Side-Channel Analysis Method (Spectre & Meltdown) Security Review

Fujitsu Communication

Original release: 01.26.2018
Latest Update: 03.20.2018

Reference:

Security vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, SA-00088)
Malicious code utilizing a new method of side-channel analysis and running locally on a normally operating platform has the potential to allow the inference of data values from memory. This issue takes advantage of techniques commonly used in many modern processor architectures.

Potential impact:

Elevation of Privilege / Information Disclosure
The exploits do not have the potential to corrupt, modify or delete data.

Affected Fujitsu products:

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

Client Computing Devices
An overview of the affected LIFEBOOK/STYLISTIC products can be found here:
List of affected systems

An overview of the affected ESPRIMO/CELCIUS/FUTRO products can be found here: 
List of affected systems

Servers 
An overview of the affected PRIMERGY/PRIMEQUEST products can be found here:
List of affected systems

Fujitsu BS2000 Products
BS2000 Mainframes using /390 processors are not affected by this security issue.
Some of the BS2000 Mainframes use Intel processors. However, they are not affected either, as they run only system software provided by Fujitsu. The system software transforms user-created BS2000 applications into x86 programs. As a result, users cannot run their own x86 code to exploit the flaws. BS2000 systems are therefore safe and secure even without additional security patches.
For some optional BS2000 server components, such as Application Units, customers use other operating systems or hypervisors than BS2000 or VM2000. These customers should promptly deploy the patches provided by the respective manufacturer.
Fujitsu continues to monitor potential security issues for BS2000 products.

Fujitsu Storage Products
ETERNUS CS (CS200c, CS800, CS8000) appliances also use Intel processors. However, they are not affected by this security issue since they are self-contained data protection appliances. Only ETERNUS CS specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted. ETERNUS DX and AF series products are not affected by this vulnerability because no external program can be executed on them.
None of the ETERNUS LT (20, 40, 60, 260) libraries are affected by the Spectre & Meltdown processor bugs. Processors used in ETERNUS LT products are ARM Core based, but none are affected.
The processors used in Brocade SAN switch products are affected; however, Brocade SAN products will only load and run officially signed Fabric OS firmware. Since only an officially signed and validated Fabric OS code image is allowed to run on Brocade SAN hardware, the SAN switch products are not exploitable with respect to this specific set of vulnerabilities.
The ETERNUS CD10000 appliances also use Intel processors. However, they are not affected by this security issue since they are self-contained data protection appliances. Only ETERNUS CD10000 specific software is used; other software is not executed. The appliances’ safety settings ensure that only accesses required for operation are permitted.

Fujitsu Retail Products
The Fujitsu Retail team is working closely with our technology partners, including Intel and Microsoft, to address these vulnerabilities as quickly as possible. The Retail team will provide updates for affected systems as they become available. We advise all customers to update affected systems. Updates are provided through an updated version of the BIOS and the necessary patches for the operating systems.

| Product | Mitigation Action |
| --- | --- |
| TP8 Series | BIOS R21 Update |
| Team PoS 7000S | V4.6.5.4 R1.44.0 |
| TPX II 500 Series | X065 |
| TeamPoS 7000 A | HR08 |
| TeamPoS 7000 F | ZR09 |
| TeamPoS 3600 | Microsoft OS patches, No BIOS updates |
| MiniSCO | See Controller Type above |
| Mini Express | See Controller Type above |
| Genesis II | See Controller Type above |
| Genesis I (with TeamPoS 3600) | Microsoft OS patches, No BIOS updates |
| Impulse | See Controller Type above |

CVE Reference:

Side-Channel Analysis Method

| CVE Number | Name |
| --- | --- |
| CVE-2017-5715 | Spectre, (branch target injection), mitigated by microcode update |
| CVE-2017-5753 | Spectre, (bounds check bypass), mitigated by OS level fix |
| CVE-2017-5754 | Meltdown, (rogue data cache load), mitigated by OS level fix |

Technical Details:

Technical details of the exploits are documented online:

Mitigation:

Referring to the recommendations made by third-party suppliers, Fujitsu strongly advises all customers to update affected products. Updates are provided through an updated version of the BIOS and the necessary patches for the dedicated operating system. Under some circumstances, enabling these updates may affect performance. The actual performance impact will depend on multiple factors, such as the specific CPU generation in your physical host and the system load (used application).
Fujitsu recommends that customers assess the performance impact for their system environment and make necessary adjustments.

The security of our products and our customers’ data is the number one priority for Fujitsu. We are continuing to work with our partners in the industry to minimize any potential performance impact.

Fujitsu strongly recommends that customers ensure systems are physically secured where possible, and follow good security practices so that only authorized personnel have access to devices.

Recommended steps:

  1. It is necessary to update the BIOS
  2. Consult the list of affected Fujitsu systems for the timing of BIOS availability.
  3. To download the respective updates for your system, please go to the Fujitsu Support page and perform the following steps:
    • Select Product
    • Select Series
    • Select Model
    • Press Go
    • Download and install the latest BIOS update package

Selected links for operating system patches:

Microsoft Windows
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002

Microsoft Server
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Red Hat
Red Hat has released several advisories/updates for Red Hat products.
Please find further information on the Red Hat security page:
https://access.redhat.com/security/vulnerabilities/speculativeexecution

Citrix XenServer
Citrix has released a security bulletin for XenServer.
Please find further information on the Citrix security page:
https://support.citrix.com/article/CTX231390

Information for further Citrix products can be found here:
https://support.citrix.com/article/CTX231399

VMware
VMware has released a security advisory for ESXi and other products.
Please find further information on the VMware security page:
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

SUSE
https://www.suse.com/security/cve/CVE-2017-5753/
https://www.suse.com/security/cve/CVE-2017-5715/
https://www.suse.com/security/cve/CVE-2017-5754/

myelux
http://www.unicon-software.com/en/home-en/protect-measures/

ORACLE Linux
https://linux.oracle.com/cve/CVE-2017-5715.html
https://linux.oracle.com/cve/CVE-2017-5753.html
https://linux.oracle.com/cve/CVE-2017-5754.html
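
For the Linux distributions linked above, one way to confirm after the BIOS and OS updates that the kernel reports each of the three CVEs as mitigated. This is an added example, not part of the Fujitsu communication; the function names and the `--live` switch are illustrative, and it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities`.

```shell
#!/bin/sh
# Added example: report Spectre/Meltdown mitigation status from Linux sysfs.
# The directory below exists on kernels that carry the fixes (mainline 4.15+
# and distribution backports); on older kernels the files are absent.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_cve <cve-id> <sysfs-file> [dir]
# Prints "<cve-id> <STATE> <kernel status line>".
# Returns 0 = not affected or mitigated, 1 = vulnerable, 2 = no status file.
check_cve() {
    cve=$1
    file=${3:-$VULN_DIR_DEFAULT}/$2
    if [ ! -r "$file" ]; then
        echo "$cve UNKNOWN no status file (kernel may predate the fixes)"
        return 2
    fi
    status=$(cat "$file")
    case $status in
        "Not affected"*) echo "$cve OK $status"; return 0 ;;
        "Mitigation:"*)  echo "$cve OK $status"; return 0 ;;
        *)               echo "$cve VULNERABLE $status"; return 1 ;;
    esac
}

# check_all [dir]
# Walks the three CVEs named in the advisory and returns how many of them
# are not confirmed as mitigated (0 means all three are covered).
# Note: a spectre_v2 "Mitigation:" line can be a software-only fix, so it
# does not by itself prove that the BIOS/microcode update is installed.
check_all() {
    dir=${1:-$VULN_DIR_DEFAULT}
    bad=0
    check_cve CVE-2017-5753 spectre_v1 "$dir" || bad=$((bad + 1))
    check_cve CVE-2017-5715 spectre_v2 "$dir" || bad=$((bad + 1))
    check_cve CVE-2017-5754 meltdown   "$dir" || bad=$((bad + 1))
    return "$bad"
}

# Query the running system only when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_all
    exit $?
fi
```

A non-zero exit status from `--live` is the count of CVEs still reported as vulnerable or unknown, which makes the script usable as a post-patch check in fleet tooling.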

Note:

All details of this communication have been prepared with care, based on the information available to Fujitsu at the time of publication. Fujitsu recommends that customers determine the applicability of this communication to their individual situations and take appropriate measures. However, Fujitsu does not warrant that this communication is accurate or complete for all customer situations. Fujitsu will not be responsible for any damages or other negative effects resulting from customer's use of this communication. All details of this communication are provided “as is” without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu assumes no liability with respect to the information and materials provided on such websites.
Designations may be trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.