Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Database Service
Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors. For more information, see Vulnerability Note VU#584653. These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received the following CVE identifiers:
CVE-2018-3615, which impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.
CVE-2018-3620, which impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.
CVE-2018-3646, which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.
See the Oracle Cloud Security Response to Intel L1TF Vulnerabilities for more information.
Oracle has deployed technical mitigations across Oracle Cloud Infrastructure systems designed to prevent a malicious attacker’s virtual machine (VM) instance from accessing data from other VM instances.
Autonomous Data Warehouse and Autonomous Transaction Processing
Autonomous Data Warehouse provides fully managed databases optimized for running data warehouse workloads. Autonomous Transaction Processing provides fully managed databases optimized for running online transaction processing and mixed database workloads. Autonomous Data Warehouse and Autonomous Transaction Processing are not affected by the L1TF vulnerabilities, CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646. No further action is required by customers.
Guidance for the DatabaseService on Bare Metal Instances
The Database service on Oracle Cloud Infrastructure bare metal instances offer customers full control over their Oracle Database running on a physical server. Oracle Cloud Infrastructure's network virtualization is designed and configured to protect these instances from unauthorized access from other instances on the Oracle Cloud Infrastructure network, including other customer instances, both VM instances and other bare metal instances.
Actions for Customers with VM DB Systems, Bare Metal DB Systems, or Exadata DB Systems
Vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same operating system. As a result, you need to patch these systems once these patches are available. These patches will be available shortly and Oracle will update this page when the operating system (OS) patches are published. Oracle will update the Database base images with the latest patches for new instance launches.
Once the patches are available, use the following instructions to patch a running instance:
For DB systems on bare metal instances, apply the OS patches following the instructions in Updating a DB System.
For DB systems on a VM instance, configured using the Oracle Cloud Infrastructure Database service, apply the OS patches following the instructions in Updating a DB System.
For the DB systems on a VM instance configured using the Oracle Platform Service Manager, apply the OS patches following the instructions in Applying Linux OS Security Patches by Using the dbaascli Utility.
For Exadata DB systems, apply the OS patches following the instructions in Updating an Exadata DB System.