Oracle Cloud Infrastructure Compute Content Impact

Intel disclosed these speculative execution side-channel processor vulnerabilities affecting Intel processors.

These vulnerabilities have received the following CVE identifiers:

  • CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)

  • CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)

  • CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)

For more information, see https://blogs.oracle.com/security/intelmds.

Patching Oracle Linux Instances

Oracle has released security patches for Oracle Linux 6, Oracle Linux 7, and Oracle VM Server for x86. In addition to the OS patches, customers should run the latest microcode from Intel to mitigate these issues. For both bare metal and VM instances, install the latest Ksplice updates by running uptrack-upgrade.

For Oracle Linux, all four MDS vulnerabilities are addressed by the same set of patches. For further information, see the following:

Bare metal instances must have the latest microcode updates from Intel. This step is not required for VM instances.

To install the latest microcode updates on bare metal instances, run the following command:

# sudo yum update microcode_ctl

The required versions of microcode_ctl rpms are:

  • Oracle Linux 7: microcode_ctl 2.1-47.0.4
  • Oracle Linux 6: microcode_ctl 1.17-1002

No additional microcode update is required. In addition to the microcode update, patch your bare metal instances using the following set of instructions.

To patch the OS for bare metal and VM instances with downtime

The yum-plugin-security package allows you to use yum to obtain a list of all errata that are available for your system, including security updates. You can also use Oracle Enterprise Manager 12c Cloud Control or management tools such as Katello, Pulp, Red Hat Satellite, Spacewalk, and SUSE Manager to extract and display information about errata.

  1. To install the yum-plugin-security package, run the following command:

    # sudo yum install yum-plugin-security
  2. Use the --cve option to display the errata that correspond to a specified CVE, and to install those required packages, by running the following commands:

    # sudo yum updateinfo list --cve CVE-####-####
    # sudo yum update --cve CVE-####-####

    Replace ####-#### in the above commands with the relevant CVE numbers.

  3. A system reboot is required once the packages are applied. By default, the boot manager automatically enables the most recent kernel version. For more information on using yum update, see Installing and Using the Yum Security Plugin.

  4. After the system reboots, check that the following file exists and reports the mitigation status:

    cat /sys/devices/system/cpu/vulnerabilities/mds
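Step 4 says only that the mds file must be populated; the kernel writes a status string into it that tells you whether the kernel mitigation, the microcode, or both are missing. The following shell script is an added example written for this page, not Oracle's own tooling: it classifies that string, compares the installed microcode_ctl against the versions listed above, and expands the four MDS CVEs into the repeated --cve options for yum so the ####-#### placeholder does not have to be filled in by hand. The status strings are the ones the Linux kernel emits for this sysfs file and the rpm query format is standard; the function names and report wording are the example's own.

```shell
#!/bin/sh
# Added example for the Oracle Linux procedure above; not Oracle's tooling. Read-only:
# it reports the MDS mitigation state and what is still to do, it changes nothing.
# The mds status strings are the ones the Linux kernel writes to the sysfs file.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# The four MDS CVEs from the page; yum's security plugin accepts --cve more than once.
MDS_CVES="CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091"

# mds_yum_args: expand the CVE list into repeated --cve options for yum updateinfo/update.
mds_yum_args() {
    args=""
    for c in $MDS_CVES; do args="$args --cve $c"; done
    echo "${args# }"
}

# read_mds_status [PATH]: the kernel's MDS status line, or "missing" when the file is
# absent (a kernel that predates the MDS work never creates it).
read_mds_status() {
    path=${1:-$MDS_SYSFS}
    if [ -r "$path" ]; then cat "$path"; else echo missing; fi
}

# classify_mds_status STATUS: map the kernel's wording to one token.
#   not_affected   CPU is not affected by MDS
#   mitigated      kernel and microcode in place, SMT disabled or mitigated
#   mitigated_smt  kernel and microcode in place, but SMT is reported vulnerable
#                  or the host state is unknown (inside a VM)
#   no_microcode   kernel patched, CPU microcode missing (bare metal: update microcode_ctl)
#   vulnerable     kernel has no MDS mitigation (apply the yum --cve update and reboot)
#   missing        sysfs entry absent: the kernel is too old to know about MDS
classify_mds_status() {
    case "$1" in
        "Not affected")                                          echo not_affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode") echo no_microcode ;;
        Vulnerable*)                                             echo vulnerable ;;
        "Mitigation: Clear CPU buffers; SMT disabled"|"Mitigation: Clear CPU buffers; SMT mitigated") echo mitigated ;;
        Mitigation*)                                             echo mitigated_smt ;;
        missing)                                                 echo missing ;;
        *)                                                       echo unknown ;;
    esac
}

# version_ge A B: succeed when version-release A is at least B. Each run of digits is
# compared numerically, so 47.0.10 is newer than 47.0.4 and an "el7" suffix is harmless.
version_ge() {
    i=1
    while :; do
        fa=$(printf '%s\n' "$1" | tr -cs '0-9' '\n' | sed -n "${i}p")
        fb=$(printf '%s\n' "$2" | tr -cs '0-9' '\n' | sed -n "${i}p")
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # every field compared equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# required_microcode_ctl MAJOR: minimum microcode_ctl version-release the page lists
# for Oracle Linux 7 and 6; other releases are reported as not covered.
required_microcode_ctl() {
    case "$1" in
        7) echo 2.1-47.0.4 ;;
        6) echo 1.17-1002 ;;
        *) return 1 ;;
    esac
}

# installed_microcode_ctl: version-release from the rpm database, empty when not installed.
installed_microcode_ctl() {
    ver=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' microcode_ctl 2>/dev/null) || ver=""
    echo "$ver"
}

# mds_check [OL_MAJOR] [bare|vm]: report the mitigation state and what is still to do.
# microcode_ctl is checked only on bare metal; VM instances get microcode from the host.
mds_check() {
    major=${1:-7}
    kind=${2:-bare}
    status=$(read_mds_status)
    class=$(classify_mds_status "$status")
    echo "mds sysfs : $status"
    echo "class     : $class"
    case "$class" in
        vulnerable|missing) echo "action    : kernel not patched; sudo yum update $(mds_yum_args) && reboot" ;;
        no_microcode)       echo "action    : kernel patched but CPU microcode missing" ;;
        mitigated_smt)      echo "action    : kernel and microcode in place; SMT state still needs review" ;;
        *)                  echo "action    : none" ;;
    esac
    [ "$kind" = bare ] || return 0
    if ! need=$(required_microcode_ctl "$major"); then
        echo "microcode : no microcode_ctl requirement listed for Oracle Linux $major"
        return 0
    fi
    have=$(installed_microcode_ctl)
    if [ -n "$have" ] && version_ge "$have" "$need"; then
        echo "microcode : microcode_ctl $have meets required $need"
    else
        echo "microcode : microcode_ctl ${have:-not installed} is below $need; run: sudo yum update microcode_ctl"
    fi
}

mds_check "$@"
```

Run it as `sh mds_check.sh 7 bare` on an Oracle Linux 7 bare metal instance, or `sh mds_check.sh 7 vm` on a VM, where the microcode_ctl comparison is skipped. A "no_microcode" result on bare metal means step 4 is not yet satisfied even though the kernel update landed; that is the case the page's microcode requirement exists for.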

Patching Windows Instances

Protecting New Windows VM and Bare Metal Instances

When you create a new VM or bare metal instance based on the latest Windows platform images, the image includes the Microsoft-recommended patches to protect against the MDS vulnerabilities. Windows bare metal instances also include the latest microcode updates from Intel. To apply the MDS patch, install the latest Windows updates and reboot the instance. Keep your instances updated with the latest patches as recommended by your OS vendor.

Protecting Existing Windows VM and Bare Metal Instances

To update the microcode for existing bare metal instances

Bare metal instances launched before the Windows platform images were updated must have the latest microcode updates from Intel. You need to recycle your Windows bare metal instances in order to receive the latest Intel microcode update. This step is not required for VM instances.

  1. Create a new custom image of your Windows bare metal instance; see Creating Windows Custom Images for more information.

  2. Terminate your existing Windows bare metal instance.

  3. Open the navigation menu and click Compute. Under Compute, click Custom Images. Find the custom image you want to use.

  4. Click the Actions menu, and then click Create Instance.

  5. Provide additional launch options as described in Creating an Instance.

Once you have completed these steps, perform the steps in the next procedure to update the instance with the latest OS updates from Microsoft.

To patch the OS for bare metal and VM instances with downtime

Windows images include the Windows Update utility, which you can run to get the latest Windows updates from Microsoft. You must configure the security list on the subnet on which the instance is running to allow instances to reach the Windows Update servers. See Windows OS Updates for Windows Images and Security Lists for more information.

  1. Verify that you have installed the latest Windows OS security update from Microsoft.

    1. If automatic updates are turned on, the updates should be automatically delivered to the instance.

    2. To manually check for the latest update, select Start.

    3. In Settings select Updates & security and then select Windows Update.

    4. In Windows Update, click Check for updates.

    5. When you turn on automatic updates, this update will be downloaded and installed automatically. For more information about how to turn on automatic updates, see Windows Update: FAQ.

For additional details see Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

Patching Ubuntu or CentOS Instances

The recommended patches to protect against the MDS vulnerabilities are included when you create a new VM or bare metal instance based on the latest Ubuntu or CentOS platform images. See Microarchitectural Data Sampling (MDS) and MDS - Microarchitectural Store Buffer Data - CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091. For existing VM or bare metal instances, follow the patching guidance provided by the original OS vendor.

Note

Any images published after May 14, 2019 and listed in the image release notes include the MDS patches. If you are using earlier images that are already launched, follow the patching instructions above.