The underlying cause for these vulnerabilities is that Virtual Machines (VMs) share a portion of the physical processor (CPU). CVE-2022-21166 - Device Register Partial Write (DRPW).CVE-2022-21127 - Special Register Buffer Data Sampling Update (SRBDS Update).CVE-2022-21125 - Shared Buffer Data Sampling (SBDS).CVE-2022-21123 - Shared Buffer Data Read (SBDR).The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. Under normal circumstances, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities. In shared resource environments (for example in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. The vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities. Intel’s advisory about the same four vulnerabilities came out the same day, which triggers the question, why did it take so long to release the updates? We can only speculate that a lot of time was spent on figuring out how to address these vulnerabilities most effectively. Microsoft issued a security advisory about these vulnerabilities on June 14, 2022. So please read on before you rush to update your system(s). And there are known performance issues related to applying the updates or disabling the Intel Hyper-Threading Technology.
Well, maybe there are good reasons, but the number of users that would have to worry about these vulnerabilities is relatively small.
The normal gut reaction would be to install out of band updates as soon as possible. Microsoft wouldn’t be releasing the updates ahead of the regular cycle without good reason, would it? Microsoft has released out of band updates for information disclosure vulnerabilities in Intel CPUs.
0 kommentar(er)
