Symptom
The product Cisco IOS XE Software Releases 16.2.x includes an Intel CPU that is affected by
the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2018-12127 -- Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2018-12126 -- Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12130 -- Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2019-11091 -- Microarchitectural Uncacheable Data Sampling (MDSUM)
Cisco has reviewed this product and concluded that it is affected by these vulnerabilities.
Fixed software information will be updated as part of this Release Note Enclosure.
Conditions
The device is enabled to allow the execution of non-Cisco supplied code.
Workaround
Not currently available.
Further Problem Description
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 6.5:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3&vector=CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE IDs CVE-2018-12127, CVE-2018-12126, CVE-2018-12130, and CVE-2019-11091 have been assigned to document this issue.
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the
CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the
actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html