
Bulletin: (Revision) Mission Critical Systems - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00039773en_us

Version: 7

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-08-02

Last Updated: 2018-08-01


DESCRIPTION

Document Version | Release Date | Details
7 | 08/01/2018 | Updated the document with the latest information for SGI UV 2000.
6 | 05/08/2018 | Updated the document with the latest available firmware information.
5 | 04/13/2018 | Updated the document with the latest available firmware information.
4 | 03/20/2018 | Updated the availability of Superdome Flex and ProLiant DL980 firmware.
3 | 01/29/2018 | Updated version of the System ROM to revert to for Superdome Flex and added an update to the announcement timeline in the Description.
2 | 01/22/2018 | Updated with additional information.
1 | 01/13/2018 | Original document release.

On January 3, 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities call for both an Operating System update, provided by the OS vendor, and a System ROM update from HPE.

Intel has provided a high-level statement here:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Intel has informed HPE that Itanium is not impacted by these vulnerabilities.

For additional information:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&languageid=en-fr

Operating System Vendor Response:

Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution

SUSE: https://www.suse.com/support/kb/doc/?id=7022512

On January 11, 2018, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for numerous processors including Broadwell and Haswell.

On January 17, 2018, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for numerous processors including Skylake, Kaby Lake, Ivy Bridge, and Sandy Bridge processors.

On January 22, 2018, Intel announced a recommendation to stop using the versions of the System ROMs that included the impacted microcode and to revert to a previous version of the System ROM, as detailed below.

Due to this issue, the System firmware updates for platforms supporting processors with impacted microcodes have been removed from the HPE support site. See the HPE Vulnerability Page for additional information.

Updated revisions of the System firmware for these platforms will be made available by HPE after Intel provides updated microcodes with a resolution for these issues.

Until the updated System firmware is available, HPE recommends reverting to the System firmware as detailed in the Resolution below.

Update March 20, 2018: As Intel grants production microcode updates for the various processor families, HPE is testing and releasing firmware for the affected platforms. The chart below will be updated with the firmware as it becomes available.

SCOPE

The following products are impacted:

HPE Superdome Flex Server: Fixed in version 2.4.98. Download and apply OS updates and the firmware bundle as described in the Resolution section.

HPE Integrity Superdome X with BL920s Gen8 and Gen9 Server Blade: Fixed in bundle 2018.04 (firmware version 8.8.14). Download and apply OS updates and the firmware bundle as described in the Resolution section.

HPE Integrity MC990 X Servers: Fixed in version 2018.03. Download and apply OS retpoline updates and the firmware bundle as described in the Resolution section.

SGI UV 30, 300H, 300R and 30 EX Servers: Fixed in version 2018.03. For UV customers running RHEL and SLES, update to current kernels with retpoline support. Retpoline fully mitigates Spectre v2. For other UV customers who need a BIOS with updated microcode that mitigates Spectre-v2 in conjunction with kernel support, contact your HPE support representative.

SGI UV 3000: Fixed in version 2018.03. For UV customers running RHEL and SLES, update to current kernels with retpoline support. Retpoline fully mitigates Spectre v2. For other UV customers who need a BIOS with updated microcode that mitigates Spectre-v2 in conjunction with kernel support, contact your HPE support representative.

SGI UV 2000: Fixed in version 2018.07. For UV customers running RHEL and SLES, update to current kernels with retpoline support. Retpoline fully mitigates Spectre v2. For other UV customers who need a BIOS with updated microcode that mitigates Spectre-v2 in conjunction with kernel support, contact your HPE support representative.

SGI UV 100 and 1000 Servers: Fixed in version 2018.03. For UV customers running RHEL and SLES, update to current kernels with retpoline support. Retpoline fully mitigates Spectre v2. For other UV customers who need a BIOS with updated microcode that mitigates Spectre-v2 in conjunction with kernel support, contact your HPE support representative.

HPE ProLiant DL980 Gen7 Server: Fixed in version 02/22/2018. Download and apply OS updates and the firmware bundle as described in the Resolution section.

RESOLUTION

HPE recommends updating the operating system to current releases with retpoline support, to mitigate the Side Channel Analysis vulnerability.

In addition, complete mitigation of CVE-2017-5715 for all potential situations requires a System Firmware update. Tested and updated revisions of the System firmware for these platforms are being made available by HPE after Intel provides updated microcodes with a resolution for these issues.
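
On a patched Linux host, both halves of this resolution (retpoline from the OS, updated microcode for CVE-2017-5715) can be checked against the kernel's own status files under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not HPE code; its function names are its own, and the strings written by make_sample are constructed sample values.

```shell
#!/bin/sh
# Added example, not HPE code. Status wording differs between kernel versions
# and vendors, so the matching below is deliberately loose.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> not-affected | vulnerable | mitigated | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        Vulnerable*)     echo "vulnerable" ;;
        Mitigation:*)    echo "mitigated" ;;
        *)               echo "unknown" ;;   # empty: kernel has no sysfs report
    esac
}

# spectre_v2_detail TEXT -> "<os>,<fw>" for CVE-2017-5715: retpoline is the OS
# half; IBPB/IBRS show that the CPU exposes the controls added by new microcode.
spectre_v2_detail() {
    os="no-retpoline"; fw="no-microcode-controls"
    case "$1" in Mitigation:*[Rr]etpoline*) os="retpoline" ;; esac
    case "$1" in Mitigation:*IBPB*|Mitigation:*IBRS*) fw="microcode-controls" ;; esac
    echo "$os,$fw"
}

# report [DIR] -> one line per CVE named in the bulletin
report() {
    dir="${1:-$VULN_DIR}"
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown; do
        cve="${pair%%:*}"; file="${pair#*:}"; text=""
        if [ -r "$dir/$file" ]; then text="$(cat "$dir/$file")"; fi
        line="$cve $file $(classify_status "$text")"
        if [ "$file" = spectre_v2 ]; then line="$line $(spectre_v2_detail "$text")"; fi
        echo "$line"
    done
}

# make_sample DIR: constructed status strings (OS patched, firmware not yet updated)
make_sample() {
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Mitigation: Full generic retpoline"      > "$1/spectre_v2"
    echo "Mitigation: PTI"                         > "$1/meltdown"
}

if [ -d "$VULN_DIR" ]; then report; else echo "no sysfs report under $VULN_DIR"; fi
```

A result of "unknown" means the running kernel does not publish these files, so the installed kernel version has to be compared with the OS vendor's advisory instead.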

Note: Some customers may have deployed System ROMs which have been removed from the HPE Support Site due to Intel-reported microcode issues (see https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039784en_us). HPE recommends that customers upgrade to the latest releases now available.

Firmware can be obtained from https://support.hpe.com/hpesc/public/home as follows:

  1. Enter a product name (e.g., "Superdome Flex server") in the text search field and wait for a list of products to populate.
  2. From the products displayed, identify the desired product and click on the Drivers & software icon to the right of the product.
  3. From the Drivers & software dropdown menus on the left side of the page, under Software Type, select "Firmware (Entitlement Required)". Note: Entitlement is not required for these firmware fixes.
  4. Select a Bundle.
  5. Click Download.

Operating System:

HPE Integrity Superdome X with BL920s Gen9 Server Blade, HPE Integrity Superdome X with BL920s Gen8 Server Blade: Apply updates supplied by the Operating System vendor.

WARNING: Some OS patches available for CVE-2017-5753 and CVE-2017-5754 are not compatible with the HPE Superdome Flex, MC990 X and the UV servers.

HPE is actively working with Red Hat and SUSE to provide updated kernels that boot on these servers and architectures.

Refer to this OS Patch advisory to obtain the latest list of compatible OS patches: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039468en_us



Hardware Platforms Affected: HPE Integrity MC990 X Server, SGI UV 100, SGI UV 1000, SGI UV 2000, SGI UV 300H, SGI UV 300, SGI UV 3000, HPE Superdome Flex Server, HPE ProLiant DL980 G7 Server, HPE Superdome X Server
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2926
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
