On January 2, 2018, the Google security team announced the “Meltdown" (CVE-2017-5754) and “Spectre”(CVE-2017-5715/CVE-2017-5753) A-level vulnerabilities on Intel CPU chips.
In some circumstances, a local attacker could exploit these vulnerabilities to read memory information belonging to other OS kernel or other processes.
Meltdown vulnerability destroys the basic isolation between the user program and the operating system, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
Spectre vulnerability undermines the security isolation between different applications, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
After receiving the notification of security vulnerability on the night of January 3, 2018, ZTE drew back key staffs from projects such as CGSL, VPlat and CGEL and immediately set up an emergency response team to start analyzing, actively communicating with relevant CPUs and operating system vendors. Combined with the security architecture of NFV/Non-NFV Network for the Meltdown/Spectre vulnerability threat analysis, ZTE determined the risk level, communicated with related CPU and OS suppliers, closely tracked the treatment scheme of the upstream suppliers, and finished the system test, confirming the impact of patches for systems Services.