On 12/07/2022 20:34, Salvatore Bonaccorso wrote: > Hi, > > On Tue, Jul 12, 2022 at 09:27:07PM +0200, Salvatore Bonaccorso wrote: >> Hi, >> >> On Tue, Jul 12, 2022 at 04:36:10PM +0000, Xen.org security team wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA256 >>> >>> Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / >>> XSA-407 >>> >>> Retbleed - arbitrary speculative code execution with return instructions >>> >>> ISSUE DESCRIPTION >>> ================= >>> >>> Researchers at ETH Zurich have discovered Retbleed, allowing for >>> arbitrary speculative execution in a victim context. >>> >>> For more details, see: >>> https://comsec.ethz.ch/retbleed >>> >>> ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for >>> Intel. >>> >>> Despite the similar preconditions, these are very different >>> microarchitectural behaviours between vendors. >>> >>> On AMD CPUs, Retbleed is one specific instance of a more general >>> microarchitectural behaviour called Branch Type Confusion. AMD have >>> assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type >>> Confusion). >>> >>> For more details, see: >>> https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037 >> Is it confirmed that AMD is not using CVE-2022-29900? The above >> amd-sb-1037 references as well both CVE-2022-23825 (Branch Type >> Confusion) and CVE-2022-29900 (RETbleed), so I assume they agreed to >> use CVE-2022-29900 for retbleed? >> >> So should the Xen advisory as well use CVE-2022-23825,CVE-2022-29900 >> and CVE-2022-29901? > Nevermind, I missunderstood the wording and the advisory just mentions > all the related CVEs correctly and made a thinko. It might turn out > that CVE-2022-23816 will not be used, but then the title would read > only as > > Xen Security Advisory CVE-2022-23825,CVE-2022-29900 / XSA-407 > > So please disregard the question above.
/sigh AMD changed the CVE in the bulletin between the final draft, and what went public. CVE-2022-23816 has been referenced by multiple other vendors too, so is definitely out in the world. Hopefully MITRE will close out one of CVE-2022-23816 and CVE-2022-29900 as a dup of the other. For now, I think the least confusing option is to keep both referenced. ~Andrew
