0

How can I fix CVE-2018-3640 [rogue system register read] aka 'Variant 3a' and CVE-2018-3639 [speculative store bypass] aka 'Variant 4'? My status for them is VULNERABLE. I have an Intel CPU and am using kernel 4.17.

I read on a site that there is a framework called 007 that fixes Spectre very easily, but I can't find it on GitHub.

1 Answer

0

At the time of this writing, you'll need the very latest CPU microcode update to mitigate against variants 3a and 4, and not all Intel CPUs have those mitigations released yet. Here is the July 2018 Intel microcode package for Linux systems.

Sometimes it takes a while until the latest microcodes are packaged for Linux. Here's a GitHub site that claims to have various microcode versions available, extracted by random people on the internet from new systems with the most up-to-date firmware: use at your own risk.

Microcode updates can be provided by the system firmware (= BIOS/UEFI updates) and/or by the operating system. Microcode updates are not persistent in the CPU: they need to be reloaded each time the system is rebooted. This is why embedding the microcode updates in the system firmware seems to be the "best" option: it ensures the update will always be loaded before any non-firmware code is executed.

On a modern Linux distribution with Intel hardware, you can download the microcode package, then use the iucode-tool with options -S -l to verify that a package includes an updated microcode that matches your CPU, and then with options -S -K to write the updated microcode to the appropriate location under /lib/firmware/intel-ucode. Then just update your initramfs/initrd file, and reboot.

The problem with Spectre is that a true fix for it requires changes at the level of CPU design principles. The microcode and OS patches released so far are mitigations, i.e. they don't necessarily fix the underlying problem but make it impossible (or at least extremely inefficient) to exploit.

Any "frameworks" that claim to "fix Spectre easily" sound like probable snake oil to me.

telcoM
  • 96,466
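
A post-reboot check for the procedure described in the answer above, as an added example that is not part of the original answer: it reads the running microcode revision and the `ssbd` CPU flag from /proc/cpuinfo and the kernel's Variant 4 report from sysfs. The function names and the script name are assumptions, and the revision passed on the command line is a placeholder for the one that `iucode_tool -S -l` lists for your CPU.

```shell
#!/bin/sh
# Added example: post-reboot check that the new microcode is active.
# File paths are parameters so the functions can run against saved copies.

# Running microcode revision of the first CPU, e.g. 0x25.
ucode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Succeed if the CPU flags list "ssbd" (exact word, so amd_ssbd does not count).
has_ssbd() {
    awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "ssbd") f = 1; exit }
         END { exit !f }' "${1:-/proc/cpuinfo}"
}

# Map the kernel's Variant 4 report to ok / vulnerable / unknown.
ssb_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/spec_store_bypass}"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        "Not affected"*|Mitigation:*) echo ok ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Validate before arithmetic so file content is never evaluated as an expression.
is_hex() {
    case "${1#0x}" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
}

# rev_at_least RUNNING WANTED: true if RUNNING >= WANTED (both hex).
rev_at_least() {
    is_hex "$1" && is_hex "$2" && [ "$(( 0x${1#0x} ))" -ge "$(( 0x${2#0x} ))" ]
}

# report WANTED: WANTED is the revision listed for this CPU by iucode_tool -S -l.
report() {
    have=$(ucode_rev)
    if rev_at_least "$have" "$1"; then echo "microcode $have: current"
    else echo "microcode ${have:-?}: older than $1 (initramfs not rebuilt?)"; fi
    if has_ssbd; then echo "ssbd flag: present"; else echo "ssbd flag: missing"; fi
    echo "spec_store_bypass: $(ssb_status)"
}

# Usage: sh check-ucode.sh 0x25   (0x25 is a placeholder revision)
if [ $# -eq 1 ]; then report "$1"; fi
```

If the revision is current but the kernel still reports Vulnerable for spec_store_bypass, the microcode loaded but the kernel-side mitigation is not in effect, so check the kernel command line and version next.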