Meltdown-Spectre: IBM preps firmware and OS fixes for vulnerable Power CPUs

IBM confirms its Power CPUs for datacenter kit are vulnerable to the Meltdown and Spectre CPU attacks.
Written by Liam Tung, Contributing Writer

Video: Why microprocessor systems' architecture needs to go open source

IBM has outlined a month-long plan to fix datacenter equipment running on its Power CPUs, which the company has now confirmed are vulnerable to the Meltdown and Spectre CPU attacks.

The company today released firmware updates for the Power7+ and Power8 CPUs, with Power9 fixes coming on January 15.

Until now, IBM hadn't fully confirmed its Power systems are affected by the two CPU attacks, though Red Hat said in its January 3 advisory that exploits existed for IBM System Z, Power8, and Power9 systems.

IBM subsequently said it would release patches for its "potentially impacted" Power processors and noted that its storage appliances are not vulnerable. It didn't confirm that its System Z mainframe systems are vulnerable but did suggest customers check the System Z portal.

"This vulnerability doesn't allow an external unauthorized party to gain access to a machine, but it could allow a party that has access to the system to access unauthorized data," IBM said in the new update on its product security incident response team blog.

However, the firmware updates being released today and later this month only partially address Meltdown and Spectre attacks on IBM Power Systems. As with Microsoft's combined Windows and firmware updates for its Surface devices, IBM's Power Systems hardware need both patches to fully protect systems.

The AIX and IBM i operating system updates are scheduled for release on February 12.


IBM's Power Systems hardware needs operating system and firmware patches to be fully protected.

Image: Jack Plunkett/Feature Photo Service/IBM

This timeline gives customers with Power Systems a little over a month to install the firmware updates, which need to be done first anyway to install the operating system patches.

Download now: Securing Linux policy (free PDF)

"Complete mitigation of this vulnerability for Power Systems clients involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective," says IBM.

The company plans to offer customers more information about patches for Power CPUs prior to Power7+ so long as they're still supported.

Today's firmware updates should also mean that customers with Power Systems running Linux distributions can now fully protect themselves.

Red Hat, SUSE and Canonical have all released their updates over the past week following Google's disclosure of the two speculative execution side-channel attacks.

Previous and related coverage

The Linux vs Meltdown and Spectre battle continues (ZDNet)Fixing Meltdown and Spectre will take Linux -- and all other operating systems -- programmers a long, long time. Here's where the Linux developers are now.

Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus (ZDNet)Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows.

How the Meltdown and Spectre security holes fixes will affect you(ZDNet)Get ready to patch every piece of computing gear in your home and company to deal with this CPU nightmare.

How the Meltdown and Spectre chip flaws will impact cloud computing(TechRepublic)Mitigations for two critical architectural flaws in CPUs can cause performance degradation, but real-world impact is lower than synthetic benchmarks.

Massive Intel CPU flaw: Understanding the technical details of Meltdown and Spectre (TechRepublic)Two critical architectural flaws in CPUs allow user processes to read kernel memory, affecting Intel, AMD, and ARM processors. Here's what you need to know.

Editorial standards