21 Update|
|Team PoS 7000S||V184.108.40.206 R1.44.0|
|TPX II 500 Series||X065|
|TeamPoS 7000 A||HR08|
|TeamPoS 7000 F||ZR09|
|TeamPoS 3600||Microsoft OS patches, No BIOS updates|
|MiniSCO||See Controller Type above|
|Mini Express||See Controller Type above|
|Genesis II||See Controller Type above|
|Genesis I (with TeamPoS 3600)||Microsoft OS patches, No BIOS updates|
|Impulse||See Controller Type above|
Side-Channel Analysis Method
|CVE 2017- 5715||Spectre, (branch target injection), mitigated by microcode update|
|CVE 2017- 5753||Spectre, (bounds check bypass), mitigated by OS level fix|
|CVE 2017- 5754||Meltdown, (rogue data cache load), mitigated by OS level fix|
Technical details of the exploits are documented online:
Referring to the recommendations made by third-party suppliers, Fujitsu strongly advises all customers to update affected products. Updates are provided through an updated version of the BIOS and the necessary patches for the dedicated operating system. Under some circumstances, enabling these updates may affect performance. The actual performance impact will depend on multiple factors, such as the specific CPU generation in your physical host and the system load (used application).
Fujitsu recommends that customers assess the performance impact for their system environment and make necessary adjustments.
The security of our products and our customers’ data is number one priority for Fujitsu. We are continuing to work with our partners in the industry to minimize any potential performance impact.
Fujitsu highly recommends customers to ensure that systems are physically secured where possible, and follow good security practices to ensure that only authorized personnel have access to devices.
Red Hat has released several advisories/updates for Red Hat products.
Please find further information on the Red Hat security page:
Citrix has released a security bulletin for XenServer.
Please find further information on the Citrix security page:
Information for further Citrix products can be found here:
VMware has released a security advisory for ESXi and other products.
Please find further information on the VMware security page:
All details of this communication have been prepared with care, based on the information available to Fujitsu at the time of publication. Fujitsu recommends that customers determine the applicability of this communication to their individual situations and take appropriate measures. However, Fujitsu does not warrant that this communication is accurate or complete for all customer situations. Fujitsu will not be responsible for any damages or other negative effects resulting from customer's use of this communication. All details of this communication are provided “as is” without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu assumes no liability with respect to the information and materials provided on such websites.
Designations may be trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.