CVSS2

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:L/AC:M/Au:N/C:C/I:N/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Percentile: 13.3%

Systems with microprocessors utilizing speculative execution and address
translations may allow unauthorized disclosure of information residing in
the L1 data cache to an attacker with local user access with guest OS
privilege via a terminal page fault and a side-channel analysis.
Author | Note |
---|---|
tyhicks | A microcode update will be provided to allow the kernel to flush the L1D cache on VM entry. However, the kernel has a software fallback mechanism in place when microcode updates are not available/installed. The break-fix lines for this CVE are not complete since a large number of patches are required to mitigate this issue. The commit(s) listed are chosen as placeholders for automated CVE triage purposes. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | intel-microcode | < 3.20180807a.0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 14.04 | noarch | intel-microcode | < 3.20180807a.0ubuntu0.14.04.1 | UNKNOWN |
ubuntu | 16.04 | noarch | intel-microcode | < 3.20180807a.0ubuntu0.16.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux | < 4.15.0-32.35 | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < 3.13.0-155.205 | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < 4.4.0-133.159 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < 4.15.0-1019.19 | UNKNOWN |
ubuntu | 14.04 | noarch | linux-aws | < 4.4.0-1027.30 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws | < 4.4.0-1065.75 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure | < 4.15.0-1021.21 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2018-3646
nvd.nist.gov/vuln/detail/CVE-2018-3646
security-tracker.debian.org/tracker/CVE-2018-3646
ubuntu.com/security/notices/USN-3740-1
ubuntu.com/security/notices/USN-3740-2
ubuntu.com/security/notices/USN-3741-1
ubuntu.com/security/notices/USN-3741-2
ubuntu.com/security/notices/USN-3742-1
ubuntu.com/security/notices/USN-3742-2
ubuntu.com/security/notices/USN-3756-1
ubuntu.com/security/notices/USN-3823-1
wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
www.cve.org/CVERecord?id=CVE-2018-3646