Oracle Cloud Infrastructure Documentation

Oracle Cloud Security Response to Intel L1TF Vulnerabilities

Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors. For more information, see Vulnerability Note VU#584653. These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received the following CVE identifiers:

  • CVE-2018-3615, which impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.

  • CVE-2018-3620, which impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.

  • CVE-2018-3646, which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.

See Intel Processor L1TF vulnerabilities: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 for more information.

Oracle Cloud Infrastructure

Oracle has deployed technical mitigations across Oracle Cloud Infrastructure systems designed to prevent a malicious attacker’s virtual machine (VM) instance from accessing data from other VM instances.

However, vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same virtual machine. As a result, if you manage your own operating systems (OS), you are advised to keep up with OS security patches to address this vulnerability.

The following sections contain the details of mitigations and actions.

Oracle Cloud Infrastructure Compute

For details and required actions related to the Compute service's VM and bare metal instances, see Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Compute Service.

Oracle Cloud Infrastructure Database

If you use Autonomous Data Warehouse and Autonomous Transaction Processing, you have no further action to take.

For details and required actions related to Oracle Cloud Infrastructure offerings for VM DB systems, bare metal DB systems, and Exadata DB systems, see Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Database Service.

Platform Service and Kubernetes Services on Oracle Cloud Infrastructure

Oracle has deployed technical mitigations designed to prevent a malicious attacker’s VM instance from accessing data from other VM instances on the same hypervisor.

However, vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same virtual machine. As a result, Platform Service hosts managed by Oracle are being patched by Oracle. If you manage your own operating systems, you're advised to keep up with the OS security patches to address this vulnerability.

Other Oracle Cloud Infrastructure Services

Mitigations designed to protect all other Oracle Cloud Infrastructure services have been deployed. Oracle will notify and coordinate directly with customers for any additional required maintenance activities.

Oracle Cloud Infrastructure Classic and Oracle Platform Service on Oracle Cloud Infrastructure Classic

For more information, see Oracle Cloud Infrastructure Classic.

Oracle is deploying technical mitigations designed for Infrastructure and Platform Services on Oracle Cloud Infrastructure Classic. Some customers may experience reboots or downtime associated with the deployment of these mitigations.

Vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same virtual machine. As a result, Platform Service hosts managed by Oracle are being patched by Oracle. If you manage your own operating systems, you're advised to keep up with the OS security patches to address this vulnerability.