Oracle Cloud Infrastructure Compute Content Impact
Intel disclosed these speculative execution side-channel processor vulnerabilities affecting Intel processors.
These vulnerabilities have received the following CVE identifiers:
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)
For more information, see https://blogs.oracle.com/security/intelmds.
Recommended Action
Oracle recommends that customers patch the operating systems for their existing bare metal and virtual machine (VM) instances and verify that these OS updates include the patch for the MDS vulnerabilities. For VM instances, the Oracle Cloud Infrastructure team has implemented the necessary workarounds designed to mitigate the MDS vulnerabilities. For bare metal instances using virtualization technology, you should also follow the instructions below.
If you are running your own virtualization stack or hypervisors on bare metal instances, you should apply the appropriate patch required to address the MDS processor vulnerabilities.
The following sections detail the commands needed to update your running instances created with platform images.
The following platform image releases have been updated with the recommended patches; as a result, instances created using these images or subsequent images include the recommended patches for the MDS vulnerabilities.
Protections against the MDS processor vulnerabilities are enabled by default in Oracle Autonomous Linux 8.x, Oracle Linux 8, Oracle Linux Cloud Developer 8, Ubuntu 20.04, and Windows Server 2019.
- Oracle-Autonomous-Linux-7.7-2019.12-0
- Oracle-Linux-6.10-2019.05.14-0
- Oracle-Linux-7.6-2019.05.14-0
- Oracle-Linux-7.6-Gen2-GPU-2019.05.14-0
- Windows-Server-2012-R2-Standard-Edition-VM-2019.05.15-0
- Windows-Server-2012-R2-Standard-Edition-VM-Gen2-2019.05.14-0
- Windows-Server-2012-R2-Standard-Edition-VM-Gen2-E2-2019.05.15-0
- Windows-Server-2012-R2-Datacenter-Edition-BM-Gen2-2019.05.14-0
- Windows-Server-2012-R2-Datacenter-Edition-BM-Gen2-DenseIO-2019.05.15-0
- Windows-Server-2012-R2-Datacenter-Edition-BM-Gen2-E2-2019.05.14-0
- Windows-Server-2012-R2-Datacenter-Edition-BM-2019.06.17-0
- Windows-Server-2016-Standard-Edition-VM-Gen2-2019.05.14-0
- Windows-Server-2016-Standard-Edition-VM-Gen2-E2-2019.05.14-0
- Windows-Server-2016-Datacenter-Edition-BM-Gen2-2019.05.14-0
- Windows-Server-2016-Datacenter-Edition-BM-Gen2-DenseIO-2019.05.14-0
- Windows-Server-2016-Datacenter-Edition-BM-Gen2-E2-2019.05.15-0
- CentOS-7-2019.05.16-0
- Canonical-Ubuntu-18.04-2019.05.15-0
- Canonical-Ubuntu-18.04-Minimal-2019.05.15-0
Customers running instances created from imported third-party images should refer to the operating system (OS) vendor's guidance to patch the OS for the MDS vulnerability.
Patching Oracle Linux Instances
Oracle has released security patches for Oracle Linux 6, Oracle Linux 7, and Oracle VM Server for X86 products. In addition to the OS patches, customers should run the latest version of the microcode from Intel to mitigate these issues. For both bare metal and VM instances, please install the latest Ksplice via uptrack-upgrade.
See Installing Ksplice Uptrack Within the Oracle Cloud Infrastructure for how to install Ksplice.
For Oracle Linux, all four MDS vulnerabilities are addressed by the same set of patches. For further information please see the following:
- https://linux.oracle.com/cve/CVE-2018-12126.html
- https://linux.oracle.com/cve/CVE-2018-12130.html
- https://linux.oracle.com/cve/CVE-2018-12127.html
- https://linux.oracle.com/cve/CVE-2019-11091.html
Bare metal instances must have the latest microcode updates from Intel. This step is not required for VM instances.
To install the latest microcode updates on bare metal instances, run the following command:
# sudo yum update microcode_ctl
The required versions of microcode_ctl rpms are:
- Oracle Linux 7: microcode_ctl 2.1-47.0.4
- Oracle Linux 6: microcode_ctl 1.17-1002
No additional update is required. In addition to the microcode update, you should also patch your bare metal instances using the following set of instructions.
The yum-plugin-security package allows you to use yum to obtain a list of all errata that are available for your system, including security updates. You can also use Oracle Enterprise Manager 12c Cloud Control or management tools such as Katello, Pulp, Red Hat Satellite, Spacewalk, and SUSE Manager to extract and display information about errata.
- To install the yum-plugin-security package, run the following command:
  # sudo yum install yum-plugin-security
- Use the --cve option to display the errata that correspond to a specified CVE, and to install the required packages, by running the following commands:
  # sudo yum updateinfo list --cve CVE-####-####
  # sudo yum update --cve CVE-####-####
  Replace ####-#### in the above commands with the relevant CVE numbers.
- A system reboot will be required once the package is applied. By default, the boot manager will automatically enable the most recent kernel version. For more information on using yum update, visit Installing and Using the Yum Security Plugin.
- After the system reboots, ensure that the following file is populated:
  cat /sys/devices/system/cpu/vulnerabilities/mds
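The post-reboot check above only tells you that the file exists; what matters is what the kernel wrote into it. The following POSIX shell function, added here as an example and not part of Oracle's documentation or tooling, classifies the kernel's MDS report so that the check can gate a script. The status strings it matches ("Not affected", "Mitigation: ...", "Vulnerable...") are the ones the Linux kernel emits in that sysfs file; the function name, the category names it prints, and the RUN_MDS_CHECK variable are assumptions made for this example. It reads the sysfs path by default, or a file given as its first argument, so a copy of the file saved from an instance can be checked elsewhere.

```shell
#!/bin/sh
# Added example (not Oracle's own tooling): classify the kernel's MDS status
# report from /sys/devices/system/cpu/vulnerabilities/mds.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Prints one category: not-affected, mitigated, mitigated-smt-exposed,
# vulnerable or unknown. Exit status is 0 when the kernel reports that the
# host is not affected or that a mitigation is active, 1 otherwise, so the
# function can be used directly in an "if" or with "||" in a patch script.
mds_status() {
    file="${1:-$MDS_SYSFS}"
    if [ ! -r "$file" ]; then
        # Missing file: kernel too old to know about MDS, or not Linux.
        echo unknown
        return 1
    fi
    line=$(cat "$file")
    case "$line" in
        "Not affected")
            echo not-affected; return 0 ;;
        Mitigation:*"SMT vulnerable"*)
            # Buffers are cleared, but the kernel warns that a sibling
            # hyperthread on the same core can still sample them.
            echo mitigated-smt-exposed; return 0 ;;
        Mitigation:*)
            echo mitigated; return 0 ;;
        Vulnerable*)
            # Covers the plain "Vulnerable" report and the variant that says
            # the buffer clear was attempted without the required microcode.
            echo vulnerable; return 1 ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# Usage on a live instance: RUN_MDS_CHECK=1 sh mds_check.sh
# (file name assumed). Guarded so that sourcing the file does not run it.
if [ "${RUN_MDS_CHECK:-0}" = 1 ]; then
    mds_status "$@"
fi
```

The "mitigated-smt-exposed" category is worth surfacing separately: on bare metal it means the microcode and kernel patches are in place but hyperthreading is still enabled, which is a decision the instance owner has to make rather than something the patch procedure settles.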
Patching Windows Instances
Protecting New Windows VM and Bare Metal Instances
When you create a new VM or bare metal instance based on the latest Windows platform images, the image includes the Microsoft-recommended patches to protect against the MDS vulnerabilities. Windows bare metal instances also include the latest microcode updates from Intel. To apply the MDS patch, install the latest Windows updates and reboot the instance. You should ensure that you keep your instances updated with the latest patches as recommended by your OS vendor.
Protecting Existing Windows VM and Bare Metal Instances
Bare metal instances launched before the Windows platform images were updated must have the latest microcode updates from Intel. You need to recycle your Windows bare metal instances in order to receive the latest Intel microcode update. This step is not required for VM instances.
- Create a new custom image of your Windows bare metal instance; see Creating Windows Custom Images for more information.
- Terminate your existing Windows bare metal instance.
- Open the navigation menu and click Compute. Under Compute, click Custom Images. Find the custom image you want to use.
- Click the , and then click Create Instance.
- Provide additional launch options as described in Creating an Instance.
Once you have completed these steps, perform the steps in the next procedure to update the instance with the latest OS updates from Microsoft.
Windows images include the Windows Update utility, which you can run to get the latest Windows updates from Microsoft. You have to configure the security list on the subnet on which the instance is running to allow instances to access Windows update servers. See Windows OS Updates for Windows Images and Security Lists for more information.
- Verify that you have installed the latest Windows OS security update from Microsoft.
- If automatic updates are turned on, the updates should be automatically delivered to the instance.
- To manually check for the latest update, select Start.
- In Settings, select Updates & security and then select Windows Update.
- In Windows Update, click Check for updates.
- When you turn on automatic updates, this update will be downloaded and installed automatically. For more information about how to turn on automatic updates, see Windows Update: FAQ.
- For additional details, see Windows Server guidance to protect against speculative execution side-channel vulnerabilities.
Patching Ubuntu or CentOS Instances
The recommended patches to protect against the MDS vulnerabilities are included when you create a new VM or bare metal instance based on the latest Ubuntu or CentOS platform images; see Microarchitectural Data Sampling (MDS) and MDS - Microarchitectural Store Buffer Data - CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091. For existing VM or bare metal instances, you should follow the patching guidance provided by the original OS vendor.
Any images published after May 14, 2019 and listed in the image release notes include the MDS patches. If you are using earlier images that are already launched, follow the patching instructions above.