...
On August 14, 2018, Intel disclosed new vulnerabilities that impact processors supported on HPE ProLiant, Synergy, and Moonshot servers. When exploited for malicious purposes, these vulnerabilities have the potential to allow the improper gathering of sensitive data. They use a speculative execution side-channel method which Intel is referring to as L1 Terminal Fault (L1TF). At the time of disclosure, Intel was not aware of any reports that L1TF has been used in real-world exploits.

Intel released updated microcode earlier in 2018, which HPE has already made available via System ROM updates. This updated microcode, when coupled with new operating system and/or hypervisor software updates which are now being made available, provides mitigation for these vulnerabilities.

Intel has communicated that there is a portion of the market, principally a subset of those running traditional virtualization technology in data centers, where it may be advisable to take additional steps to protect systems. This may include enabling specific hypervisor core scheduling features or choosing to disable hyper-threading in specific scenarios. Consult the recommendations of your OS and hypervisor vendors.

The table below includes information on these vulnerabilities:

| Vulnerability | CVE Number | CVE Grade | Mitigations Required |
|---|---|---|---|
| L1 Terminal Fault - SGX | CVE-2018-3615 | 7.9 - High | Microcode |
| L1 Terminal Fault - OS, SMM | CVE-2018-3620 | 7.1 - High | Microcode, OS Software |
| L1 Terminal Fault - VMM | CVE-2018-3646 | 7.1 - High | Microcode, OS Software, VMM Software |

An attack which exploits these vulnerabilities requires malicious code to run on the system. Therefore, practicing good security hygiene, including always keeping your software and firmware current, can reduce exposure to this vulnerability. Following security best practices and deploying HPE Gen10 Servers with secure Silicon Root of Trust technology can help protect businesses from malicious attacks.

Additional information on these vulnerabilities is available from Intel in the following Security Advisory: Intel Security Advisory INTEL-SA-00161

IMPORTANT: New OS and Hypervisor updates are required to mitigate these vulnerabilities. The OS and Hypervisor updates required for mitigation of previous side-channel analysis vulnerabilities (Spectre, Meltdown, Variant 3A, and Variant 4) do not mitigate the L1 Terminal Fault vulnerabilities.

Operating System Links:

- Red Hat: https://access.redhat.com/security/vulnerabilities/L1TF
- Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018
- VMware: https://www.vmware.com/security/advisories/VMSA-2018-0020.html
The following table provides the HPE ProLiant, Synergy, and Moonshot servers which support processors impacted by these vulnerabilities. HPE has already made available updated System ROMs including the necessary microcode required to support mitigation of these issues.

NOTE: These vulnerabilities do NOT impact systems using AMD processors.

NOTE: L1 Terminal Fault – SGX only impacts systems that support Intel’s SGX functionality. Only the ProLiant m710x Server Cartridge supports SGX. All other systems listed are NOT vulnerable to L1 Terminal Fault – SGX.

NOTE: Intel has informed HPE that Itanium and Intel Phi 7200-series processors are NOT impacted by these vulnerabilities.

Impacted Server:

- HPE Apollo 4200 Gen9
- ProLiant BL280c G6
- ProLiant BL2x220c G6
- ProLiant BL2x220c G7
- ProLiant BL420c Gen8
- ProLiant BL460c G6
- ProLiant BL460c G7
- ProLiant BL460c Gen10
- ProLiant BL460c Gen8
- ProLiant BL460c Gen9
- ProLiant BL490c G6
- ProLiant BL490c G7
- ProLiant BL620c G7
- ProLiant BL660c Gen8
- ProLiant BL660c Gen9
- ProLiant BL680 G7
- ProLiant DL120 G7
- ProLiant DL120 Gen10
- ProLiant DL120 Gen9
- ProLiant DL160 Gen10
- ProLiant DL160 Gen8
- ProLiant DL160 Gen9
- ProLiant DL180 Gen10
- ProLiant DL180 Gen9
- ProLiant DL20 Gen9
- ProLiant DL320 G6
- ProLiant DL320e Gen8
- ProLiant DL320e Gen8 v2
- ProLiant DL360 G6
- ProLiant DL360 G7
- ProLiant DL360 Gen10
- ProLiant DL360 Gen9
- ProLiant DL360e Gen8
- ProLiant DL360p Gen8
- ProLiant DL370 G6
- ProLiant DL380 G6
- ProLiant DL380 G7
- ProLiant DL380 G7 SE
- ProLiant DL380 Gen10
- ProLiant DL380 Gen9
- ProLiant DL380e Gen8
- ProLiant DL380p Gen8
- ProLiant DL560 Gen10
- ProLiant DL560 Gen8
- ProLiant DL560 Gen9
- ProLiant DL580 G7
- ProLiant DL580 Gen10
- ProLiant DL580 Gen8
- ProLiant DL580 Gen9
- ProLiant DL60 Gen9
- ProLiant DL80 Gen9
- ProLiant DL980 G7
- ProLiant m510 Server Cartridge
- ProLiant m710 Server Cartridge
- ProLiant m710p Server Cartridge
- ProLiant m710x Server Cartridge
- ProLiant Microserver Gen8
- ProLiant ML10
- ProLiant ML10 v2
- ProLiant ML110 G7
- ProLiant ML110 Gen10
- ProLiant ML110 Gen9
- ProLiant ML150 Gen9
- ProLiant ML30 Gen9
- ProLiant ML310e Gen8
- ProLiant ML310e Gen8 v2
- ProLiant ML330 G6
- ProLiant ML350 G6
- ProLiant ML350 Gen10
- ProLiant ML350 Gen9
- ProLiant ML350e Gen8
- ProLiant ML350e Gen8 v2
- ProLiant ML350p Gen8
- ProLiant ML370 G6
- ProLiant SL210t Gen8
- ProLiant SL230s Gen8
- ProLiant SL250s Gen8
- ProLiant SL270s Gen8
- ProLiant SL2x170z G6
- ProLiant SL390s G7
- ProLiant SL4540 Gen8
- ProLiant Thin Micro TM200
- ProLiant WS460c Gen9
- ProLiant XL170d Gen10
- ProLiant XL170r Gen10
- ProLiant XL170r Gen9
- ProLiant XL190r Gen10
- ProLiant XL190r Gen9
- ProLiant XL220a Gen8 v2
- ProLiant XL230a Gen9
- ProLiant XL230k Gen10
- ProLiant XL250a Gen9
- ProLiant XL270d Accelerator Tray
- ProLiant XL450 Gen10
- ProLiant XL450 Gen9
- ProLiant XL730f Gen9
- ProLiant XL740f Gen9
- ProLiant XL750f Gen9
- Synergy 660 Gen10
- Synergy Composer
- Synergy SY480 Gen10
- Synergy SY480 Gen9
- Synergy SY620 Gen9
- Synergy SY660 Gen9
- Synergy SY680 Gen9
HPE recommends installing mitigations to these security vulnerabilities for impacted products. This includes updating to the revision of the System ROM that includes the Intel microcode that supports mitigation of these vulnerabilities as well as updating the OS and/or Hypervisor with a revision that supports mitigation.

Updated System ROMs including the Intel microcode that supports mitigation of these vulnerabilities are already available for all HPE ProLiant, Synergy, and Moonshot platforms impacted by these vulnerabilities. See the following table for the minimum revision of the System ROM which supports mitigation of these vulnerabilities.

| ROM Family | Server(s) | System ROM Revision Supporting Mitigation |
|---|---|---|
| U30 | ProLiant DL380 Gen10 | v1.42 (06/20/2018) |
| U31 | ProLiant DL160 Gen10, ProLiant DL180 Gen10 | v1.42 (06/20/2018) |
| U32 | ProLiant DL360 Gen10 | v1.42 (06/20/2018) |
| U33 | ProLiant ML110 Gen10 | v1.42 (06/20/2018) |
| U34 | ProLiant DL560 Gen10, ProLiant DL580 Gen10 | v1.42 (06/20/2018) |
| U36 | ProLiant DL120 Gen10 | v1.42 (06/20/2018) |
| U37 | ProLiant XL230k Gen10 | v1.42 (06/20/2018) |
| U38 | ProLiant XL170r Gen10, ProLiant XL190r Gen10 | v1.42 (06/20/2018) |
| U40 | ProLiant XL450 Gen10 | v1.42 (06/20/2018) |
| U45 | ProLiant XL270d Gen10 | v1.42 (06/20/2018) |
| U41 | ProLiant ML350 Gen10 | v1.42 (06/20/2018) |
| I41 | ProLiant BL460c Gen10 | v1.42 (06/20/2018) |
| I42 | HPE Synergy SY480 Gen10 | v1.42 (06/20/2018) |
| I43 | HPE Synergy 660 Gen10 | v1.42 (06/20/2018) |
| U13 | ProLiant XL230a Gen9, ProLiant XL250a Gen9 | v2.60 (5/21/2018) |
| U14 | ProLiant XL170r Gen9, ProLiant XL190r Gen9 | v2.60 (5/21/2018) |
| U15 | ProLiant DL60 Gen9, ProLiant DL80 Gen9 | v2.60 (5/21/2018) |
| U18 | ProLiant XL730f Gen9, ProLiant XL740f Gen9, ProLiant XL750f Gen9 | v2.60 (5/21/2018) |
| U19 | HPE Apollo 4200 Gen9 | v2.60 (5/21/2018) |
| U20 | ProLiant DL160 Gen9, ProLiant DL180 Gen9 | v2.60 (5/21/2018) |
| U21 | ProLiant XL450 Gen9 | v2.60 (5/21/2018) |
| U25 | ProLiant XL270d Accelerator Tray | v2.60 (5/21/2018) |
| P85 | ProLiant DL560 Gen9 | v2.60 (5/21/2018) |
| P86 | ProLiant DL120 Gen9 | v2.60 (5/21/2018) |
| P89 | ProLiant DL380 Gen9, ProLiant DL360 Gen9 | v2.60 (5/21/2018) |
| P92 | ProLiant ML350 Gen9 | v2.60 (5/21/2018) |
| P95 | ProLiant ML150 Gen9 | v2.60 (5/21/2018) |
| P99 | ProLiant ML110 Gen9 | v2.60 (5/21/2018) |
| I36 | ProLiant BL460c Gen9, WS460c Gen9 | v2.60 (5/21/2018) |
| I37 | HPE Synergy 480 Gen9 | v2.60 (5/21/2018) |
| I38 | ProLiant BL660c Gen9 | v2.60 (5/21/2018) |
| I39 | HPE Synergy 660 Gen9 | v2.60 (5/21/2018) |
| U17 | ProLiant DL580 Gen9 | v2.60 (5/23/2018) |
| I40 | HPE Synergy 620 Gen9, HPE Synergy 680 Gen9 | v2.60 (5/23/2018) |
| U26 | ProLiant Thin Micro TM200 | v2.60 (05/21/2018) |
| H05 | ProLiant m510 Server Cartridge | v1.68 (05/21/2018) |
| U22 | ProLiant DL20 Gen9 | v2.60 (5/23/2018) |
| U23 | ProLiant ML30 Gen9 | v2.60 (5/23/2018) |
| H07 | ProLiant m710x Server Cartridge | v1.68 (5/10/2018) |
| H06 | ProLiant m710p Server Cartridge | 5/21/2018 |
| I30 | ProLiant BL420c Gen8 | 5/21/2018 |
| I31 | ProLiant BL460c Gen8 | 5/21/2018 |
| I32 | ProLiant BL660c Gen8 | 5/21/2018 |
| J02 | ProLiant ML350e Gen8, ProLiant ML350e Gen8 v2 | 5/21/2018 |
| J03 | ProLiant DL160 Gen8 | 5/21/2018 |
| P70 | ProLiant DL380p Gen8 | 5/21/2018 |
| P71 | ProLiant DL360p Gen8 | 5/21/2018 |
| P72 | ProLiant ML350p Gen8 | 5/21/2018 |
| P73 | ProLiant DL360e Gen8, ProLiant DL380e Gen8 | 5/21/2018 |
| P74 | ProLiant SL4540 Gen8 | 5/21/2018 |
| P75 | ProLiant SL230s Gen8, ProLiant SL250s Gen8, ProLiant SL270s Gen8 | 5/21/2018 |
| P77 | ProLiant DL560 Gen8 | 5/21/2018 |
| P83 | ProLiant SL210t Gen8 | 5/21/2018 |
| P79 | ProLiant DL580 Gen8 | v2.20 (05/21/2018) |
| P88 | ProLiant ML10 | 5/21/2018 |
| J04 | ProLiant ML310e Gen8 | 5/21/2018 |
| J05 | ProLiant DL320e Gen8 | 5/21/2018 |
| J06 | Microserver Gen8 | 5/21/2018 |
| P78 | ProLiant ML310e Gen8 v2 | 5/21/2018 |
| P80 | ProLiant DL320e Gen8 v2 | 5/21/2018 |
| J10 | ProLiant ML10 v2 | 5/21/2018 |
| P94 | ProLiant XL220a Gen8 v2 | 5/21/2018 |
| H03 | ProLiant m710 Server Cartridge | 5/21/2018 |
| J08 | HPE Synergy Composer | 5/21/2018 |
| I25 | ProLiant BL620c G7, BL680 G7 | 5/21/2018 |
| P65 | ProLiant DL580 G7 | 5/21/2018 |
| P66 | ProLiant DL980 G7 | 5/21/2018 |
| I27 | ProLiant BL460c G7 | 5/21/2018 |
| I28 | ProLiant BL490c G7 | 5/21/2018 |
| I29 | ProLiant BL2x220c G7 | 5/21/2018 |
| P67 | ProLiant DL380 G7 | 5/21/2018 |
| P68 | ProLiant DL360 G7 | 5/21/2018 |
| P69 | ProLiant SL390s G7 | 5/21/2018 |
| V67 | ProLiant DL380 G7 SE | 5/21/2018 |
| J01 | ProLiant ML110 G7, DL120 G7 | 5/21/2018 |
| D22 | ProLiant ML350 G6 | 5/21/2018 |
| I21 | ProLiant BL490c G6 | 5/21/2018 |
| I22 | ProLiant BL280c G6 | 5/21/2018 |
| I24 | ProLiant BL460c G6 | 5/21/2018 |
| I26 | ProLiant BL2x220c G6 | 5/21/2018 |
| P62 | ProLiant DL380 G6 | 5/21/2018 |
| P63 | ProLiant ML370 G6, ProLiant DL370 G6 | 5/21/2018 |
| P64 | ProLiant DL360 G6 | 5/21/2018 |
| W07 | ProLiant ML330 G6, ProLiant DL320 G6 | 5/21/2018 |

The System ROMs are available as follows:

1. Click the following link: https://support.hpe.com/hpesc/public/home
2. Enter a product name (e.g., "DL380 Gen9") in the text search field and wait for a list of products to populate.
3. From the products displayed, identify the desired product and click on the Drivers & software icon to the right of the product.
4. From the Drivers & software dropdown menus on the left side of the page:
   - Under Software Type, select "BIOS-(Entitlement Required)".
   - For further filtering if needed, select the specific Operating System from the Operating Environment.
5. Select the appropriate version of the System ROM.
6. Click Download.

NOTE: The following ProLiant servers do not use an HPE BIOS and will NOT have an updated System ROM including the microcode required for mitigation of these vulnerabilities:

- ProLiant DL160 G6
- ProLiant SL160z G6
- ProLiant SL160s G6
- ProLiant SL170s G6
- ProLiant SL2x170z G6
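Because mitigation needs both a System ROM at or above the table minimum and an updated OS or hypervisor, a fleet check has to test the two together. The following is an added example, not HPE's or Intel's code: it compares by release date because the Gen8 and older rows list only a date. It assumes the ROM family and release date were collected per host (for example with `dmidecode -s bios-version` and `dmidecode -s bios-release-date`) along with the text of the Linux kernel's `/sys/devices/system/cpu/vulnerabilities/l1tf` file; host names, sample values and issue labels are constructed.

```python
from datetime import date

# Minimum System ROM dates for a few ROM families, copied from the table above.
MIN_ROM_DATE = {
    "U30": "06/20/2018",  # ProLiant DL380 Gen10
    "P89": "5/21/2018",   # ProLiant DL380 Gen9, DL360 Gen9
    "U17": "5/23/2018",   # ProLiant DL580 Gen9
    "P70": "5/21/2018",   # ProLiant DL380p Gen8
}

def parse_us_date(text):
    """Parse M/D/YYYY with or without zero padding (the table uses both)."""
    month, day, year = (int(part) for part in text.strip().split("/"))
    return date(year, month, day)

def rom_status(family, release_date):
    """Compare a host's ROM release date with the table minimum."""
    minimum = MIN_ROM_DATE.get(family.strip().upper())
    if minimum is None:
        return "unknown-family"
    ok = parse_us_date(release_date) >= parse_us_date(minimum)
    return "ok" if ok else "outdated"

def l1tf_findings(sysfs_text):
    """Flag gaps reported by /sys/devices/system/cpu/vulnerabilities/l1tf."""
    text = sysfs_text.strip()
    if text.startswith("Not affected"):
        return []
    findings = []
    if not text.startswith("Mitigation:"):
        findings.append("os-mitigation-missing")
    if "VMX: vulnerable" in text:
        findings.append("hypervisor-flush-missing")
    if "SMT vulnerable" in text:
        findings.append("smt-enabled")
    return findings

def audit(hosts):
    """Map host name -> open issues (empty list: nothing found by these checks)."""
    report = {}
    for name, family, rom_date, l1tf in hosts:
        status = rom_status(family, rom_date)
        rom_issue = [] if status == "ok" else ["rom-" + status]
        report[name] = rom_issue + l1tf_findings(l1tf)
    return report

# Constructed inventory: (host, ROM family, ROM release date, l1tf sysfs text).
SAMPLE_HOSTS = [
    ("kvm-01", "P89", "05/21/2018",
     "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"),
    ("db-02", "U30", "02/14/2018", "Vulnerable"),
    ("web-03", "U17", "5/23/2018", "Mitigation: PTE Inversion"),
]
```

A host flagged `smt-enabled` is the virtualization case described above, where the hypervisor vendor's guidance on core scheduling or disabling hyper-threading applies.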