ltwagnon
Legacy Employee

The "Spectre" and "Meltdown" vulnerabilities affect almost every computer in the world. One of the very interesting things about each of these vulnerabilities is that they target the hardware (processor) of the computer rather than the software. Intel is the leading computer processor manufacturer in the world, and most Intel processors are vulnerable to both Spectre and Meltdown. Other manufacturers' computer processors are vulnerable as well. These vulnerabilities can allow an attacker to view the entire contents of the memory on a victim's computer. Because so much sensitive data is stored in memory (passwords, personal information, etc.), these attacks can be devastating. Watch the video below to learn more about Spectre and Meltdown and how they work.


 

March 21, 2018 UPDATE

F5 has released BIG-IP v12.1.3.3 and v13.1.0.4. These versions include fixes for the SPECTRE variant 1 (CVE-2017-5753) and MELTDOWN (CVE-2017-5754) vulnerabilities. 

The official documentation of these vulnerabilities and details on fixed versions is available from https://support.f5.com/csp/article/K91229003.


Comments
Fulmetal
Nimbostratus

Simply and clearly explained... Thanks very much John! Impact on cloud environments can be very sad! Isn't it! And even on mobile phones where we could have some leak of my bank apps from my funny and unprotected bullets game (that I use on the metro to have fun...)

 


 

zack
Altostratus

Thanks for the great and in time update!!!

 

John, a quick question, just curious about whether ASM can have any signature released to help detect/block Spectre and Meltdown?

 

ltwagnon
Legacy Employee

Hi zack. Great question! Because the Spectre and Meltdown vulnerabilities are targeted at the hardware (processor) of a computer, I don't think any ASM signatures will be effective for these. The ASM signatures will catch Layer 7 network requests and block malicious content from a client accessing a web application. The Spectre and Meltdown vulnerabilities happen outside the realm of the traditional network layers. That said, there are some browser JavaScript issues related to these vulnerabilities, and one of F5's security experts (Nir Zigler) just posted a good article about how ASM can help mitigate some of those issues. Here's the article: https://devcentral.f5.com/s/articles/meltdown-and-spectre-web-application-risk-management-29356

 

If you are concerned about these vulnerabilities on the BIG-IP hardware platform, you can reference K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754

 

Hope this helps!

 

Hi John

 

Does BIG-IP 12.1.3.3 also fix Spectre variant 2 or just Spectre variant 1 and Meltdown?

 

 

Thank you

 

ltwagnon
Legacy Employee

F5_Digger, great question! As you noted, Spectre variant 1 and Meltdown are addressed in the 12.1.3.3 update. I believe Spectre variant 2 requires an update from chip providers, so we will continue to follow this one closely and provide updates on the KB article listed above. Thanks!

 

Version history
Last update: 19-Mar-2018 19:05