
Bulletin: (Revision) HPE ProLiant, Moonshot and Synergy Servers - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00039267en_us

Version: 14

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-04-10

Last Updated: 2018-04-06


DESCRIPTION

| Document Version | Release Date | Details |
|---|---|---|
| 14 | 04/06/2018 | Added a Q and A to the Resolution section regarding platform fixes for generations earlier than G6 |
| 13 | 03/28/2018 | Updated Resolution section with a link to a page that contains direct downloads for each individual version of the System ROM that fixes this issue. |
| 12 | 03/20/2018 | Updated document with G7 and G6 platform System ROM fixes. |
| 11 | 03/05/2018 | Updated document with more Gen8 platform System ROM fixes. |
| 10 | 03/04/2018 | Updated document with additional information on this issue, added additional ProLiant Gen8 series systems that now have a System ROM fix, and specifics on ProLiant G7 and G6 platforms that will have a future System ROM fix. |
| 9 | 03/02/2018 | Updated document with additional information on this issue, including specifics on ProLiant G7 and G6 platforms that will have a future System ROM fix. |
| 8 | 02/27/2018 | Updated document with System ROM versions that fix this issue for Gen9 series systems and certain Gen8 v2 and Moonshot systems. |
| 7 | 02/20/2018 | Updated document with System ROM that corrects this issue for Gen10 platforms |
| 6 | 01/31/2018 | Updated Description with additional processor and issue timeline information. |
| 5 | 01/22/2018 | Updated advisory with additional information on Gen10 platform System ROMs that have also been removed from the HPE Download Site and recommendation to revert to a previous version of the System ROM |
| 4 | 01/12/2018 | Updated document with information on Gen8 and Gen9 System ROMs that have been removed from the HPE download site, and additional information |
| 3 | 01/10/2018 | Updated document with additional information and the latest platform information, fix versions, and updates |
| 2 | 01/08/2018 | Updated document with additional information and the latest platform information, fix versions, and updates. |
| 1 | 01/05/2018 | Original document release |

On January 3, 2018, an industry-wide vulnerability was publicly disclosed that involves modern microprocessor architectures. Based on new security research, there are software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Often referred to as the Side-Channel Analysis Method, or Spectre/Meltdown, this vulnerability impacts microprocessor architectures from both Intel and AMD used on HPE ProLiant and Synergy servers. Mitigation of these issues requires both an Operating System update, provided by the OS vendor, and a System ROM update from HPE.

There are three variants of this vulnerability as indicated in the table below. As indicated, all three variants require operating system updates for mitigation. Variant 2 also requires an updated microcode from the processor vendor which HPE delivers as part of the System ROM. All variants of the vulnerability require malicious software to run on the system. To reduce exposure to these vulnerabilities, HPE recommends customers vigilantly maintain security best practices and keep systems up-to-date.

| Variant | Name | CVE Number | OS Update Required | Microcode Required |
|---|---|---|---|---|
| Variant 1 | Spectre | CVE-2017-5753 | Yes | No |
| Variant 2 | Spectre | CVE-2017-5715 | Yes | Yes |
| Variant 3 | Meltdown | CVE-2017-5754 | Yes | No |

HPE plans to release System ROM updates for mitigation of Spectre Variant 2 for ProLiant and Synergy platforms for which the processor vendor provides updated microcodes. Based on the latest information HPE has from processor vendors, HPE currently plans to release System ROM updates for the platforms indicated in the Scope section of this document. Currently, this includes HPE ProLiant and Synergy G6, G7, Gen8, Gen9, and Gen10 servers. If processor vendors provide support for additional processors, the list of platforms for which HPE will provide System ROM updates will be updated.

The following links provide additional information regarding this vulnerability:

Processor Vendor Responses:

Intel:

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

https://newsroom.intel.com/press-kits/security-exploits-intel-products/

AMD: http://www.amd.com/en/corporate/speculative-execution

ARM Holdings: https://developer.arm.com/support/security-update

Operating System Vendor Response:

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution

SuSE: https://www.suse.com/support/kb/doc/?id=7022512

VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html

CentOS: https://lists.centos.org/pipermail/centos-announce/2018-January/thread.html

Information on issues with initial versions of Intel's microcodes:

Shortly after the Side Channel Analysis vulnerability was publicly disclosed in early January 2018, HPE released System ROM updates to the HPE Support Site for HPE ProLiant and Synergy Gen10 servers, Gen9 servers, and many Gen8 servers. Intel publicly reported issues with those microcodes that could result in “unpredictable system behavior.” Based on these issues, HPE aligned with Intel's recommendation and removed all of the System ROMs that included the impacted microcodes from the HPE Support Site.

Intel subsequently partnered with HPE and a small number of other companies to validate new Beta microcodes which address the “unpredictable system behavior” issue. In almost all cases, the System ROMs which had been removed from the HPE Support Site have now been replaced with updated versions including updated microcodes from Intel that have been granted production status. HPE continues to partner with Intel validating Gen8, G7, and G6 platforms using System ROMs including Beta microcodes from Intel. HPE will release these System ROMs to the HPE Support Site when Intel grants the microcodes production status. See the scope section of this document for information on what System ROMs are currently available to mitigate Spectre Variant 2.

Refer to Customer Advisory a00039784, "ProLiant Gen8, Gen9, and Gen10 Series Servers - CUSTOMER ACTION REQUIRED: Some System ROMs That Addressed the Side Channel Analysis Vulnerability Have Been Removed from the HPE Download Site," for additional information:

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039784en_us

Refer to the following links for more information regarding Intel’s public statements on the issues seen with the initial versions of their microcodes:

On January 11, 2018, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for Broadwell and Haswell processors:

https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/

On January 17, 2018, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for numerous processors including Skylake, Kaby Lake, Ivybridge, and Sandybridge processors:

https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/

On January 22, 2018, Intel announced a recommendation to stop using the versions of the System ROMs that included the impacted microcode and to revert to a previous version of the System ROM, as detailed below:

https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/

SCOPE

HPE has released updated System ROMs for ProLiant and Synergy Gen10 systems, ProLiant and Synergy Gen9 systems, ProLiant Gen8, ProLiant G7 and ProLiant G6 systems including updated microcodes that, along with an OS update, mitigate Variant 2 (Spectre) of this issue. Note that processor vendors have NOT released updated microcodes for many processors, which gates HPE’s ability to release updated System ROMs. HPE will release System ROM updates for additional platforms when processor vendors make production microcodes available to mitigate this issue.

The following table lists the HPE ProLiant and Synergy servers for which HPE intends to release updated System ROMs that include the microcode required as part of the mitigation of the Spectre Variant 2 issue. The table indicates which System ROMs are currently available and which will be available when production microcodes are made available.

Intel has informed HPE that Itanium is not impacted by these vulnerabilities.

Instructions on how to obtain operating system and System ROM updates for the systems which have production System ROMs including the required microcodes are available on the HPE Vulnerability Website.

| ROM Family | Server(s) | System ROM Status |
|---|---|---|
| A40 | ProLiant DL385 Gen10 (AMD System) | Available |
| U30 | ProLiant DL380 Gen10 | Available |
| U31 | ProLiant DL160 Gen10, ProLiant DL180 Gen10 | Available |
| U32 | ProLiant DL360 Gen10 | Available |
| U33 | ProLiant ML110 Gen10 | Available |
| U34 | ProLiant DL560 Gen10, ProLiant DL580 Gen10 | Available |
| U36 | ProLiant DL120 Gen10 | Available |
| U37 | ProLiant XL230k Gen10 | Available |
| U38 | ProLiant XL170r Gen10, ProLiant XL190r Gen10 | Available |
| U40 | ProLiant XL450 Gen10 | Available |
| U41 | ProLiant ML350 Gen10 | Available |
| I41 | ProLiant BL460c Gen10 | Available |
| I42 | HPE Synergy 480 Gen10 | Available |
| I43 | HPE Synergy 660 Gen10 | Available |
| U13 | ProLiant XL230a Gen9, ProLiant XL250a Gen9 | Available |
| U14 | ProLiant XL170r Gen9, ProLiant XL190r Gen9 | Available |
| U15 | ProLiant DL60 Gen9, ProLiant DL80 Gen9 | Available |
| U18 | ProLiant XL730f Gen9, ProLiant XL740f Gen9, ProLiant XL750f Gen9 | Available |
| U19 | Apollo 4200 Gen9 | Available |
| U20 | ProLiant DL160 Gen9, ProLiant DL180 Gen9 | Available |
| U21 | ProLiant XL450 Gen9 | Available |
| U25 | ProLiant XL270d Accelerator Tray | Available |
| P85 | ProLiant DL560 Gen9 | Available |
| P86 | ProLiant DL120 Gen9 | Available |
| P89 | ProLiant DL380 Gen9, ProLiant DL360 Gen9 | Available |
| P92 | ProLiant ML350 Gen9 | Available |
| P95 | ProLiant ML150 Gen9 | Available |
| P99 | ProLiant ML110 Gen9 | Available |
| I36 | ProLiant BL460c Gen9, ProLiant WS460c Gen9 | Available |
| I37 | HPE Synergy 480 Gen9 | Available |
| I38 | ProLiant BL660c Gen9 | Available |
| I39 | HPE Synergy 660 Gen9 | Available |
| U17 | ProLiant DL580 Gen9 | Available |
| I40 | HPE Synergy 620 Gen9, HPE Synergy 680 Gen9 | Available |
| U24 | ProLiant XL260a Gen9 | Available |
| U26 | ProLiant Thin Micro TM200 | Available |
| H05 | ProLiant m510 Server Cartridge | Available |
| U22 | ProLiant DL20 Gen9 | Available |
| U23 | ProLiant ML30 Gen9 | Available |
| H07 | ProLiant m710x Server Cartridge | Available |
| H02 | ProLiant m300 Server Cartridge | Available |
| H04 | ProLiant m350 Server Cartridge | Available |
| H06 | ProLiant m710p Server Cartridge | Available |
| A34 | ProLiant m700 Server Cartridge (AMD System) | Not Yet Available |
| A35 | m700p Server Cartridge (AMD System) | Not Yet Available |
| I30 | ProLiant BL420c Gen8 | Available |
| I31 | ProLiant BL460c Gen8 | Available |
| I32 | ProLiant BL660c Gen8 | Available |
| J02 | ProLiant ML350e Gen8, ProLiant ML350e Gen8 v2 | Available |
| J03 | ProLiant DL160 Gen8 | Available |
| P70 | ProLiant DL380p Gen8 | Available |
| P71 | ProLiant DL360p Gen8 | Available |
| P72 | ProLiant ML350p Gen8 | Available |
| P73 | ProLiant DL360e Gen8, ProLiant DL380e Gen8 | Available |
| P74 | ProLiant SL4540 Gen8 | Available |
| P75 | ProLiant SL230s Gen8, ProLiant SL250s Gen8, ProLiant SL270s Gen8 | Available |
| P77 | ProLiant DL560 Gen8 | Available |
| P83 | ProLiant SL210t Gen8 | Available |
| P79 | ProLiant DL580 Gen8 | Available |
| P88 | ProLiant ML10 | Available |
| J04 | ProLiant ML310e Gen8 | Available |
| J05 | ProLiant DL320e Gen8 | Available |
| J06 | ProLiant Microserver Gen8 | Available |
| P78 | ProLiant ML310e Gen8 v2 | Available |
| P80 | ProLiant DL320e Gen8 v2 | Available |
| J10 | ProLiant ML10 v2 | Available |
| H03 | ProLiant m710 Server Cartridge | Available |
| A26 | ProLiant BL465c Gen8 (AMD System) | Not Yet Available |
| A28 | ProLiant DL385 Gen8 (AMD System) | Not Yet Available |
| I25 | ProLiant BL620c G7, ProLiant BL680c G7 | Available |
| P65 | ProLiant DL580 G7 | Available |
| P66 | ProLiant DL980 G7 | Available |
| I27 | ProLiant BL460c G7 | Available |
| I28 | ProLiant BL490c G7 | Available |
| I29 | ProLiant BL2x220c G7 | Available |
| P67 | ProLiant DL380 G7 | Available |
| P68 | ProLiant DL360 G7 | Available |
| P69 | ProLiant SL390s G7 | Available |
| V67 | ProLiant DL380 G7 SE | Available |
| J01 | ProLiant ML110 G7, ProLiant DL120 G7 | Available |
| D22 | ProLiant ML350 G6 | Available |
| I21 | ProLiant BL490c G6 | Available |
| I22 | ProLiant BL280c G6 | Available |
| I24 | ProLiant BL460c G6 | Available |
| I26 | ProLiant BL2x220c G6 | Available |
| P62 | ProLiant DL380 G6 | Available |
| P63 | ProLiant ML370 G6, ProLiant DL370 G6 | Available |
| P64 | ProLiant DL360 G6 | Available |
| W07 | ProLiant ML330 G6, ProLiant DL320 G6 | Available |

RESOLUTION

HPE recommends updating the operating system and System ROM (with updated microcode) when available to mitigate the Side Channel Analysis vulnerability.

A System ROM & Patch download report is now available on the HPE Product Security Vulnerability Alerts webpage for the Side Channel Analysis Methods (Spectre & Meltdown) vulnerabilities. This download report provides direct links to the System ROMs and patches that HPE has released for ProLiant, Synergy, Moonshot, Cloudline, etc., so that locating the individual components via HPE Support Center is not necessary.

Refer to the following table for a list of System ROM revisions that include updated microcodes for Gen10, Gen9, Gen8, G7 and G6 platforms.

Question: For HPE ProLiant and Synergy platforms, does HPE intend to release System ROM updates including mitigations for Spectre Variant 2 for server generations earlier than G6?

Answer: HPE will release System ROM updates for ProLiant and Synergy platforms for which processor vendors make microcode updates available to mitigate Spectre Variant 2. Intel has released microcodes with mitigations for G6 and newer servers, and HPE has made System ROM updates available for all G6 and newer platforms using the ProLiant System BIOS. Intel currently does not plan to release additional microcode updates for older processors. Information on Intel’s release plans for microcodes related to Spectre Variant 2 can be found in Intel’s Microcode Revision Guidance.

| ROM Family | Server(s) | System ROM Revision |
|---|---|---|
| A40 | ProLiant DL385 Gen10 (AMD System) | v1.04 |
| U30 | ProLiant DL380 Gen10 | v1.32 |
| U31 | ProLiant DL160 Gen10, ProLiant DL180 Gen10 | v1.32 |
| U32 | ProLiant DL360 Gen10 | v1.32 |
| U33 | ProLiant ML110 Gen10 | v1.32 |
| U34 | ProLiant DL560 Gen10, ProLiant DL580 Gen10 | v1.32 |
| U36 | ProLiant DL120 Gen10 | v1.32 |
| U37 | ProLiant XL230k Gen10 | v1.32 |
| U38 | ProLiant XL170r Gen10, ProLiant XL190r Gen10 | v1.32 |
| U40 | ProLiant XL450 Gen10 | v1.32 |
| U41 | ProLiant ML350 Gen10 | v1.32 |
| I41 | ProLiant BL460c Gen10 | v1.32 |
| I42 | HPE Synergy 480 Gen10 | v1.32 |
| I43 | HPE Synergy 660 Gen10 | v1.32 |
| U13 | ProLiant XL230a Gen9, ProLiant XL250a Gen9 | v2.56 |
| U14 | ProLiant XL170r Gen9, ProLiant XL190r Gen9 | v2.56 |
| U15 | ProLiant DL60 Gen9, ProLiant DL80 Gen9 | v2.56 |
| U18 | ProLiant XL730f Gen9, ProLiant XL740f Gen9, ProLiant XL750f Gen9 | v2.56 |
| U19 | Apollo 4200 Gen9 | v2.56 |
| U20 | ProLiant DL160 Gen9, ProLiant DL180 Gen9 | v2.56 |
| U21 | ProLiant XL450 Gen9 | v2.56 |
| U25 | ProLiant XL270d Accelerator Tray | v2.56 |
| P85 | ProLiant DL560 Gen9 | v2.56 |
| P86 | ProLiant DL120 Gen9 | v2.56 |
| P89 | ProLiant DL380 Gen9, ProLiant DL360 Gen9 | v2.56 |
| P92 | ProLiant ML350 Gen9 | v2.56 |
| P95 | ProLiant ML150 Gen9 | v2.56 |
| P99 | ProLiant ML110 Gen9 | v2.56 |
| I36 | ProLiant BL460c Gen9, ProLiant WS460c Gen9 | v2.56 |
| I37 | HPE Synergy 480 Gen9 | v2.56 |
| I38 | ProLiant BL660c Gen9 | v2.56 |
| I39 | HPE Synergy 660 Gen9 | v2.56 |
| U24 | ProLiant XL260a Gen9 | v1.60 |
| U26 | ProLiant Thin Micro TM200 | v2.56 |
| H05 | ProLiant m510 Server Cartridge | v1.64 |
| U22 | ProLiant DL20 Gen9 | v2.56 |
| U23 | ProLiant ML30 Gen9 | v2.56 |
| H07 | ProLiant m710x Server Cartridge | v1.64 |
| H02 | ProLiant m300 Server Cartridge | v01/22/2018 |
| H04 | ProLiant m350 Server Cartridge | v01/22/2018 |
| H06 | ProLiant m710p Server Cartridge | v01/22/2018 |
| P78 | ProLiant ML310e Gen8 v2 | v01/22/2018 |
| P80 | ProLiant DL320e Gen8 v2 | v01/22/2018 |
| J10 | ProLiant ML10 v2 | v01/22/2018 |
| H03 | ProLiant m710 Server Cartridge | v01/22/2018 |
| U17 | ProLiant DL580 Gen9 | v2.56 |
| P79 | ProLiant DL580 Gen8 | v2.00 (02/22/2018) |
| I40 | Synergy 620 and Synergy 680 Gen9 Compute Module | v2.56 |
| I30 | ProLiant BL420c Gen8 | v01/22/2018 |
| I31 | ProLiant BL460c Gen8 | v01/22/2018 |
| I32 | ProLiant BL660c Gen8 | v01/22/2018 |
| J02 | ProLiant ML350e Gen8 and ProLiant ML350e Gen8 v2 | v01/22/2018 |
| J03 | ProLiant DL160 Gen8 | v01/22/2018 |
| P70 | ProLiant DL380p Gen8 | v01/22/2018 |
| P71 | ProLiant DL360p Gen8 | v01/22/2018 |
| P72 | ProLiant ML350p Gen8 | v01/22/2018 |
| P73 | ProLiant DL360e Gen8 and ProLiant DL380e Gen8 | v01/22/2018 |
| P74 | ProLiant SL4540 Gen8 | v01/22/2018 |
| P75 | ProLiant SL230, SL250, and SL270 Gen8 | v01/22/2018 |
| P77 | ProLiant DL560 Gen8 | v01/22/2018 |
| P83 | ProLiant SL210t Gen8 | v01/22/2018 |
| P88 | ProLiant ML10 | v01/22/2018 |
| J04 | ProLiant ML310e Gen8 | v01/22/2018 |
| J05 | ProLiant DL320e Gen8 | v01/22/2018 |
| J06 | Microserver Gen8 | v01/22/2018 |
| P94 | ProLiant XL220a Gen8 v2 | v01/22/2018 |
| I25 | ProLiant BL620c G7, ProLiant BL680c G7 | v02/23/2018 |
| P65 | ProLiant DL580 G7 | v02/22/2018 |
| P66 | ProLiant DL980 G7 | v02/22/2018 |
| I27 | ProLiant BL460c G7 | v02/22/2018 |
| I28 | ProLiant BL490c G7 | v02/22/2018 |
| I29 | ProLiant BL2x220c G7 | v02/22/2018 |
| P67 | ProLiant DL380 G7 | v02/22/2018 |
| P68 | ProLiant DL360 G7 | v02/22/2018 |
| P69 | ProLiant SL390s G7 | v02/22/2018 |
| V67 | ProLiant DL380 G7 SE | v02/22/2018 |
| J01 | ProLiant ML110 G7, ProLiant DL120 G7 | v02/22/2018 |
| D22 | ProLiant ML350 G6 | v02/22/2018 |
| I21 | ProLiant BL490c G6 | v02/22/2018 |
| I22 | ProLiant BL280c G6 | v02/22/2018 |
| I24 | ProLiant BL460c G6 | v02/22/2018 |
| I26 | ProLiant BL2x220c G6 | v02/22/2018 |
| P62 | ProLiant DL380 G6 | v02/22/2018 |
| P63 | ProLiant ML370 G6, ProLiant DL370 G6 | v02/22/2018 |
| P64 | ProLiant DL360 G6 | v02/22/2018 |
| W07 | ProLiant ML330 G6, ProLiant DL320 G6 | v02/22/2018 |
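
An added example (not HPE code): checking inventoried ROM family and revision strings against the fix revisions in the table above, which mixes numeric revisions (v2.56), date-style revisions (v01/22/2018) and both at once (v2.00 (02/22/2018)). Only a few table rows are embedded; the host names, installed revisions and the X99 family code are constructed, and treating any revision at or after the listed one as still containing the fix is an assumption.

```python
import re
from datetime import date

# Fix revisions copied from a few rows of the bulletin's table (not the full list).
FIXED_ROM = {
    "A40": "v1.04",
    "U30": "v1.32",
    "U24": "v1.60",
    "P89": "v2.56",
    "P79": "v2.00 (02/22/2018)",
    "P70": "v01/22/2018",
    "P67": "v02/22/2018",
}

_DATE = re.compile(r"(\d{2})/(\d{2})/(\d{4})")
_NUM = re.compile(r"(\d+)\.(\d+)")


def parse_revision(text):
    """Split a revision string into ((major, minor) or None, release date or None)."""
    released = None
    m = _DATE.search(text)
    if m:
        try:
            released = date(int(m.group(3)), int(m.group(1)), int(m.group(2)))
        except ValueError:
            released = None  # e.g. month 13: treat as unparseable
    # Remove the date first so its digits are never read as a numeric revision.
    n = _NUM.search(_DATE.sub("", text))
    numeric = (int(n.group(1)), int(n.group(2))) if n else None
    return numeric, released


def check(family, installed):
    """Return 'ok', 'update', 'unknown' or 'not-listed' for one server."""
    fixed = FIXED_ROM.get(family.strip().upper())
    if fixed is None:
        return "not-listed"
    inst_num, inst_date = parse_revision(installed)
    fix_num, fix_date = parse_revision(fixed)
    # Assumption: a revision at or after the listed one still carries the fix.
    if inst_num is not None and fix_num is not None:
        return "ok" if inst_num >= fix_num else "update"
    if inst_date is not None and fix_date is not None:
        return "ok" if inst_date >= fix_date else "update"
    return "unknown"  # forms do not match (date vs. number): review by hand


# Constructed inventory: (host, ROM family, installed revision string).
INVENTORY = [
    ("dl380g9-01", "P89", "v2.52 (10/25/2017)"),
    ("dl380g9-02", "P89", "v2.56 (01/22/2018)"),
    ("dl380g9-03", "P89", "01/22/2018"),
    ("dl380pg8-01", "P70", "05/24/2017"),
    ("dl380pg8-02", "P70", "v01/22/2018"),
    ("dl580g8-01", "P79", "v1.98"),
    ("lab-old-01", "X99", "05/02/2011"),  # X99 is a made-up family code
]


def audit(inventory):
    """Map each host to its check() result."""
    return {host: check(family, rev) for host, family, rev in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

A result of "ok" covers only the System ROM half of the Variant 2 mitigation; the operating system update the bulletin requires is tracked separately.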



Hardware Platforms Affected: HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE Synergy 660 Gen9 Compute Module, HPE ProLiant XL270d Gen9 Server, HPE ProLiant m710x Server Cartridge, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE Synergy 660 Gen10 Compute Module, HPE Synergy 480 Gen10 Compute Module, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant XL170r Gen10 Server, HPE ProLiant XL190r Gen10 Server, HPE ProLiant DL120 Gen10 Server, HPE ProLiant DL160 Gen10 Server, HPE ProLiant DL180 Gen10 Server, HPE ProLiant DL580 Gen10 Server, HPE ProLiant ML110 Gen10 Server, HPE ProLiant ML350 Gen10 Server, HPE ProLiant XL450 Gen10 Server, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant ML310e Gen8 v2 Server, HPE ProLiant XL730f Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HPE ProLiant XL230a Gen9 Server, HPE ProLiant XL250a Gen9 Server, HPE ProLiant XL740f Gen9 Server, HPE ProLiant XL750f Gen9 Server, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant DL60 Gen9 Server, HPE ProLiant DL80 Gen9 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant XL190r Gen9 Server, HPE ProLiant WS460c Gen9 Graphics Server Blade, HPE ProLiant DL580 Gen9 Server, HPE ProLiant DL560 Gen9 Server, HPE Apollo 4200 Gen9 Server, HPE ProLiant XL450 Gen9 Server
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2892
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
