Meltdown and Spectre
The Meltdown (meltdownattack.com) and Spectre (spectreattack.com) vulnerabilities have been known to Intel, AMD, and the various OEMs and OS teams for about 6 months as of this writing in January 2018. Nevertheless, the rollout of the necessary firmware updates has been problematic: Intel recently advised OEMs to postpone the upgrades because of problems reported on systems patched with the firmware available thus far. Consequently, Lenovo, the manufacturer of ThinkPads, like many other OEMs, has not released firmware upgrades to patch against the Intel-specific vulnerability named Meltdown. A second vulnerability, Spectre, affects not just Intel CPUs but CPUs of other architectures as well.
For ongoing developments, Lenovo provides a page at https://support.lenovo.com/us/en/solutions/len-18282