Mitigating Zombieload for PAS
Article ID: 297842

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

This article provides instructions for mitigating Zombieload, an attack identified in the following CVEs:

  • CVE-2018-12126 is a flaw that could lead to information disclosure from the processor store buffer.
  • CVE-2018-12127 is a flaw in microprocessor load operations that can provide an attacker with data about CPU registers and operations in the CPU pipeline.
  • CVE-2018-12130 is the most serious of the three issues; it involves the implementation of the microprocessor fill buffers and can expose data within those buffers.
  • CVE-2019-11091 is a flaw in the implementation of the "fill buffer," a mechanism used by modern CPUs when a cache miss occurs on the L1 CPU cache.

The following passage is taken from https://zombieloadattack.com/:

“While programs normally only see their own data, a malicious program [such as Zombieload] can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.”


Environment


Cause

The ZombieLoad attack allows a malicious party to read sensitive data and keys while a computer system performs non-crucial maintenance tasks. Any server, desktop, or laptop running on an Intel CPU made in roughly the last decade is probably vulnerable.

More specifically, Ubuntu 14.04 (Trusty Tahr) is vulnerable to the Zombieload attack; see USN-3977-2: Intel Microcode update (AKA ZombieLoad Attack).

Unrelated to Zombieload, Trusty stemcell lines have been hidden since May 15th, 2019. Pivotal has released a Trusty stemcell on the latest line that addresses the CVEs. More information can be found in this Ubuntu Security Notice (USN) document.

If you are having trouble bumping to Xenial, you must begin securing your Trusty environments until you are able to upgrade to the next major stemcell line. In the meantime, Pivotal will continue to show the 3586.x Trusty line with an Ubuntu fix until June 30, 2019.

As of May 24, Pivotal has released Xenial stemcells that address the CVEs.

Resolution

How do I protect my platform?

Path 1: Upgrade to Xenial Stemcell by Upgrading PCF 2.3

In 2018, Pivotal and its partners began releasing product tiles for PCF that support Ubuntu 16.04 LTS (Xenial) stemcells instead of Trusty Stemcells. Using supported stemcells is necessary to avoid exposure to security vulnerabilities.

Pivotal strongly recommends that you upgrade to PCF 2.3, the first line that supports Xenial. Xenial lines are published on Pivnet: 315.26, 250.48, 97.96, 170.69.

Note: PAS+OM 2.3 was released in September 2018 and will be in general support until July 2019.


Path 2: Upgrade to latest Trusty stemcell line

If you are unable to upgrade to PCF 2.3, you must take the steps necessary to secure your Trusty environments. The Trusty stemcell version that mitigates Zombieload is 3586.125 and is available on Pivotal Network.

Note: Ubuntu 14.04 LTS (Trusty) stemcells reach end-of-support in April 2019. All Trusty stemcell lines below 3586.x have been removed from network.pivotal.io.

Refer to the table below for the latest minor releases for tiles released by Pivotal that support the above stemcells.

Version              Fixed Version

Xenial Stemcells
  97                 97.106
  170                170.76
  250                250.56
  315                315.34

Trusty Stemcells
  3586               3586.125

Pivotal Ops Manager
  2.3                2.3.19
  2.5                2.5.5
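As an added example (not part of this article and not Pivotal tooling), the script below encodes the fixed versions from the table above and classifies deployed stemcell and Ops Manager versions as patched, still vulnerable, or on a line the table does not list (for instance the Trusty lines below 3586.x that have been removed). The function names and the sample inventory are constructed for illustration; the version thresholds are the ones in the table.

```python
"""Audit deployed stemcell and Ops Manager versions against the fixed
versions in the Zombieload article's table. Added example: the table values
are the article's; function names and the sample inventory are constructed."""

# Fixed versions per release line, copied from the article's table.
FIXED_VERSIONS = {
    "xenial": {"97": "97.106", "170": "170.76", "250": "250.56", "315": "315.34"},
    "trusty": {"3586": "3586.125"},
    "opsmanager": {"2.3": "2.3.19", "2.5": "2.5.5"},
}

# Number of leading components that identify a release line
# (stemcells: "3586.125" -> line "3586"; Ops Manager: "2.3.19" -> line "2.3").
LINE_COMPONENTS = {"xenial": 1, "trusty": 1, "opsmanager": 2}


def parse_version(version):
    """Turn "3586.125" into (3586, 125) so comparison is numeric, not lexical
    ("3586.125" > "3586.99" is false as strings but true as versions)."""
    return tuple(int(part) for part in version.strip().split("."))


def release_line(version, family):
    """Return the release line a version belongs to, e.g. "2.5" for "2.5.4"."""
    parts = version.strip().split(".")
    return ".".join(parts[: LINE_COMPONENTS[family]])


def check(version, family):
    """Classify one deployed version.

    Returns (status, fixed_version) where status is one of:
      "patched"          - at or above the fixed version for its line
      "vulnerable"       - on a listed line but below the fixed version
      "unsupported-line" - line absent from the table (for example Trusty
                           lines below 3586.x, which the article says were
                           removed from network.pivotal.io)
    """
    line = release_line(version, family)
    fixed = FIXED_VERSIONS[family].get(line)
    if fixed is None:
        return "unsupported-line", None
    if parse_version(version) >= parse_version(fixed):
        return "patched", fixed
    return "vulnerable", fixed


def audit(inventory):
    """Run check() over (family, version) pairs; returns report rows."""
    return [(family, version) + check(version, family) for family, version in inventory]


# Constructed sample inventory, not data from a real deployment.
SAMPLE_INVENTORY = [
    ("trusty", "3586.125"),
    ("trusty", "3541.50"),
    ("xenial", "250.48"),
    ("xenial", "315.34"),
    ("opsmanager", "2.3.19"),
    ("opsmanager", "2.5.4"),
]

if __name__ == "__main__":
    for family, version, status, fixed in audit(SAMPLE_INVENTORY):
        target = f" (fixed in {fixed})" if fixed else ""
        print(f"{family:<11} {version:<10} {status}{target}")
```

Feed it the versions reported by your own inventory (for example the stemcell versions shown in Ops Manager) in place of the sample list; anything reported as "unsupported-line" has no fixed version in the table and needs a line upgrade rather than a patch release.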

Path 3: General Support Exception Request (EOGS)

For builds older than 3586.x, you must hold an active PCF support license with an End of General Support Exception Request (EOGS); otherwise you are eligible for phone support only.