Oracle Cloud Security Response to Intel L1TF Vulnerabilities

Intel disclosed a set of speculative execution side-channel processor vulnerabilities affecting their processors. For more information, see Vulnerability Note VU#584653. These L1 Terminal Fault (L1TF) vulnerabilities affect several Intel processors, and they have received the following CVE identifiers:

  • CVE-2018-3615, which impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.

  • CVE-2018-3620, which impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.

  • CVE-2018-3646, which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.

See Intel Processor L1TF vulnerabilities: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 for more information.

Oracle Cloud Infrastructure

Oracle has deployed technical mitigations across Oracle Cloud Infrastructure systems designed to prevent a malicious attacker's virtual machine (VM) instance from accessing data from other VM instances.

However, vulnerability CVE-2018-3620 could enable a rogue user mode process to read privileged kernel memory within the same virtual machine. As a result, if you manage your own operating systems (OS), you are advised to keep up with OS security patches to address this vulnerability.

The following sections contain the details of mitigations and actions.

Oracle Cloud Infrastructure Compute

For details and required actions related to the Compute service's VM and bare metal instances, see Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Compute Service.

Oracle Cloud Infrastructure Database

If you use Autonomous Database for Analytics and Data Warehousing and Autonomous Database for Transaction Processing and Mixed Workloads, you have no further action to take.

For details and required actions related to Oracle Cloud Infrastructure offerings for VM DB systems, bare metal DB systems, and Exadata DB systems, see Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Database Service.

Platform Service and Kubernetes Services on Oracle Cloud Infrastructure

Oracle has deployed technical mitigations designed to prevent malicious attacker's VM instance from accessing data from other VM instances on the same hypervisor.

However, vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same virtual machine. As a result, Oracle patched all Platform Service hosts that are managed by Oracle. If you manage your own operating systems, you're advised to keep up with the OS security patches to address this vulnerability.

Other Oracle Cloud Infrastructure Services

Mitigations designed to protect all other Oracle Cloud Infrastructure services have been deployed. Oracle notified and coordinated directly with customers for any additional required maintenance activities.

Oracle Cloud Infrastructure Classic and Oracle Platform Service on Oracle Cloud Infrastructure Classic

For more information, see Oracle Cloud Infrastructure Classic.

Oracle is deploying technical mitigations designed for Infrastructure and Platform Services on Oracle Cloud Infrastructure Classic. Some customers might experience reboots or downtime associated while deploying these mitigations.

Vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same virtual machine. As a result, Oracle patched all Platform Service hosts that are managed by Oracle. If you manage your own operating systems, you're advised to keep up with the OS security patches to address this vulnerability.