IBM has outlined a month-long plan to fix datacenter equipment running on its Power CPUs, which the company has now confirmed are vulnerable to the Meltdown and Spectre CPU attacks.
The company today released firmware updates for the Power7+ and Power8 CPUs, with Power9 fixes coming on January 15.
Until now, IBM hadn’t fully confirmed its Power systems are affected by the two CPU attacks, though RedHat said in its January 3 advisory that exploits existed for IBM System Z, Power8, and Power9 systems.
IBM subsequently said it would release patches for its “potentially impacted” Power processors and noted that its storage appliances are not vulnerable. It didn’t confirm that its System Z mainframe systems are vulnerable but did suggest customers check the System Z portal.
“This vulnerability doesn’t allow an external unauthorized party to gain access to a machine, but it could allow a party that has access to the system to access unauthorized data,” IBM said in the new update on its product security incident response team blog.
However, the firmware updates being released today and later this month only partially address Meltdown and Spectre attacks on IBM Power Systems. As with Microsoft’s combined Windows and firmware updates for its Surface devices, IBM’s Power Systems hardware need both patches to fully protect systems.
The AIX and IBM i operating system updates are scheduled for release on February 12.
This timeline gives customers with Power Systems a little over a month to install the firmware updates, which need to be done first anyway to install the operating-system patches.
“Complete mitigation of this vulnerability for Power Systems clients involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective,” says IBM.
The company plans to offer customers more information about patches for Power CPUs prior to Power7+ so long as they’re still supported.
Today’s firmware updates should also mean that customers with Power Systems running Linux distributions can now fully protect themselves.
RedHat, SUSE and Canonical have all released their updates over the past week following Google’s disclosure of the two speculative execution side-channel attacks.
Previous and related coverage
Most Intel processors and some ARM chips are confirmed to be vulnerable, putting billions of devices at risk of attacks. One of the security researchers said the bugs are “going to haunt us for years.”