CVE-2022-23960

First published: Tue Mar 08 2022(Updated: )

Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/kernel	<0:4.18.0-425.3.1.el8	0:4.18.0-425.3.1.el8
Xen Xen
Arm Cortex-a57
Arm Cortex-a65
Google Android
Google Android
Arm Cortex-a72
Arm Cortex-a73
Arm Cortex-a75
Arm Cortex-a76
Google Android
Arm Cortex-a77
Arm Cortex-a78
Arm Cortex-a78ae
Arm Cortex-r7
Arm Cortex-r8
Arm Cortex-x1
Google Android
Arm Neoverse-e1
Google Android
Arm Neoverse N1
Arm Neoverse N2
Arm Cortex-r7 Firmware
Arm Cortex-r8 Firmware
Arm Cortex-a57 Firmware
Google Android
Arm Cortex-a65ae Firmware
Arm Cortex-a710 Firmware
Arm Cortex-a72 Firmware
Arm Cortex-a73 Firmware
Arm Cortex-a75 Firmware
Arm Cortex-a76 Firmware
Google Android
Arm Cortex-a77 Firmware
Arm Cortex-a78 Firmware
Arm Cortex-a78ae Firmware
Arm Cortex-x1 Firmware
Google Android
Google Android
Google Android
Arm Neoverse N1 Firmware
Arm Neoverse N2 Firmware
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
All of
Xen Xen
Any of
Arm Cortex-a57
Arm Cortex-a65
Google Android
Google Android
Arm Cortex-a72
Arm Cortex-a73
Arm Cortex-a75
Arm Cortex-a76
Google Android
Arm Cortex-a77
Arm Cortex-a78
Arm Cortex-a78ae
Arm Cortex-r7
Arm Cortex-r8
Arm Cortex-x1
Google Android
Arm Neoverse-e1
Google Android
Arm Neoverse N1
Arm Neoverse N2
All of
Arm Cortex-r7 Firmware
Arm Cortex-r7
All of
Arm Cortex-r8 Firmware
Arm Cortex-r8
All of
Arm Cortex-a57 Firmware
Arm Cortex-a57
All of
Google Android
Arm Cortex-a65
All of
Arm Cortex-a65ae Firmware
Google Android
All of
Arm Cortex-a710 Firmware
Google Android
All of
Arm Cortex-a72 Firmware
Arm Cortex-a72
All of
Arm Cortex-a73 Firmware
Arm Cortex-a73
All of
Arm Cortex-a75 Firmware
Arm Cortex-a75
All of
Arm Cortex-a76 Firmware
Arm Cortex-a76
All of
Google Android
Google Android
All of
Arm Cortex-a77 Firmware
Arm Cortex-a77
All of
Arm Cortex-a78 Firmware
Arm Cortex-a78
All of
Arm Cortex-a78ae Firmware
Arm Cortex-a78ae
All of
Arm Cortex-x1 Firmware
Arm Cortex-x1
All of
Google Android
Google Android
All of
Google Android
Arm Neoverse-e1
All of
Google Android
Google Android
All of
Arm Neoverse N1 Firmware
Arm Neoverse N1
All of
Arm Neoverse N2 Firmware
Arm Neoverse N2
Google Android
ubuntu/linux	<4.15.0-184.194	4.15.0-184.194
ubuntu/linux	<5.4.0-117.132	5.4.0-117.132
ubuntu/linux	<5.13.0-35.40	5.13.0-35.40
ubuntu/linux	<5.17~	5.17~
ubuntu/linux-aws	<4.15.0-1133.143	4.15.0-1133.143
ubuntu/linux-aws	<5.4.0-1078.84	5.4.0-1078.84
ubuntu/linux-aws	<5.13.0-1017.19	5.13.0-1017.19
ubuntu/linux-aws	<5.17~	5.17~
ubuntu/linux-aws-5.0	<5.17~	5.17~
ubuntu/linux-aws-5.11	<5.17~	5.17~
ubuntu/linux-aws-5.13	<5.13.0-1017.19~20.04.1	5.13.0-1017.19~20.04.1
ubuntu/linux-aws-5.13	<5.17~	5.17~
ubuntu/linux-aws-5.15	<5.17~	5.17~
ubuntu/linux-aws-5.3	<5.17~	5.17~
ubuntu/linux-aws-5.4	<5.4.0-1078.84~18.04.1	5.4.0-1078.84~18.04.1
ubuntu/linux-aws-5.4	<5.17~	5.17~
ubuntu/linux-aws-5.8	<5.17~	5.17~
ubuntu/linux-aws-hwe	<5.17~	5.17~
ubuntu/linux-aws-hwe	<4.15.0-1133.143~16.04.1	4.15.0-1133.143~16.04.1
ubuntu/linux-azure	<5.4.0-1083.87	5.4.0-1083.87
ubuntu/linux-azure	<5.13.0-1017.19	5.13.0-1017.19
ubuntu/linux-azure	<4.15.0-1142.156~14.04.1	4.15.0-1142.156~14.04.1
ubuntu/linux-azure	<5.17~	5.17~
ubuntu/linux-azure	<4.15.0-1142.156~16.04.1	4.15.0-1142.156~16.04.1
ubuntu/linux-azure-4.15	<4.15.0-1142.156	4.15.0-1142.156
ubuntu/linux-azure-4.15	<5.17~	5.17~
ubuntu/linux-azure-5.11	<5.17~	5.17~
ubuntu/linux-azure-5.13	<5.13.0-1017.19~20.04.1	5.13.0-1017.19~20.04.1
ubuntu/linux-azure-5.13	<5.17~	5.17~
ubuntu/linux-azure-5.15	<5.17~	5.17~
ubuntu/linux-azure-5.3	<5.17~	5.17~
ubuntu/linux-azure-5.4	<5.4.0-1083.87~18.04.1	5.4.0-1083.87~18.04.1
ubuntu/linux-azure-5.4	<5.17~	5.17~
ubuntu/linux-azure-edge	<5.17~	5.17~
ubuntu/linux-azure-fde	<5.4.0-1083.87	5.4.0-1083.87
ubuntu/linux-azure-fde	<5.15.0-1002.3	5.15.0-1002.3
ubuntu/linux-azure-fde	<5.17~	5.17~
ubuntu/linux-azure-fde-5.15	<5.17~	5.17~
ubuntu/linux-bluefield	<5.4.0-1040.44	5.4.0-1040.44
ubuntu/linux-bluefield	<5.17~	5.17~
ubuntu/linux-dell300x	<4.15.0-1047.52	4.15.0-1047.52
ubuntu/linux-dell300x	<5.17~	5.17~
ubuntu/linux-fips	<5.17~	5.17~
ubuntu/linux-gcp-5.15	<5.17~	5.17~
ubuntu/linux-gke-5.15	<5.17~	5.17~
ubuntu/linux-hwe	<5.17~	5.17~
ubuntu/linux-hwe	<4.15.0-184.194~16.04.1	4.15.0-184.194~16.04.1
ubuntu/linux-hwe-5.11	<5.17~	5.17~
ubuntu/linux-hwe-5.13	<5.13.0-35.40~20.04.1	5.13.0-35.40~20.04.1
ubuntu/linux-hwe-5.13	<5.17~	5.17~
ubuntu/linux-hwe-5.15	<5.17~	5.17~
ubuntu/linux-hwe-5.4	<5.4.0-117.132~18.04.1	5.4.0-117.132~18.04.1
ubuntu/linux-hwe-5.4	<5.17~	5.17~
ubuntu/linux-hwe-5.8	<5.17~	5.17~
ubuntu/linux-hwe-edge	<5.17~	5.17~
ubuntu/linux-ibm	<5.4.0-1026.29	5.4.0-1026.29
ubuntu/linux-ibm	<5.17~	5.17~
ubuntu/linux-ibm-5.4	<5.4.0-1028.32~18.04.1	5.4.0-1028.32~18.04.1
ubuntu/linux-ibm-5.4	<5.17~	5.17~
ubuntu/linux-intel-5.13	<5.13.0-1010.10	5.13.0-1010.10
ubuntu/linux-intel-5.13	<5.17~	5.17~
ubuntu/linux-intel-iotg	<5.17~	5.17~
ubuntu/linux-intel-iotg-5.15	<5.15.0-1008.11~20.04.1	5.15.0-1008.11~20.04.1
ubuntu/linux-intel-iotg-5.15	<5.17~	5.17~
ubuntu/linux-kvm	<4.15.0-1119.123	4.15.0-1119.123
ubuntu/linux-kvm	<5.4.0-1068.72	5.4.0-1068.72
ubuntu/linux-kvm	<5.13.0-1016.17	5.13.0-1016.17
ubuntu/linux-kvm	<5.17~	5.17~
ubuntu/linux-lowlatency	<5.17~	5.17~
ubuntu/linux-lowlatency-hwe-5.15	<5.17~	5.17~
ubuntu/linux-lts-xenial	<5.17~	5.17~
ubuntu/linux-oem	<5.17~	5.17~
ubuntu/linux-oem-5.10	<5.17~	5.17~
ubuntu/linux-oem-5.13	<5.17~	5.17~
ubuntu/linux-oem-5.14	<5.14.0-1033.36	5.14.0-1033.36
ubuntu/linux-oem-5.17	<5.17~	5.17~
ubuntu/linux-oem-5.6	<5.17~	5.17~
ubuntu/linux-oem-6.0	<5.17~	5.17~
ubuntu/linux-oem-6.1	<5.17~	5.17~
ubuntu/linux-oem-osp1	<5.17~	5.17~
ubuntu/linux-oracle	<4.15.0-1098.108	4.15.0-1098.108
ubuntu/linux-oracle	<5.4.0-1076.83	5.4.0-1076.83
ubuntu/linux-oracle	<5.13.0-1021.26	5.13.0-1021.26
ubuntu/linux-oracle	<5.17~	5.17~
ubuntu/linux-oracle	<4.15.0-1098.108~16.04.1	4.15.0-1098.108~16.04.1
ubuntu/linux-oracle-5.0	<5.17~	5.17~
ubuntu/linux-oracle-5.11	<5.17~	5.17~
ubuntu/linux-oracle-5.13	<5.13.0-1021.26~20.04.1	5.13.0-1021.26~20.04.1
ubuntu/linux-oracle-5.13	<5.17~	5.17~
ubuntu/linux-oracle-5.15	<5.17~	5.17~
ubuntu/linux-oracle-5.3	<5.17~	5.17~
ubuntu/linux-oracle-5.4	<5.4.0-1076.83~18.04.1	5.4.0-1076.83~18.04.1
ubuntu/linux-raspi	<5.4.0-1065.75	5.4.0-1065.75
ubuntu/linux-raspi	<5.13.0-1020.22	5.13.0-1020.22
ubuntu/linux-raspi	<5.17~	5.17~
ubuntu/linux-raspi-5.4	<5.4.0-1065.75~18.04.1	5.4.0-1065.75~18.04.1
ubuntu/linux-raspi-5.4	<5.17~	5.17~
ubuntu/linux-raspi2	<4.15.0-1114.122	4.15.0-1114.122
ubuntu/linux-raspi2	<5.17~	5.17~
ubuntu/linux-raspi2-5.3	<5.17~	5.17~
ubuntu/linux-riscv	<5.17~	5.17~
ubuntu/linux-riscv-5.11	<5.17~	5.17~
ubuntu/linux-riscv-5.8	<5.17~	5.17~
ubuntu/linux-snapdragon	<4.15.0-1132.142	4.15.0-1132.142
ubuntu/linux-snapdragon	<5.17~	5.17~
debian/linux		4.19.249-2 4.19.304-1 5.10.209-2 5.10.205-2 6.1.76-1 6.1.85-1 6.6.15-2 6.7.12-1

Remedy

http://www.openwall.com/lists/oss-security/2022/03/18/2

Remedy

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Remedy

Disabling unprivileged eBPF effectively mitigates the known attack vectors for exploiting intra-mode branch injections attacks. The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. For the Red Hat Enterprise Linux 7, the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command: # cat /proc/sys/kernel/unprivileged_bpf_disabled The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.

Remedy

To mitigate the primary known attack vector, disable unprivileged eBPF: $ sudo sysctl kernel.unprivileged_bpf_disabled=1 or $ sudo sysctl kernel.unprivileged_bpf_disabled=2

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/redhat-cve
collector/nvd-index
agent/type
collector/launchpad-cve
source/Launchpad
agent/author
agent/first-publish-date
agent/remedy
agent/severity
agent/description
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
agent/event
agent/last-modified-date
agent/references
agent/softwarecombine
agent/tags
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-23960
collector/android-source
source/Android
collector/usn-cve
source/Ubuntu
collector/security-tracker-debian
source/Debian
package-manager/redhat
vendor/xen
canonical/xen xen
vendor/arm
canonical/arm cortex-a57
canonical/arm cortex-a65
canonical/google android
canonical/arm cortex-a72
canonical/arm cortex-a73
canonical/arm cortex-a75
canonical/arm cortex-a76
canonical/arm cortex-a77
canonical/arm cortex-a78
canonical/arm cortex-a78ae
canonical/arm cortex-r7
canonical/arm cortex-r8
canonical/arm cortex-x1
canonical/arm neoverse-e1
canonical/arm neoverse n1
canonical/arm neoverse n2
canonical/arm cortex-r7 firmware
canonical/arm cortex-r8 firmware
canonical/arm cortex-a57 firmware
canonical/arm cortex-a65ae firmware
canonical/arm cortex-a710 firmware
canonical/arm cortex-a72 firmware
canonical/arm cortex-a73 firmware
canonical/arm cortex-a75 firmware
canonical/arm cortex-a76 firmware
canonical/arm cortex-a77 firmware
canonical/arm cortex-a78 firmware
canonical/arm cortex-a78ae firmware
canonical/arm cortex-x1 firmware
canonical/arm neoverse n1 firmware
canonical/arm neoverse n2 firmware
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/10.0
vendor/google
package-manager/ubuntu
package-manager/debian

CVE-2022-23960

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact