Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?
This article states "However, any attack would require local access to the affected system", but one of the four (CVE-2023-20579) on AMD's bulletin page states:
"Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability."
That sounds pretty bad – that's not local/physical access, that's the ability to run code on a system (could be through a remote code execution exploit) with administrator privileges (privilege exploit after RCE) to be able to run kernel-mode code...
Need more digging to determine what exactly these flaws can be used for, but it sounds like it *might* be usable for persistent infection of UEFI flash memory. That's advanced stuff you're unlikely to be hit by as a normal consumer, but if my understanding that it doesn't require physical hardware access is correct, it's still pretty serious.
Unfortunately AGESA firmware stuff requires the motherboard vendor to release a new UEFI/BIOS per board – which is a bit funny, since CPU microcode patches can be included in Linux/Windows updates even though it's lower-level than the AGESA firmware... but I guess the motherboard-specific firmware has to be validated combined with the AMD-supplied AGESA, and gosh our systems are complicated these days – DDR training, voltage regulation, and who knows what happens with SMM code these days 🥳