At this point in time, NXP does not give general replies, due to analysis ongoing in several areas, and due to the fact that overall security is a system issue and therefor relying also on the used operating system etc.
I am posting the offical statement below here, but want to add a personal comment:
Especially the system aspect is for many ColdFire and Microcontroller based embedded systems the bottom line answer:
The Spectre vulnerability requires to execute code on the system, a code which tries to exploit it. If the OEM building a system, does not allow any code execution of foreign code (like on a desktop operating systems), the question if the processor is theoretically vulnerable to such attacks is void and academic only.
Note that there are reports in the press, that http services which allow the execution of Javascript in the browser are an attack scenario (relies also the timer precision etc.).
This is the first consideration to take and the reason for the second part of the statement below, it´s foremost a system question.
With this personal note, here is the statement and offer we make at this time for any further detailed answers.
NXP advises customers to write an email to the NXP Product Security Incident Response Team at psirt[@]nxp.com. It is required that you indicate the specific part and operating system that your question refers to in order to be able providing support in the best way.
For end users using NXP processors but not buying semiconductors from NXP directly or through distributors, we have to refer to the original equipment manufacturer (OEM) as any security analysis needs to be done on a system level.
