Protecting your Compute Instance Against the L1TF Vulnerability

Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors, for more information, see Vulnerability Note VU#584653. These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received the following CVE identifiers:

  • CVE-2018-3615 which impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.

  • CVE-2018-3620 which impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.

  • CVE-2018-3646 which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.

See the Oracle Cloud Security Response to Intel L1TF Vulnerabilities for more information.

Patching Oracle Linux Instances

For Oracle Linux, the patches for the CVE-2018-3620 and CVE-2018-3646 vulnerabilities are addressed by the same set of patches.

Bare metal instances must have the latest microcode updates from Intel. This step is not required for VM instances.

To install the latest microcode updates, run the following command:

# sudo yum update microcode_ctl
			

The microcode RPM should be greater than or equal to microcode_ctl-2.1-29.2.0.4.el7_5.x86_64.rpm. This is the version of the microcode package that shipped for the Spectre v3a and Spectre v4 updates. No additional update is required. In addition to the microcode update, you should also patch your bare metal instances using the following set of instructions.

To patch the OS for bare metal and VM instances with downtime

The yum-plugin-security package allows you to use yum to obtain a list of all of the errata that are available for your system, including security updates. You can also use Oracle Enterprise Manager 12c Cloud Control or management tools such as Katello, Pulp, Red Hat Satellite, Spacewalk, and SUSE Manager to extract and display information about errata.

  1. To install the yum-plugin-security package, run the following command:

    # sudo yum install yum-plugin-security
  2. Use the --cve option to display the errata that correspond to a specified CVE, and to install those required packages, by running the following commands:

    # sudo yum updateinfo list --cve CVE-2018-3620
    # sudo yum update --cve CVE-2018-3620

    A system reboot will be required once the package is applied. By default, the boot manager will automatically enable the most recent kernel version. For more information on using yum update, visit Installing and Using the Yum Security Plugin.

  3. After the system reboots, ensure that the following file is populated.

    cat /sys/devices/system/cpu/vulnerabilities/l1tf

Patching Windows Instances

Protecting New Windows VM and Bare Metal Instances

When you create a new VM or bare metal instance based on the latest Oracle-provided Windows images, the image includes the Microsoft-recommended patches to protect against the L1TF vulnerability. Windows bare metal instances also include the latest microcode updates from Intel.

There is no further action required from you to protect your new Windows-based VM or bare metal instances from the L1TF vulnerability. You should ensure that you keep the your instances updated with the latest patches as recommended by your OS vendor.

Protecting Existing Windows VM and Bare Metal Instances

To update the microcode for existing bare metal instances

Bare metal instances launched before the Oracle-provided Windows images were updated must have the latest microcode updates from Intel. You need to recycle your Windows bare metal instances in order to receive the latest Intel microcode update. This step is not required for VM instances.

  1. Create a new custom image of your Windows bare metal instance, see Creating Windows Custom Images for more information.

  2. Terminate your existing Windows bare metal instance.

  3. Open the navigation menu. Under Core Infrastructure, go to Compute and click Custom Images. Find the custom image you want to use.
  4. Click the Actions icon (three dots), and then click Create Instance.

  5. Provide additional launch options as described in Creating an Instance.

Once you have completed these steps, perform the steps in the next procedure to update the instance with the latest OS updates from Microsoft.

To patch the OS for bare metal and VM instances with downtime

Windows images include the Windows Update utility, which you can run to get the latest Windows updates from Microsoft. You have to configure the security list on the subnet on which the instance is running to allow instances to access Windows update servers. See Windows OS Updates for Windows Images and Security Lists for more information.

  1. Verify that you have installed the latest Windows OS security update from Microsoft.

    1. If automatic updates are turned on, the updates should be automatically delivered to the instance.

    2. To manually check for the latest update, select Start.

    3. In Settings select Updates & security and then select Windows Update.

    4. In Windows Update, click Check for updates.

    5. When you turn on automatic updates, this update will be downloaded and installed automatically. For more information about how to turn on automatic updates, see Windows Update: FAQ.

For additional details see Windows Server guidance to protect against L1 terminal fault.

Patching Ubuntu or CentOS Instances

When you create a new VM or bare metal instance based on the latest Oracle-provided Ubuntu or CentOS images, the image includes the recommended patches to protect against the L1TF vulnerability, see for more information L1 Terminal Fault (L1TF) and L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646.

For existing VM or bare metal instances you should follow the guidance provided by the OS vendor for patching systems.