MGASA-2023-0249 - Updated microcode packages fix security vulnerabilities

Publication date: 23 Aug 2023
URL: https://advisories.mageia.org/MGASA-2023-0249.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-40982,
     CVE-2022-41804,
     CVE-2023-20569,
     CVE-2023-23908

This update adds initial microcode updates for AMD and Intel CPUs for the
following security issues:


AMD:
A side channel vulnerability in some of the AMD CPUs may allow an attacker
to influence the return address prediction. This may result in speculative
execution at an attacker-controlled instruction pointer register,
potentially leading to information disclosure (CVE-2023-20569).


Intel:
Information exposure through microarchitectural state after transient
execution in certain vector execution units for some Intel(R) Processors
may allow an authenticated user to potentially enable information disclosure
via local access (CVE-2022-40982, INTEL-SA-00828).

Unauthorized error injection in Intel(R) SGX or Intel(R) TDX for some 
Intel(R) Xeon(R) Processors may allow a privileged user to potentially
enable escalation of privilege via local access (CVE-2022-41804,
INTEL-SA-00837).

Improper access control in some 3rd Generation Intel(R) Xeon(R) Scalable
processors may allow a privileged user to potentially enable information
disclosure via local access (CVE-2023-23908, INTEL-SA-00836).

References:
- https://bugs.mageia.org/show_bug.cgi?id=32167
- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00836.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00837.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41804
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23908

SRPMS:
- 8/nonfree/microcode-0.20230808-2.mga8.nonfree

Mageia 2023-0249: microcode security update

This update adds initial microcode updates for AMD and Intel CPUs for the following security issues: AMD:

Summary

This update adds initial microcode updates for AMD and Intel CPUs for the following security issues:

AMD: A side channel vulnerability in some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure (CVE-2023-20569).

Intel: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access (CVE-2022-40982, INTEL-SA-00828).
Unauthorized error injection in Intel(R) SGX or Intel(R) TDX for some Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access (CVE-2022-41804, INTEL-SA-00837).
Improper access control in some 3rd Generation Intel(R) Xeon(R) Scalable processors may allow a privileged user to potentially enable information disclosure via local access (CVE-2023-23908, INTEL-SA-00836).

References

- https://bugs.mageia.org/show_bug.cgi?id=32167

- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html

- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230808

- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html

- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00836.html

- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00837.html

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41804

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23908

Resolution

MGASA-2023-0249 - Updated microcode packages fix security vulnerabilities

SRPMS

- 8/nonfree/microcode-0.20230808-2.mga8.nonfree

Severity
Publication date: 23 Aug 2023
URL: https://advisories.mageia.org/MGASA-2023-0249.html
Type: security
CVE: CVE-2022-40982, CVE-2022-41804, CVE-2023-20569, CVE-2023-23908

Related News