Symptom
The combination of the hardware platform and the offered software features makes Cisco Catalyst 9300 Series Switches (IOx feature) affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2017-5715 - Branch Target Injection Side-Channel Information Disclosure Vulnerability (aka Spectre)
CVE-2017-5753 - Bounds Check Bypass Side-Channel Information Disclosure Vulnerability (aka Spectre)
CVE-2017-5754 - Rogue Data Cache Load Side-Channel Information Disclosure Vulnerability (aka Meltdown)
Conditions
Device is configured with a customer-supplied Open Service Container.
Virtual-Services are not enabled by default.
Further Problem Description
Customers are advised to ensure that only trusted users have access to the management interfaces of the affected device. Customer-supplied services should be vetted to ensure that no unauthorized code or access is possible within those containers.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.3:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html