Oracle Cloud Infrastructure Customer Advisory for MDS Impact on the Database Service
Intel disclosed 4 new speculative execution side-channel processor vulnerabilities affecting Intel processors. These vulnerabilities have received the following CVE identifiers:
CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)
For more information, see https://blogs.oracle.com/security/intelmds.
Oracle has deployed technical mitigations across Oracle Cloud Infrastructure systems designed to prevent a malicious attacker’s virtual machine (VM) instance from accessing data from other VM instances.
Autonomous Data Warehouse and Autonomous Transaction Processing
Autonomous Data Warehouse provides fully managed databases optimized for running data warehouse workloads.
Autonomous Transaction Processing provides fully managed databases optimized for running online transaction processing and mixed database workloads.
Autonomous Data Warehouse and Autonomous Transaction Processing are not affected by MDS vulnerabilities. These services do not run on their own hypervisor and they do not allow for the execution of untrusted code in their services enclave. Customers can execute code within their own instances and each customer instance is isolated from that of another customer. No further customer action is currently required.
Guidance for the Database Service on Bare Metal Instances
The Database service on Oracle Cloud Infrastructure bare metal instances offers customers full control over their Oracle Database running on a physical server. Oracle Cloud Infrastructure's network virtualization is designed and configured to protect these instances from unauthorized access from other instances on the Oracle Cloud Infrastructure network, including other customer instances, both VM instances and other bare metal instances. As a result, the Database service on bare metal instances is not affected by the MDS vulnerabilities.
Actions for Customers with VM DB Systems, Bare Metal DB Systems, or Exadata DB Systems
Customers are advised to apply available patches at the earliest possible time. Use the following instructions to patch a running instance:
For DB systems on bare metal instances, apply the OS patches following the instructions in Updating a DB System.
For DB systems on a VM instance, configured using the Oracle Cloud Infrastructure Database service, apply the OS patches following the instructions in Updating a DB System.
For the DB systems on a VM instance configured using the Oracle Platform Service Manager, apply the OS patches following the instructions in Applying Linux OS Security Patches by Using the dbaascli Utility.
For Exadata DB systems, apply the OS patches following the instructions in Updating an Exadata DB System.
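A post-patch check for a Linux DB system host, added here as an example and not part of Oracle's advisory: it reads the kernel's sysfs MDS status file and classifies the result, including the SMT state the kernel reports. The function names and output labels are assumptions of this example; the status strings follow the Linux kernel's MDS documentation.

```shell
#!/bin/sh
# Added example: classify the MDS status string the Linux kernel exposes in sysfs.
# Output labels (mitigated, microcode_missing, ...) are this example's own.

classify_mds() {
    case "$1" in
        "Not affected"*)
            echo not_affected ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffers are cleared on transitions; SMT siblings may still share them.
            case "$1" in
                *"SMT vulnerable"*)          echo mitigated_smt_exposed ;;
                *"SMT Host state unknown"*)  echo mitigated_smt_unknown ;;  # typical inside a VM
                *)                           echo mitigated ;;
            esac ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel is patched but the CPU microcode update is missing.
            echo microcode_missing ;;
        "Vulnerable"*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# Read the live status. The sysfs file does not exist on kernels that
# predate the MDS patches, which is itself a finding.
mds_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/mds}"
    if [ -r "$f" ]; then
        classify_mds "$(cat "$f")"
    else
        echo kernel_not_patched
    fi
}

echo "MDS status on this host: $(mds_status)"
```

Any result other than not_affected or mitigated after patching means the OS update, the microcode update, or the SMT configuration still needs attention.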