Oracle Cloud Infrastructure Documentation

Oracle Cloud Infrastructure Compute Content Impact

Intel disclosed four new speculative execution side-channel processor vulnerabilities affecting Intel processors. These vulnerabilities have received the following CVE identifiers:

  • CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)

  • CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)

  • CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)

For more information, see https://blogs.oracle.com/security/intelmds.

Recommended Action

Oracle recommends that customers patch the operating systems for their existing bare metal and virtual machine (VM) instances and verify that these OS updates include the patch for the MDS vulnerabilities. For VM instances, the Oracle Cloud Infrastructure team has implemented the necessary workarounds designed to mitigate the MDS vulnerabilities. For bare metal instances using virtualization technology, you should also follow these instructions:

If you are running your own virtualization stack or hypervisors on bare metal instances, you should apply the appropriate patch required to address the MDS processor vulnerabilities.

The information in the following sections details the commands needed to update your running instances created with Oracle-Provided Images.

The following Oracle-provided image releases have been updated with the recommended patches. As a result, instances created using these images or subsequent images include the recommended patches for the MDS vulnerabilities.

Customers running instances created from imported third-party images should refer to the operating system (OS) vendor's guidance to patch the OS for the MDS vulnerability.

Patching Oracle Linux Instances

Oracle has released security patches for Oracle Linux 6, Oracle Linux 7, and Oracle VM Server for X86 products. In addition to the OS patches, customers should run the latest version of the microcode from Intel to mitigate these issues. For both bare metal and VM instances, please install the latest Ksplice updates via uptrack-upgrade.

Note

See Installing Ksplice Uptrack Within the Oracle Cloud Infrastructure for how to install Ksplice.

For Oracle Linux, the MDS vulnerabilities are addressed by the same set of patches. For further information, please see the following:

Bare metal instances must have the latest microcode updates from Intel. This step is not required for VM instances.

To install the latest microcode updates on bare metal instances, run the following command:

# sudo yum update microcode_ctl

The required versions of microcode_ctl rpms are:

  • Oracle Linux 7: microcode_ctl 2.1-47.0.4

  • Oracle Linux 6: microcode_ctl 1.17-1002

No additional update is required. In addition to the microcode update, you should also patch your bare metal instances using the following set of instructions.

To patch the OS for bare metal and VM instances with downtime
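To verify the result on an Oracle Linux instance after patching, the following added example (not Oracle tooling and not part of the original page) classifies the kernel's MDS status line and compares the installed microcode_ctl package against the minimum versions listed above. The sysfs path and status strings are taken from the upstream Linux kernel MDS documentation and are an assumption for your kernel build; the function names are hypothetical, and `sort -V` only approximates RPM version ordering.

```shell
#!/bin/sh
# Added example, not Oracle tooling. The sysfs path and status strings follow the
# upstream Linux kernel MDS documentation; the minimum versions are this page's.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_state "<status line>" -> not_affected|mitigated|needs_microcode|vulnerable|unknown
mds_state() {
    case "$1" in
        "Not affected"*)                  echo not_affected ;;
        "Mitigation: Clear CPU buffers"*) echo mitigated ;;
        # OS patch is active, but the CPU lacks the updated microcode
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo needs_microcode ;;
        "Vulnerable"*)                    echo vulnerable ;;
        *)                                echo unknown ;;
    esac
}

# required_microcode_ctl <Oracle Linux major> -> minimum version-release from this page
required_microcode_ctl() {
    case "$1" in
        7) echo "2.1-47.0.4" ;;
        6) echo "1.17-1002" ;;
        *) return 1 ;;
    esac
}

# ver_ge <installed> <required>: true when installed >= required. Uses GNU sort -V,
# an approximation of RPM ordering; a plain string compare would rank 33 above 1002.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# mds_report [Oracle Linux major]: print the findings for the local instance
mds_report() {
    if [ -r "$MDS_SYSFS" ]; then
        line=$(cat "$MDS_SYSFS")
        echo "kernel: $line ($(mds_state "$line"))"
    else
        echo "kernel: $MDS_SYSFS missing (unknown; kernel may predate the MDS patches)"
    fi
    if req=$(required_microcode_ctl "${1:-}") && command -v rpm >/dev/null 2>&1; then
        inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' microcode_ctl 2>/dev/null) || inst=""
        if [ -n "$inst" ] && ver_ge "$inst" "$req"; then verdict=ok; else verdict="update required"; fi
        echo "microcode_ctl: installed ${inst:-none}, page minimum $req ($verdict)"
    fi
    return 0
}

mds_report "${1:-}"
```

Pass the Oracle Linux major version (6 or 7) as the first argument to include the microcode_ctl check. A `needs_microcode` result on a bare metal instance means the OS patch is in place but the microcode update is still missing.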

Patching Windows Instances

Protecting New Windows VM and Bare Metal Instances

When you create a new VM or bare metal instance based on the latest Oracle-provided Windows images, the image includes the Microsoft-recommended patches to protect against the MDS vulnerability. Windows bare metal instances also include the latest microcode updates from Intel. To apply the MDS patch, install the latest Windows Updates and reboot the instance. You should ensure that you keep your instances updated with the latest patches as recommended by your OS vendor.

Protecting Existing Windows VM and Bare Metal Instances

To update the microcode for existing bare metal instances
To patch the OS for bare metal and VM instances with downtime

For additional details, see Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

Patching Ubuntu or CentOS Instances

The recommended patches to protect against the MDS vulnerabilities are included when you create a new VM or bare metal instance based on the latest Oracle-provided Ubuntu or CentOS images. See Microarchitectural Data Sampling (MDS) and MDS - Microarchitectural Store Buffer Data - CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091. For existing VM or bare metal instances, you should follow the patching guidance provided by the original OS vendor.

Note

Any images published after May 14th, 2019 listed in the image release notes will include the MDS patches. If you are using instances already launched from earlier images, follow the patching instructions.