Document Version   Release Date   Details
2                  11/02/2018     Updated Resolution section with permanent fix for HPE Integrity Superdome X.
1                  08/30/2018     Original Document Release.

On August 14, 2018, Intel disclosed new vulnerabilities that impact processors which are supported on certain HPE platforms. These vulnerabilities, when exploited for malicious purposes, have the potential to allow the improper gathering of sensitive data. They use a speculative execution side-channel method which Intel refers to as L1 Terminal Fault (L1TF) or Foreshadow. At the time of disclosure, Intel was not aware of any reports that L1TF had been used in real-world exploits.

Intel released mitigating microcode prior to disclosure, and HPE has already incorporated this microcode into most firmware releases. These updated microcodes, when coupled with the new operating system and/or hypervisor software updates which are now being made available, provide mitigation for these vulnerabilities.

Intel has communicated that for some solutions, principally a subset of those running traditional virtualization technology in data centers, it may be advisable to take additional steps to protect systems. This may include enabling specific hypervisor core scheduling features or choosing to disable hyper-threading in specific scenarios. Consult the recommendations of your OS and Hypervisor vendors.

The table below includes information on these vulnerabilities:

Vulnerability                  CVE Number      CVE Grade      Mitigations Required
L1 Terminal Fault - OS, SMM    CVE-2018-3620   6.5 - Medium   Microcode, OS Software
L1 Terminal Fault - VMM        CVE-2018-3646   6.5 - Medium   Microcode, OS Software, VMM Software

An attack which exploits these vulnerabilities requires malicious code to run on the system. Therefore, practicing good security hygiene, including always keeping your software and firmware current, can reduce exposure to these vulnerabilities.
Following security best practices can also help protect businesses from malicious attacks. Additional information on these vulnerabilities is available from Intel in the following Security Advisory: Intel Security Advisory INTEL-SA-00161

IMPORTANT: New OS and Hypervisor updates are required to help mitigate these vulnerabilities. The OS and Hypervisor updates required for mitigation of the previous side-channel analysis vulnerabilities (Spectre, Meltdown, Variant 3A, and Variant 4) do not mitigate the L1 Terminal Fault vulnerabilities. Below are the corresponding Operating System links:

Red Hat: https://access.redhat.com/security/vulnerabilities/L1TF
SUSE: https://www.suse.com/support/kb/doc/?id=7023077
Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018
VMware: https://www.vmware.com/security/advisories/VMSA-2018-0020.html
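On Linux hosts, one way to verify that the OS-side L1TF mitigation described above is present, and whether the hypervisor and hyper-threading caveat applies, is to read the kernel's L1TF status file. The following is an added example, not part of the HPE bulletin or any vendor tool; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/l1tf and uses constructed sample status strings in the kernel's documented format.

```python
"""Classify the Linux kernel's L1TF status and flag hosts that still need action.
Added example (not HPE's code). Assumes a kernel exposing the l1tf sysfs file.
"""
import re

L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"  # open().read() for the live value

def parse_l1tf(status: str) -> dict:
    """Split one status line into its OS, VMX (hypervisor) and SMT components."""
    status = status.strip()
    info = {"raw": status, "os_mitigated": False, "vmx": None, "smt_vulnerable": None}
    if status == "Not affected":
        info["os_mitigated"] = True
        return info
    if not status.startswith("Mitigation:"):
        return info  # plain "Vulnerable": kernel carries no L1TF mitigation at all
    info["os_mitigated"] = True
    vmx = re.search(r"VMX: ([^,]+)", status)  # absent when the kernel has no KVM/VMX
    if vmx:
        info["vmx"] = vmx.group(1).strip()
    if "SMT vulnerable" in status:
        info["smt_vulnerable"] = True
    elif "SMT disabled" in status:
        info["smt_vulnerable"] = False
    return info

def needs_action(status: str, runs_untrusted_vms: bool) -> list:
    """Map the parsed status onto the bulletin's advice; an empty list means nothing to do."""
    info = parse_l1tf(status)
    if not info["os_mitigated"]:
        return ["kernel lacks L1TF mitigation: apply the OS/hypervisor update"]
    findings = []
    if info["vmx"] == "vulnerable":
        findings.append("VMX L1D flush is off: guests can observe host L1D contents")
    if runs_untrusted_vms and info["smt_vulnerable"]:
        findings.append("SMT active with untrusted guests: enable core scheduling or disable hyper-threading")
    return findings

# Constructed sample strings in the kernel's documented format (not captured from real hosts).
SAMPLES = {
    "patched_no_vmx": "Mitigation: PTE Inversion",
    "hypervisor_smt_on": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "hypervisor_smt_off": "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "old_kernel": "Vulnerable",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name}: {needs_action(line, runs_untrusted_vms=True) or 'OK'}")
```

Microcode presence is not visible in this file; compare the firmware revision against the table in this bulletin separately.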
The following table lists the Mission Critical Servers which support processors impacted by these vulnerabilities. HPE has already made available updated System ROMs including the necessary microcode required to support mitigation of these issues.

Impacted Server(s)
HPE Superdome Flex Server
HPE Integrity Superdome X
HPE Integrity MC990 X Server, SGI UV 300, 300H, 300RL, 30EX
HPE ProLiant DL980 Gen7 Server
SGI UV 3000
SGI UV 2000
SGI UV 1000, SGI UV 100

NOTE : These vulnerabilities do NOT impact systems using Itanium processors.

NOTE : An SGX variant called "L1 Terminal Fault - SGX" (CVE-2018-3615) only impacts systems that support Intel's SGX functionality. The systems listed in this bulletin are NOT vulnerable to the SGX variant.
HPE recommends installing mitigations for these security vulnerabilities on impacted products. This includes updating the system firmware that contains the Intel microcode supporting mitigation of these vulnerabilities, as well as updating the OS and/or Hypervisor to a revision that supports mitigation. Refer to the following table for the firmware revisions that include updated microcode for Intel-based Superdome and SGI UV servers.

Server(s)                                                     FW Version          Projected Availability
HPE Superdome Flex Server                                     2.5.246             Released
HPE Integrity Superdome X                                     2018.10 (8.8.16)    Released
HPE Integrity MC990 X Server, SGI UV 300, 300H, 300RL, 30EX   2018.06             Released
HPE ProLiant DL980 Gen7 Server                                2018.05.21          Released
SGI UV 3000                                                   2018.06             Released
SGI UV 2000                                                   2018.07             Released
SGI UV 1000, SGI UV 100                                       2018.07             Released

As server firmware becomes available, it can be obtained as follows.

NOTE : For SGI UV servers, contact your HPE support representative to obtain the firmware.

1. Click the following link: https://support.hpe.com/hpesc/public/home
2. Enter a product name (e.g., "Superdome Flex server") in the text search field and wait for a list of products to populate.
3. From the products displayed, identify the desired product and click on the Drivers & software icon to the right of the product.
4. From the Drivers & software dropdown menus on the left side of the page:
   - Select the Software Type (e.g., Firmware)
   - Select the Software Sub Type (e.g., Lights-Out Management)
   - For further filtering if needed, select the specific Operating System from the Operating Environment.
5. Select the latest release of the System ROM.
   Note: To ensure the latest version will be downloaded, click on the Revision History tab to check if a new version of the firmware/driver is available.
6. Click Download.

NOTE: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.

RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP : For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for servers and Options, refer to the Navigation Tips document.

SEARCH TIP : For hints on locating similar documents on HPE.com, refer to the Search Tips Document.

To search for additional advisories related to CVE, use the following search string: +Advisory +ProLiant -"Software and Drivers" +CVE