Update to latest upstream 20220809 to fix CVE-2022-21233

Bug #1984166 reported by King Li
This bug affects 2 people
Affects                   Status        Importance  Assigned to  Milestone
intel-microcode (Ubuntu)  Fix Released  High        Alex Murray
Bionic                    Fix Released  Undecided   Unassigned
Focal                     Fix Released  Undecided   Unassigned
Jammy                     Fix Released  Undecided   Unassigned
Kinetic                   Fix Released  High        Alex Murray

Bug Description

[Impact]

CVE-2022-21233
Stale data may be returned as the result of unauthorized reads to the legacy xAPIC MMIO region. This issue is present only in the legacy xAPIC mode and doesn’t affect the x2APIC mode. This can be used to expose sensitive information in an SGX enclave.

[Test Plan]

 * install the updated intel-microcode packages and reboot the system

[Other Info]

Intel released the microcode-20220809 release (https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220809) to address the vulnerability:

- CVE-2022-21233 / intel-sa-00657


King Li (dreamrace)
information type: Private Security → Public
description: updated
Alex Murray (alexmurray)
Changed in intel-microcode (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Alex Murray (alexmurray)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package intel-microcode - 3.20220809.0ubuntu1

---------------
intel-microcode (3.20220809.0ubuntu1) kinetic; urgency=medium

  * SECURITY UPDATE: New microcode datafile 20220809 (LP: #1984166)
    - Updated microcodes:
      sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816
      sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
      sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
      sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776
      sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776
      sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640
      sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280
      sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400
      sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424
      sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
    - CVE-2022-21233, INTEL-SA-00657
  * source: update symlinks to reflect id of the latest release, 20220809

 -- Alex Murray <email address hidden> Mon, 15 Aug 2022 15:07:42 +0930

Changed in intel-microcode (Ubuntu):
status: Confirmed → Fix Released
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello King, or anyone else affected,

Accepted intel-microcode into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/intel-microcode/3.20220809.0ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in intel-microcode (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in intel-microcode (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Chris Halse Rogers (raof) wrote :

Hello King, or anyone else affected,

Accepted intel-microcode into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/intel-microcode/3.20220809.0ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in intel-microcode (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Chris Halse Rogers (raof) wrote :

Hello King, or anyone else affected,

Accepted intel-microcode into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/intel-microcode/3.20220809.0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Alex Murray (alexmurray) wrote :

These packages were tested via testflinger-cli to schedule jobs on the various machines in the Canonical Hardware Certifications Lab - each job was then configured as follows:

# enable proposed so we can install intel-microcode from there
# https://wiki.ubuntu.com/Testing/EnableProposed

cat <<EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

cat <<EOF | sudo tee /etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF

sudo apt update

# then installed as:

sudo apt install intel-microcode/$(lsb_release -cs)-proposed

# and finally the machine was rebooted to test that it correctly loads the new microcode
sudo reboot

# capture details of the new microcode
sudo dmesg | grep microcode
cat /proc/cpuinfo

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-jammy
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy
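
A check that could follow the `cat /proc/cpuinfo` step above, as an added example that is not part of the original comment or of the intel-microcode package: it rebuilds the CPUID signature from /proc/cpuinfo and compares the running revision with the `rev` the changelog lists for that signature. The function names and the cpuinfo sample (including its revision value) are constructed for illustration, and pf_mask matching is left out.

```sh
# Added example (not from the bug report): is the running microcode current?
# Three entries copied from the changelog on this page.
CHANGELOG_SAMPLE='sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064'

# Constructed /proc/cpuinfo excerpt (not from a real host); revision is made up.
CPUINFO_SAMPLE='processor : 0
cpu family : 6
model : 85
model name : constructed sample CPU
stepping : 4
microcode : 0x2006b06'

# Print the value of one /proc/cpuinfo field from the first processor block.
cpuinfo_field() (
  printf '%s\n' "$2" | awk -F: -v want="$1" '
    { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
    key == want { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
)

# Rebuild the CPUID signature ("sig") from decimal family, model, stepping.
cpu_signature() (
  fam=$1; ext_fam=0
  if [ "$fam" -ge 15 ]; then ext_fam=$((fam - 15)); fam=15; fi
  printf '0x%08x\n' "$(( (ext_fam << 20) | (($2 >> 4) << 16) | (fam << 8) | (($2 & 15) << 4) | $3 ))"
)

# Look up the shipped revision for a signature; empty output if not listed.
# pf_mask is ignored: /proc/cpuinfo does not expose the platform ID.
expected_rev() (
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*sig $1, pf_mask [^,]*, [^,]*, rev \(0x[0-9a-fA-F]*\), size.*/\1/p" | head -n 1
)

# Classify a host: unknown / not-listed / current / outdated.
microcode_status() (
  run=$(cpuinfo_field microcode "$1")
  [ -n "$run" ] || { echo "unknown"; exit 0; }
  sig=$(cpu_signature "$(cpuinfo_field 'cpu family' "$1")" "$(cpuinfo_field model "$1")" "$(cpuinfo_field stepping "$1")")
  want=$(expected_rev "$sig" "$2")
  if [ -z "$want" ]; then echo "not-listed $sig"
  elif [ "$(( $run ))" -ge "$(( $want ))" ]; then echo "current $sig $run"
  else echo "outdated $sig running=$run expected=$want"
  fi
)

# Demo on the samples; on a real host pass "$(cat /proc/cpuinfo)" instead.
microcode_status "$CPUINFO_SAMPLE" "$CHANGELOG_SAMPLE"
```

A "not-listed" result only means this release carries no new revision for that signature; it says nothing about whether the CPU is affected.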
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for intel-microcode has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package intel-microcode - 3.20220809.0ubuntu0.18.04.1

---------------
intel-microcode (3.20220809.0ubuntu0.18.04.1) bionic; urgency=medium

  * SECURITY UPDATE: New microcode datafile 20220809 (LP: #1984166)
    - Updated microcodes:
      sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816
      sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
      sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
      sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776
      sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776
      sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640
      sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280
      sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400
      sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424
      sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
    - CVE-2022-21233, INTEL-SA-00657
  * source: update symlinks to reflect id of the latest release, 20220809

 -- Alex Murray <email address hidden> Mon, 15 Aug 2022 15:50:26 +0930

Changed in intel-microcode (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package intel-microcode - 3.20220809.0ubuntu0.20.04.1

---------------
intel-microcode (3.20220809.0ubuntu0.20.04.1) focal; urgency=medium

  * SECURITY UPDATE: New microcode datafile 20220809 (LP: #1984166)
    - Updated microcodes:
      sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816
      sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
      sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
      sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776
      sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776
      sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640
      sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280
      sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400
      sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424
      sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
    - CVE-2022-21233, INTEL-SA-00657
  * source: update symlinks to reflect id of the latest release, 20220809

 -- Alex Murray <email address hidden> Mon, 15 Aug 2022 15:49:19 +0930

Changed in intel-microcode (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package intel-microcode - 3.20220809.0ubuntu0.22.04.1

---------------
intel-microcode (3.20220809.0ubuntu0.22.04.1) jammy; urgency=medium

  * SECURITY UPDATE: New microcode datafile 20220809 (LP: #1984166)
    - Updated microcodes:
      sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816
      sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
      sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
      sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776
      sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776
      sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640
      sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280
      sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400
      sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424
      sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
    - CVE-2022-21233, INTEL-SA-00657
  * source: update symlinks to reflect id of the latest release, 20220809

 -- Alex Murray <email address hidden> Thu, 11 Aug 2022 10:10:00 +0930

Changed in intel-microcode (Ubuntu Jammy):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote :

Was this supposed to also end up in -security? I ask as it isn't there.

Alex Murray (alexmurray) wrote :

Yes - the plan is to wait until it is fully phased in -updates then copy it to -security and publish the associated USN - they are currently at 70-80% phased.
