Description:
Summary: The remote host is missing an update for the Debian 'amd64-microcode' package(s) announced via the DSA-5459-1 advisory.
Vulnerability Insight: Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in Zen 2 CPUs may not be written to 0 correctly. This flaw allows an attacker to leak register contents across concurrent processes, hyper threads and virtualized guests.
For details please refer to [link moved to references] [link moved to references]
The initial microcode release by AMD only provides updates for second generation EPYC CPUs. Various Ryzen CPUs are also affected, but no updates are available yet. Fixes will be provided in a later update once they are released.
For more specific details and target dates please refer to the AMD advisory at [link moved to references]
For the oldstable distribution (bullseye), this problem has been fixed in version 3.20230719.1~deb11u1. Additionally the update contains a fix for CVE-2019-9836.
For the stable distribution (bookworm), this problem has been fixed in version 3.20230719.1~deb12u1.
We recommend that you upgrade your amd64-microcode packages.
For the detailed security status of amd64-microcode please refer to its security tracker page at: [link moved to references]
Affected Software/OS: 'amd64-microcode' package(s) on Debian 11, Debian 12.
Solution: Please install the updated package(s).
CVSS Score: 4.6
CVSS Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N