
Bulletin: HPE ProLiant Servers - Side Channel Analysis Method Allows Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00039267en_us

Version: 6

Bulletin: (Revision) HPE ProLiant, Moonshot and Synergy Servers - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-01-31

Last Updated: 2018-01-31


DESCRIPTION

Document Version | Release Date | Details
6 | 01/31/2018 | Updated Description with additional processor and issue timeline information.
5 | 01/22/2018 | Updated advisory with additional information on Gen10 platform System ROMs that have also been removed from the HPE Download Site and recommendation to revert to a previous version of the System ROM.
4 | 01/12/2018 | Updated document with information on Gen8 and Gen9 System ROMs that have been removed from the HPE download site, and additional information.
3 | 01/10/2018 | Updated document with additional information and the latest platform information, fix versions, and updates.
2 | 01/08/2018 | Updated document with additional information and the latest platform information, fix versions, and updates.
1 | 01/05/2018 | Original document release.

On January 3, 2018 an industry-wide vulnerability was publicly disclosed that involves modern microprocessor architectures. Based on new security research, there are software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Often referred to as the Side-Channel Analysis Method, or Spectre/Meltdown, this vulnerability impacts microprocessor architectures from both Intel and AMD used on HPE ProLiant and Synergy servers. Mitigation of these issues requires both an Operating System update, provided by the OS vendor, and a System ROM update from HPE.

There are three variants to the issue. Variant 1 (CVE-2017-5753) and Variant 2 (CVE-2017-5715) are also referred to as Spectre. Variant 1 requires only an OS update.

Variant 2 requires both an OS update and a new microcode which is included in an updated System ROM.

Variant 3 (CVE-2017-5754) is also referred to as Meltdown and only requires an OS update. All three variants of the attack require malicious software running on the system. To reduce exposure to these vulnerabilities, HPE recommends customers vigilantly maintain security best practices and keep systems up to date.

The following links provide additional information regarding this vulnerability:

Processor Vendor Responses:

Intel:

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html Non-HPE site

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr Non-HPE site

AMD: http://www.amd.com/en/corporate/speculative-execution Non-HPE site

ARM Holdings: https://developer.arm.com/support/security-update Non-HPE site

Operating System Vendor Response:

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 Non-HPE site

Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution Non-HPE site

SuSE: https://www.suse.com/support/kb/doc/?id=7022512 Non-HPE site

VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html Non-HPE site

CentOS: https://lists.centos.org/pipermail/centos-announce/2018-January/thread.html Non-HPE site

On January 11, 2018, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for Broadwell and Haswell processors:

https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/ Non-HPE site

On January 17, 2018, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for numerous processors including Skylake, Kaby Lake, Ivybridge, and Sandybridge processors:

https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/ Non-HPE site

On January 22, 2018, Intel announced a recommendation to stop using the versions of the System ROMs that included the impacted microcode and to revert to a previous version of the System ROM, as detailed below:

https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/ Non-HPE site

Intel has now identified the root cause of these issues and determined that these microcodes may introduce reboots and other unpredictable system behavior. Due to the severity of the potential issues that may occur when using these microcodes, Intel is now recommending that customers discontinue their use. Additional information is available from Intel's Security Exploit Newsroom (Non-HPE site).

HPE is in alignment with Intel in our recommendation that customers discontinue use of System ROMs that include impacted microcodes and revert to earlier System ROM versions. All System ROMs that include impacted microcodes have been removed from the HPE Support Site.

This affects HPE ProLiant and Synergy Gen10, Gen9, and Gen8 v2 servers for which updated System ROMs had previously been made available. Intel is working on updated microcodes to address these issues, and HPE will validate updated System ROMs that include these microcodes and make them available in the coming weeks. Mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown) vulnerabilities require only OS updates and are not impacted.

The following System ROMs have been removed:

ROM Family | ROM Version | Servers
U30 | v1.28 (12/11/2017) | ProLiant DL380 Gen10
U31 | v1.28 (12/11/2017) | ProLiant DL160 Gen10, ProLiant DL180 Gen10
U32 | v1.28 (12/11/2017) | ProLiant DL360 Gen10
U33 | v1.28 (12/11/2017) | ProLiant ML110 Gen10
U34 | v1.28 (12/11/2017) | ProLiant DL560 Gen10, ProLiant DL580 Gen10
U36 | v1.28 (12/11/2017) | ProLiant DL120 Gen10
U37 | v1.28 (12/11/2017) | ProLiant XL230k Gen10
U38 | v1.28 (12/11/2017) | ProLiant XL170r Gen10, ProLiant XL190r Gen10
U40 | v1.28 (12/11/2017) | ProLiant XL450 Gen10
U41 | v1.28 (12/11/2017) | ProLiant ML350 Gen10
I41 | v1.28 (12/11/2017) | ProLiant BL460c Gen10
I42 | v1.28 (12/11/2017) | Synergy 480 Gen10 Compute Module
I43 | v1.28 (12/11/2017) | Synergy 660 Gen10 Compute Module
U22 | v2.52 (12/12/2017) | ProLiant DL20 Gen9
U23 | v2.52 (12/12/2017) | ProLiant ML30 Gen9
H07 | v1.60 (12/12/2017) | ProLiant m710x Server Cartridge
U13 | v2.54 (12/07/2017) | ProLiant XL230a Gen9, ProLiant XL250a Gen9
U14 | v2.54 (12/07/2017) | ProLiant XL170r Gen9, ProLiant XL190r Gen9
U15 | v2.54 (12/07/2017) | ProLiant DL60 Gen9, ProLiant DL80 Gen9
U18 | v2.54 (12/07/2017) | ProLiant XL730f Gen9, ProLiant XL740f Gen9, ProLiant XL750f Gen9
U19 | v2.54 (12/07/2017) | HPE Apollo 4200 Gen9
U20 | v2.54 (12/07/2017) | ProLiant DL160 Gen9, ProLiant DL180 Gen9
U21 | v2.54 (12/07/2017) | ProLiant XL450 Gen9
U25 | v2.54 (12/07/2017) | ProLiant XL270d Accelerator Tray
P85 | v2.54 (12/07/2017) | ProLiant DL560 Gen9
P86 | v2.54 (12/07/2017) | ProLiant DL120 Gen9
P89 | v2.54 (12/07/2017) | ProLiant DL380 Gen9, ProLiant DL360 Gen9
P92 | v2.54 (12/07/2017) | ProLiant ML350 Gen9
P95 | v2.54 (12/07/2017) | ProLiant ML150 Gen9
P99 | v2.54 (12/07/2017) | ProLiant ML110 Gen9
I36 | v2.54 (12/07/2017) | ProLiant BL460c Gen9, ProLiant WS460c Gen9
I37 | v2.54 (12/07/2017) | HPE Synergy 480 Gen9 Compute Module
I38 | v2.54 (12/07/2017) | ProLiant BL660c Gen9
I39 | v2.54 (12/07/2017) | HPE Synergy 660 Gen9 Compute Module
U17 | v2.54 (12/07/2017) | ProLiant DL580 Gen9
I40 | v2.54 (12/07/2017) | HPE Synergy 620 Gen9 Compute Module, HPE Synergy 680 Gen9 Compute Module
H06 | 12/12/2017 | ProLiant m710p Server Cartridge
P78 | 12/12/2017 | ProLiant ML310e Gen8 v2
P80 | 12/12/2017 | ProLiant DL320e Gen8 v2
J10 | 12/12/2017 | ProLiant ML10 v2
H03 | 12/12/2017 | ProLiant m710 Server Cartridge


Refer to Customer Advisory a00039784, "ProLiant Gen8, Gen9, and Gen10 Series Servers - CUSTOMER ACTION REQUIRED: Some System ROMs That Addressed the Side Channel Analysis Vulnerability Have Been Removed from the HPE Download Site," for additional information:

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039784en_us


HPE urges all customers to vigilantly maintain security best practices and keep systems up-to-date.



SCOPE

HPE will be releasing updated System ROMs for ProLiant and Synergy Gen10, Gen9, and Gen8 servers including updated microcodes that, along with an OS update, mitigate Variant 2 (Spectre) of this issue. Note that processor vendors have NOT released updated microcodes for numerous processors, which gates HPE's ability to release updated System ROMs.

The following table lists the HPE ProLiant and Synergy servers impacted by these issues for which HPE is making updated System ROMs (including updated microcode) available:

Intel has informed HPE that Itanium is not impacted by these vulnerabilities.

The HPE ProLiant DL385 Gen10 with the AMD microcode update is working as designed and has mitigated the risk associated with the Side Channel Analysis vulnerability.

Instructions on how to obtain operating system and System ROM updates for the HPE ProLiant DL385 Gen10 are currently available on the HPE Vulnerability Website.

ROM Family | Server(s) | System ROM Status
A40 | ProLiant DL385 Gen10 (AMD System) | Available
U30 | ProLiant DL380 Gen10 | Removed*
U31 | ProLiant DL160 Gen10, ProLiant DL180 Gen10 | Removed*
U32 | ProLiant DL360 Gen10 | Removed*
U33 | ProLiant ML110 Gen10 | Removed*
U34 | ProLiant DL560 Gen10, ProLiant DL580 Gen10 | Removed*
U36 | ProLiant DL120 Gen10 | Removed*
U37 | ProLiant XL230k Gen10 | Removed*
U38 | ProLiant XL170r Gen10, ProLiant XL190r Gen10 | Removed*
U40 | ProLiant XL450 Gen10 | Removed*
U41 | ProLiant ML350 Gen10 | Removed*
I41 | ProLiant BL460c Gen10 | Removed*
I42 | HPE Synergy 480 Gen10 | Removed*
I43 | HPE Synergy 660 Gen10 | Removed*
U13 | ProLiant XL230a Gen9, ProLiant XL250a Gen9 | Removed*
U14 | ProLiant XL170r Gen9, ProLiant XL190r Gen9 | Removed*
U15 | ProLiant DL60 Gen9, ProLiant DL80 Gen9 | Removed*
U18 | ProLiant XL730f Gen9, ProLiant XL740f Gen9, ProLiant XL750f Gen9 | Removed*
U19 | Apollo 4200 Gen9 | Removed*
U20 | ProLiant DL160 Gen9, ProLiant DL180 Gen9 | Removed*
U21 | ProLiant XL450 Gen9 | Removed*
U25 | ProLiant XL270d Accelerator Tray | Removed*
P85 | ProLiant DL560 Gen9 | Removed*
P86 | ProLiant DL120 Gen9 | Removed*
P89 | ProLiant DL380 Gen9, ProLiant DL360 Gen9 | Removed*
P92 | ProLiant ML350 Gen9 | Removed*
P95 | ProLiant ML150 Gen9 | Removed*
P99 | ProLiant ML110 Gen9 | Removed*
I36 | ProLiant BL460c Gen9, ProLiant WS460c Gen9 | Removed*
I37 | HPE Synergy 480 Gen9 | Removed*
I38 | ProLiant BL660c Gen9 | Removed*
I39 | HPE Synergy 660 Gen9 | Removed*
U17 | ProLiant DL580 Gen9 | Removed*
I40 | HPE Synergy 620 Gen9, HPE Synergy 680 Gen9 | Removed*
U24 | ProLiant XL260a Gen9 | Not Yet Available
U26 | ProLiant Thin Micro TM200 | Not Yet Available
H05 | ProLiant m510 Server Cartridge | Not Yet Available
U22 | ProLiant DL20 Gen9 | Removed*
U23 | ProLiant ML30 Gen9 | Removed*
H07 | ProLiant m710x Server Cartridge | Removed*
H02 | ProLiant m300 Server Cartridge | Not Yet Available
H04 | ProLiant m350 Server Cartridge | Not Yet Available
H06 | ProLiant m710p Server Cartridge | Removed*
A34 | ProLiant m700 Server Cartridge (AMD System) | Not Yet Available
A35 | m700p Server Cartridge (AMD System) | Not Yet Available
I30 | ProLiant BL420c Gen8 | Not Yet Available
I31 | ProLiant BL460c Gen8 | Not Yet Available
I32 | ProLiant BL660c Gen8 | Not Yet Available
J02 | ProLiant ML350e Gen8, ProLiant ML350e Gen8 v2 | Not Yet Available
J03 | ProLiant DL160 Gen8 | Not Yet Available
P70 | ProLiant DL380p Gen8 | Not Yet Available
P71 | ProLiant DL360p Gen8 | Not Yet Available
P72 | ProLiant ML350p Gen8 | Not Yet Available
P73 | ProLiant DL360e Gen8, ProLiant DL380e Gen8 | Not Yet Available
P74 | ProLiant SL4540 Gen8 | Not Yet Available
P75 | ProLiant SL230s Gen8, ProLiant SL250s Gen8, ProLiant SL270s Gen8 | Not Yet Available
P77 | ProLiant DL560 Gen8 | Not Yet Available
P83 | ProLiant SL210t Gen8 | Not Yet Available
P79 | ProLiant DL580 Gen8 | Not Yet Available
P88 | ProLiant ML10 | Not Yet Available
J04 | ProLiant ML310e Gen8 | Not Yet Available
J05 | ProLiant DL320e Gen8 | Not Yet Available
J06 | ProLiant Microserver Gen8 | Not Yet Available
P78 | ProLiant ML310e Gen8 v2 | Removed*
P80 | ProLiant DL320e Gen8 v2 | Removed*
J10 | ProLiant ML10 v2 | Removed*
H03 | ProLiant m710 Server Cartridge | Removed*
A26 | ProLiant BL465c Gen8 (AMD System) | Not Yet Available
A28 | ProLiant DL385 Gen8 (AMD System) | Not Yet Available

* Indicates that the System ROM had been released to the HPE Support Site but was removed due to Intel-reported microcode issues. See the following advisory: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039784en_us

RESOLUTION

HPE recommends updating the operating system and System ROM (with updated microcode) when available to mitigate the Side Channel Analysis vulnerability. For customers who have deployed System ROMs which have been removed from HPE's Support Site due to Intel-reported microcode issues (https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039784en_us), HPE recommends customers revert to a previous revision of the System ROM which does not contain the impacted microcode.

HPE recommends reverting to a previous version of the System ROM as detailed below:

ROM Family | Servers | Previous version to revert to (does not contain the updated microcode)
U30 | ProLiant DL380 Gen10 | 1.26 (11/14/2017)
U31 | ProLiant DL160 Gen10, ProLiant DL180 Gen10 | 1.26 (11/14/2017)
U32 | ProLiant DL360 Gen10 | 1.26 (11/14/2017)
U33 | ProLiant ML110 Gen10 | 1.26 (11/14/2017)
U34 | ProLiant DL560 Gen10, ProLiant DL580 Gen10 | 1.26 (11/14/2017)
U36 | ProLiant DL120 Gen10 | 1.26 (11/14/2017)
U37 | ProLiant XL230k Gen10 | 1.26 (11/14/2017)
U38 | ProLiant XL170r Gen10, ProLiant XL190r Gen10 | 1.26 (11/14/2017)
U40 | ProLiant XL450 Gen10 | 1.26 (11/14/2017)
U41 | ProLiant ML350 Gen10 | 1.26 (11/14/2017)
I41 | ProLiant BL460c Gen10 | 1.26 (11/14/2017)
I42 | HPE Synergy 480 Gen10 Compute Module | 1.26 (11/14/2017)
I43 | HPE Synergy 660 Gen10 Compute Module | 1.26 (11/14/2017)
U22 | ProLiant DL20 Gen9 | 2.50 (10/02/2017)
U23 | ProLiant ML30 Gen9 | 2.50 (10/02/2017)
H07 | ProLiant m710x Server Cartridge | 1.50 (10/25/2017)
U13 | ProLiant XL230a Gen9, ProLiant XL250a Gen9 | v2.52_10-25-2017
U14 | ProLiant XL170r Gen9, ProLiant XL190r Gen9 | v2.52_10-25-2017
U15 | ProLiant DL60 Gen9, ProLiant DL80 Gen9 | v2.52_10-25-2017
U18 | ProLiant XL730f Gen9, ProLiant XL740f Gen9, ProLiant XL750f Gen9 | v2.52_10-25-2017
U19 | HPE Apollo 4200 Gen9 | v2.52_10-25-2017
U20 | ProLiant DL160 Gen9, ProLiant DL180 Gen9 | v2.52_10-25-2017
U21 | ProLiant XL450 Gen9 | v2.52_10-25-2017
U25 | ProLiant XL270d Accelerator Tray | v2.52_10-25-2017
P85 | ProLiant DL560 Gen9 | v2.52_10-25-2017
P86 | ProLiant DL120 Gen9 | v2.52_10-25-2017
P89 | ProLiant DL380 Gen9, ProLiant DL360 Gen9 | v2.52_10-25-2017
P92 | ProLiant ML350 Gen9 | v2.52_10-25-2017
P95 | ProLiant ML150 Gen9 | v2.52_10-25-2017
P99 | ProLiant ML110 Gen9 | v2.52_10-25-2017
I36 | ProLiant BL460c Gen9, ProLiant WS460c Gen9 | v2.52_10-25-2017
I37 | HPE Synergy 480 Gen9 Compute Module | v2.52_10-25-2017
I38 | ProLiant BL660c Gen9 | v2.52_10-25-2017
I39 | HPE Synergy 660 Gen9 Compute Module | v2.52_10-25-2017
U17 | ProLiant DL580 Gen9 | 2.52_11-08-2017
I40 | HPE Synergy 620 Gen9 Compute Module, HPE Synergy 680 Gen9 Compute Module | 2.52_11-08-2017
H06 | ProLiant m710p Server Cartridge | 2016.07.13
P78 | ProLiant ML310e Gen8 v2 | 2014.03.28
P80 | ProLiant DL320e Gen8 v2 | 2015.04.02
J10 | ProLiant ML10 v2 | 2015.02.02
H03 | ProLiant m710 Server Cartridge | 2016.01.06


Versions of the System ROM are available as follows:

Click the following link: https://support.hpe.com/hpesc/public/home

  1. Enter a product name (e.g., "DL380 Gen10") in the text search field and wait for a list of products to populate. From the products displayed, identify the desired product and click on the Drivers & software icon to the right of the product.
  2. Use the Drivers & software dropdown menus on the left side of the page to filter the results.
  3. Under Software Type, select "BIOS - (Entitlement Required)". (Note that entitlement is NOT required to download these firmware versions.)
  4. For further filtering if needed, select the specific operating system under Operating Environment.
  5. Select the appropriate version of the System ROM.
  6. Click Download.
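As a fleet-wide check for the revert recommendation above, the following added Python example (not HPE's code) parses dmidecode-style BIOS Information output for each host and reports whether the installed ROM is one of the removed builds and which version the bulletin says to revert to. It assumes that on a ProLiant `dmidecode -t bios` reports the ROM family in the Version field and the ROM build date in Release Date; the two host outputs are constructed samples, and the removed/revert values are taken from the tables in this bulletin.

```python
import re

# Removed System ROMs from the bulletin, keyed by ROM family:
# family -> (release date of the removed build, version to revert to).
REMOVED_ROMS = {}
for fam in "U30 U31 U32 U33 U34 U36 U37 U38 U40 U41 I41 I42 I43".split():
    REMOVED_ROMS[fam] = ("12/11/2017", "1.26 (11/14/2017)")  # Gen10 families
for fam in "U13 U14 U15 U18 U19 U20 U21 U25 P85 P86 P89 P92 P95 P99 I36 I37 I38 I39".split():
    REMOVED_ROMS[fam] = ("12/07/2017", "v2.52_10-25-2017")  # Gen9 families
REMOVED_ROMS.update({
    "U17": ("12/07/2017", "2.52_11-08-2017"), "I40": ("12/07/2017", "2.52_11-08-2017"),
    "U22": ("12/12/2017", "2.50 (10/02/2017)"), "U23": ("12/12/2017", "2.50 (10/02/2017)"),
    "H07": ("12/12/2017", "1.50 (10/25/2017)"), "H06": ("12/12/2017", "2016.07.13"),
    "P78": ("12/12/2017", "2014.03.28"), "P80": ("12/12/2017", "2015.04.02"),
    "J10": ("12/12/2017", "2015.02.02"), "H03": ("12/12/2017", "2016.01.06"),
})

# Assumption: `dmidecode -t bios` on a ProLiant reports the ROM family in the
# "Version:" field and the ROM build date in "Release Date:" (mm/dd/yyyy).
_BIOS_BLOCK = re.compile(r"BIOS Information\n(.*?)(?:\n\s*\n|\Z)", re.S)
_FIELD = re.compile(r"^\s*(Version|Release Date):\s*(\S+)", re.M)

def parse_bios(dmidecode_text):
    """Return (rom_family, release_date) from dmidecode output, or None."""
    block = _BIOS_BLOCK.search(dmidecode_text)
    if not block:
        return None
    fields = dict(_FIELD.findall(block.group(1)))
    if "Version" not in fields or "Release Date" not in fields:
        return None
    return fields["Version"], fields["Release Date"]

def triage(rom_family, release_date):
    """Map a host's ROM family and build date to the action the bulletin calls for."""
    if rom_family not in REMOVED_ROMS:
        return "not in the removed list; check the bulletin's status table"
    removed_date, revert_to = REMOVED_ROMS[rom_family]
    if release_date == removed_date:
        return f"REVERT: removed ROM build installed, roll back to {revert_to}"
    return "ok: installed ROM is not the removed build"

# Constructed sample dmidecode output for two hosts (not captured from real systems).
SAMPLE_HOSTS = {
    "dl380-gen10-01": "Handle 0x0000, DMI type 0, 26 bytes\nBIOS Information\n"
                      "\tVendor: HPE\n\tVersion: U30\n\tRelease Date: 12/11/2017\n\n",
    "dl360-gen9-07": "Handle 0x0000, DMI type 0, 26 bytes\nBIOS Information\n"
                     "\tVendor: HP\n\tVersion: P89\n\tRelease Date: 10/25/2017\n\n",
}

def triage_fleet(hosts=SAMPLE_HOSTS):
    """Return {hostname: action} for a mapping of hostname -> dmidecode text."""
    out = {}
    for name, text in hosts.items():
        parsed = parse_bios(text)
        out[name] = triage(*parsed) if parsed else "could not parse BIOS Information"
    return out

if __name__ == "__main__":
    print(triage_fleet())
```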

RECEIVE PROACTIVE UPDATES: Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP: For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for ProLiant servers and Options, refer to the Navigation Tips document.

SEARCH TIP: For hints on locating similar documents on HPE.com, refer to the Search Tips document.


Hardware Platforms Affected: HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE Synergy 480 Gen9 Compute Module, HPE Synergy 660 Gen9 Compute Module, HPE Synergy 620 Gen9 Compute Module, HPE Synergy 680 Gen9 Compute Module, HPE ProLiant m710x Server Cartridge, HPE ProLiant XL270d Gen9 Server, HPE ProLiant MicroServer Gen10, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE Synergy 660 Gen10 Compute Module, HPE Synergy 480 Gen10 Configure-to-order Compute Module, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant XL170r Gen10 Server, HPE ProLiant XL190r Gen10 Server, HPE ProLiant DL160 Gen10 Server, HPE ProLiant DL180 Gen10 Server, HPE ProLiant DL580 Gen10 Server, HPE ProLiant ML110 Gen10 Server, HPE ProLiant ML350 Gen10 Server, HPE ProLiant XL450 Gen10 Server, HPE ProLiant DL385 Gen10 Server, Apollo 6000 System, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant ML310e Gen8 v2 Server, HPE ProLiant XL730f Gen9 Server, HPE ProLiant DL160 Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HPE ProLiant XL250a Gen9 Server, HPE ProLiant XL740f Gen9 Server, HPE ProLiant XL750f Gen9 Server, HPE ProLiant m710 Server Cartridge, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant DL60 Gen9 Server, HPE ProLiant DL80 Gen9 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant XL190r Gen9 Server, HPE WS460c Gen9 Graphics Expansion Blade, HPE ProLiant DL580 Gen9 Server, HPE ProLiant DL560 Gen9 Server, HPE Apollo 4200 Gen9 Server, HPE ProLiant XL450 Gen9 Server, HPE ProLiant m710p Server Cartridge
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2892
©Copyright 2018 Hewlett Packard Enterprise Company, L.P.
Hewlett Packard Enterprise Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Company and the names of Hewlett Packard Enterprise Company products referenced herein are trademarks of Hewlett Packard Enterprise Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
