Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Database Service

Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors. For more information, see Vulnerability Note VU#584653. These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received the following CVE identifiers:

  • CVE-2018-3615, which impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.

  • CVE-2018-3620, which impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.

  • CVE-2018-3646, which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.

See the Oracle Cloud Security Response to Intel L1TF Vulnerabilities for more information.

Oracle has deployed technical mitigations across Oracle Cloud Infrastructure systems designed to prevent a malicious attacker’s virtual machine (VM) instance from accessing data from other VM instances.

Autonomous Data Warehouse and Autonomous Transaction Processing

Autonomous Data Warehouse provides fully managed databases optimized for running data warehouse workloads. Autonomous Transaction Processing provides fully managed databases optimized for running online transaction processing and mixed database workloads. Autonomous Data Warehouse and Autonomous Transaction Processing are not affected by the L1TF vulnerabilities, CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646. No further action is required by customers.

Guidance for the Database Service on Bare Metal Instances

The Database service on Oracle Cloud Infrastructure bare metal instances offers customers full control over their Oracle Database running on a physical server. Oracle Cloud Infrastructure's network virtualization is designed and configured to protect these instances from unauthorized access from other instances on the Oracle Cloud Infrastructure network, including other customer instances, both VM instances and other bare metal instances.

Actions for Customers with VM DB Systems, Bare Metal DB Systems, or Exadata DB Systems

Vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same operating system. As a result, you need to patch these systems once these patches are available. These patches will be available shortly and Oracle will update this page when the operating system (OS) patches are published. Oracle will update the Database base images with the latest patches for new instance launches.
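A Linux kernel that carries the L1TF fixes reports its mitigation state in sysfs, which gives a quick way to confirm that an OS patch for CVE-2018-3620 has taken effect after a reboot. The check below is an added example and not part of Oracle's advisory or patch instructions; it assumes a Linux DB system whose kernel exposes /sys/devices/system/cpu/vulnerabilities/l1tf, and the function names and result labels are illustrative.

```shell
#!/bin/sh
# Added example: classify the kernel's own L1TF status line.
# Assumption: Linux kernel with the L1TF fixes, which exposes this sysfs file.
# A kernel that lacks the file predates the fixes and still needs the OS patch.
L1TF_SYSFS="${L1TF_SYSFS:-/sys/devices/system/cpu/vulnerabilities/l1tf}"

# Status strings the kernel documents (shown here as constructed samples):
#   Not affected
#   Vulnerable
#   Mitigation: PTE Inversion
#   Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

# classify_l1tf STATUS_LINE -> prints one label:
#   not-affected | mitigated | mitigated-vmm-exposed | vulnerable | unknown
classify_l1tf() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)
            case "$1" in
                # OS-level fix (CVE-2018-3620) is active, but the VMX part of
                # the line shows exposure that matters if this system itself
                # runs virtual machines (CVE-2018-3646).
                *"SMT vulnerable"*|*"VMX: vulnerable"*)
                    echo "mitigated-vmm-exposed" ;;
                *) echo "mitigated" ;;
            esac ;;
        "Vulnerable"*) echo "vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# check_l1tf [FILE] -> prints the label.
# Returns 0 when no action is needed, 1 when review or patching is needed,
# 2 when the sysfs entry is missing (kernel without the L1TF fixes).
check_l1tf() {
    file="${1:-$L1TF_SYSFS}"
    if [ ! -r "$file" ]; then
        echo "no-sysfs-entry"
        return 2
    fi
    state=$(classify_l1tf "$(cat "$file")")
    echo "$state"
    case "$state" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}
```

Source the file and run `check_l1tf` with no arguments on the instance, before and after patching, to compare the reported state.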

Once the patches are available, use the following instructions to patch a running instance: