
Bulletin: HPE Data Center Networking - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) aka "Meltdown" and "Spectre"

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00039640en_us

Version: 2

Bulletin: (Revise) HPE Data Center Networking - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) aka "Meltdown" and "Spectre"
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-01-12

Last Updated: 2018-01-13


DESCRIPTION

Document Version | Release Date | Details
2 | 01/11/2018 | Revised to include more information about HPE iMC PLAT and Big Switch information.
1 | 01/09/2018 | Original Document Release.

On 3 January 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE Data Center Networking products, potentially leading to information disclosure and elevation of privilege. Product-specific mitigation steps will be published through the HPE Support Center as they become available.

Intel has provided a high-level statement here: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ (non-HPE site)

For additional information:
https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&languageid=en-fr (non-HPE site)

NOTE: One or more of the links above will take you outside the Hewlett Packard Enterprise web site. HPE does not control and is not responsible for information outside of the HPE web site.

IMPORTANT: The products listed under "Hardware Platforms Affected" at the bottom of this Customer Bulletin are provided to identify the specific models of networking products to be notified. It is not intended to be a list of products affected by the specific vulnerability outlined in this bulletin. A list of affected products can be found in the body of this bulletin.

SCOPE

Altoline Products: The following Altoline products use the vulnerable Intel CPU:

Altoline 6940
Altoline 6920
Altoline 6960
Altoline 6941
Altoline 6921T
Altoline 6921

Arista Products: Arista Networks hardware and software products, including CVP and EOS, are not exploitable by the above-mentioned CVEs, on the assumption that Arista's recommended security policies are in place. For more information:
https://www.arista.com/en/support/advisories-notices/security-advisories/4025-security-advisory-31 (non-HPE site)

Big Switch – Big Cloud Fabric Controller, Big Monitoring Fabric Controller, Switch Light OS, Fabric Analytics, and Service Node do not execute untrusted/user-provided code. The user-facing APIs only accept declarative input (e.g., JSON), which cannot be used to trigger these vulnerabilities. Hence, Big Cloud Fabric and Big Monitoring Fabric products are not vulnerable. For more information, please contact Big Switch Networks support: https://www.bigswitch.com/support (non-HPE site)

Comware FlexFabric Products are not vulnerable. This includes the following switch series:

5900/5920/5930/5940/5950/5980
5700/5800/5820/5830
12900/12900E/12500/11900/7900

Intelligent Management Center (IMC) Software Products are not vulnerable; these products are installed on either Windows Server or Linux Server based operating systems. The operating systems can be installed on a physical server or on a guest machine hosted by a hypervisor.

HPE iMC PLAT and associated modules, including PLAT and other components, are all applications installed on either a Windows Server or Linux server-based operating system. The operating system can be installed on a physical server or on a guest machine hosted by a hypervisor. HPE iMC product modules are therefore not an operating system that manages CPU and memory resources; they are applications that request CPU and memory resources from their host operating system. HPE iMC product modules are not directly affected by the vulnerability and do not contribute any weakness to it. However, if the operating system or hypervisor is vulnerable and untrusted users have access to the operating system or hypervisor, an attacker may be able to read memory that contains HPE iMC product module information. Contact your operating system or virtualization vendor to determine whether updates are available.

Operating System Vendor Responses:

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 (non-HPE site)

Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution (non-HPE site)

VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html (non-HPE site)

NOTE: One or more of the links above will take you outside the Hewlett Packard Enterprise web site. HPE does not control and is not responsible for information outside of the HPE web site.
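
The iMC guidance above leaves the fix to the host operating system. One way to check a Linux host is sketched below as an added example, not HPE code: it reads the kernel's per-vulnerability status files and maps them to the three CVEs in this bulletin. It assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and vendor backports); the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not HPE code): report kernel mitigation status for the three
# CVEs in this bulletin on a Linux host, e.g. one running HPE iMC.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities
# (mainline 4.15 and vendor backports); older kernels have no such directory.

# classify TEXT -> NOT_AFFECTED | MITIGATED | VULNERABLE | UNKNOWN
classify() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_host [DIR]: one line per CVE; returns 1 if any is VULNERABLE or UNKNOWN.
check_host() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for pair in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 \
                meltdown:CVE-2017-5754; do
        file="${pair%%:*}"
        cve="${pair#*:}"
        if [ -r "$dir/$file" ]; then
            text=$(cat "$dir/$file")
            state=$(classify "$text")
        else
            text="no sysfs entry; check the OS vendor advisory"
            state=UNKNOWN
        fi
        case "$state" in VULNERABLE|UNKNOWN) rc=1 ;; esac
        printf '%s %-12s %s\n' "$cve" "$state" "$text"
    done
    return "$rc"
}

# Constructed sample, not output from a real host: Meltdown and Spectre v1
# are mitigated, Spectre v2 is not.
demo=$(mktemp -d)
echo "Mitigation: PTI" > "$demo/meltdown"
echo "Mitigation: __user pointer sanitization" > "$demo/spectre_v1"
echo "Vulnerable" > "$demo/spectre_v2"
check_host "$demo" || echo "host still needs operating system updates"
rm -rf "$demo"
```

Run inside a guest machine, this reports only the guest kernel's status; the hypervisor's status has to come from the virtualization vendor.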

RESOLUTION

The products and mitigations in this advisory are being tracked on the HPE vulnerability website.






Hardware Platforms Affected: HPE Altoline 6900 Switch Series, HPE Altoline 6960 Switch Series, HPE FlexFabric 5950 Switch Series, HPE Altoline 6941 Switch Series, HPE Altoline 6921 Switch Series, HPE FlexFabric 5940 Switch Series, HPE Altoline 6800 Switch Series, HPE FlexFabric 5980 Switch Series, HPE FlexFabric 12500 Switch Series, HPE FlexFabric 5800 Switch Series, HPE FlexFabric 5820 Switch Series, HPE FlexFabric 5830 Switch Series, HPE FlexFabric 5900 Switch Series, HPE FlexFabric 5920 Switch Series, HPE FlexFabric 12900E Switch Series, HPE FlexFabric 5930 Switch Series, HPE FlexFabric 7900 Switch Series, HPE Altoline 6920 Switch Series, HPE Altoline 6940 Switch Series
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2916
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
