[Bug 1977701] Re: Update to latest upstream release 20220510 / IPU 2022.1 to fix multiple security vulnerabilities
Alex Murray
1977701 at bugs.launchpad.net
Wed Jun 15 01:19:23 UTC 2022
I have tested these via testflinger and verified that the various
machines which I have access to in the Canonical hardware certification
lab boot correctly with the updates installed.
** Description changed:
- Intel released version 20220510 / IPU 2022.1 earlier in May to address
- multiple vulnerabilities, including:
+ [Impact]
+
+ * Users are vulnerable to multiple security issues, including MMIO
+ stale data
+ (https://www.intel.com/content/www/us/en/developer/articles/technical/software-
+ security-guidance/advisory-guidance/processor-mmio-stale-data-
+ vulnerabilities.html) (https://www.intel.com/content/www/us/en/security-
+ center/advisory/intel-sa-00615.html)
+
+ * Normally the security team would release updates direct to the
+ -security pocket but since the associated kernels are being published
+ via -updates *and* to allow phased updates to be used, it is preferred
+ to publish these via -updates first, then they can be synced to
+ -security once fully phased.
+
+ [Test Plan]
+
+ * install the updated intel-microcode packages and reboot the system
+
+ [Where problems could occur]
+
+ * Historically there have been issues where intel-microcode updates
+ resulted in machines that fail to boot. This has usually been the case
+ when a machine is using an old BIOS and the microcode which is loaded in
+ early boot is much newer. Intel have increased their own internal
+ testing to try and ensure this is detected before releasing to
+ production.
+
+ Also these updates have now been in -proposed for over a week without
+ any mention of issues *plus* they have been tested extensively via
+ testflinger on the Canonical certification lab's suite of machines too.
+
+ Finally, in this unlikely case, users can boot via the '(recovery mode)'
+ menu entries in grub which disables early microcode loading from the
+ initrd to workaround this and then rollback the microcode update
+ directly.
+
+ [Other Info]
+
+ Intel released version 20220510 / IPU 2022.1 earlier in May to address multiple vulnerabilities, including:
- CVE-2022-21151, INTEL-SA-00617
- CVE-2021-0146, INTEL-SA-00528
- CVE-2021-0127, INTEL-SA-00532
This version is already packaged in Ubuntu 22.10 (kinetic).
- Whilst this is a security update, to allow for increased testing before
- being more widely deployed the Ubuntu Security team are wishing to
- publish this first via -proposed and then to -security at which point it
- will also then be published to -updates as per the usual
- security->updates sync.
+ Earlier today Intel disclosed another set of vulnerabilities (MMIO stale
+ data) which are also fixed by these updates.
+
+
+ Whilst this is a security update, to allow for increased testing before being more widely deployed the Ubuntu Security team are wishing to publish this first via -proposed and then to -updates so they can be phased along with the associated kernel updates for MMIO stale data as well.
** Tags removed: block-proposed-bionic block-proposed-focal block-
proposed-impish block-proposed-jammy
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to intel-microcode in Ubuntu.
https://bugs.launchpad.net/bugs/1977701
Title:
Update to latest upstream release 20220510 / IPU 2022.1 to fix
multiple security vulnerabilities
Status in intel-microcode package in Ubuntu:
New
Status in intel-microcode source package in Bionic:
Fix Committed
Status in intel-microcode source package in Focal:
Fix Committed
Status in intel-microcode source package in Impish:
Fix Committed
Status in intel-microcode source package in Jammy:
Fix Committed
Bug description:
[Impact]
* Users are vulnerable to multiple security issues, including MMIO
stale data
(https://www.intel.com/content/www/us/en/developer/articles/technical/software-
security-guidance/advisory-guidance/processor-mmio-stale-data-
vulnerabilities.html)
(https://www.intel.com/content/www/us/en/security-
center/advisory/intel-sa-00615.html)
* Normally the security team would release updates direct to the
-security pocket but since the associated kernels are being published
via -updates *and* to allow phased updates to be used, it is preferred
to publish these via -updates first, then they can be synced to
-security once fully phased.
[Test Plan]
* install the updated intel-microcode packages and reboot the system
[Where problems could occur]
* Historically there have been issues where intel-microcode updates
resulted in machines that fail to boot. This has usually been the case
when a machine is using an old BIOS and the microcode which is loaded
in early boot is much newer. Intel have increased their own internal
testing to try and ensure this is detected before releasing to
production.
Also these updates have now been in -proposed for over a week without
any mention of issues *plus* they have been tested extensively via
testflinger on the Canonical certification lab's suite of machines
too.
Finally, in this unlikely case, users can boot via the '(recovery
mode)' menu entries in grub which disables early microcode loading
from the initrd to workaround this and then rollback the microcode
update directly.
[Other Info]
Intel released version 20220510 / IPU 2022.1 earlier in May to address multiple vulnerabilities, including:
- CVE-2022-21151, INTEL-SA-00617
- CVE-2021-0146, INTEL-SA-00528
- CVE-2021-0127, INTEL-SA-00532
This version is already packaged in Ubuntu 22.10 (kinetic).
Earlier today Intel disclosed another set of vulnerabilities (MMIO
stale data) which are also fixed by these updates.
Whilst this is a security update, to allow for increased testing before being more widely deployed the Ubuntu Security team are wishing to publish this first via -proposed and then to -updates so they can be phased along with the associated kernel updates for MMIO stale data as well.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1977701/+subscriptions
More information about the foundations-bugs
mailing list