
Bulletin: HPE Helion OpenStack – Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00039782en_us

Version: 1

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-01-13

Last Updated: 2018-01-13


DESCRIPTION

On January 3, 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities calls for both an Operating System update, provided by the OS vendor, and a System ROM update from HPE.

Intel has provided a high level statement here:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings

For additional information:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Processor Vendor Responses:

AMD: http://www.amd.com/en/corporate/speculative-execution

ARM Holdings: https://developer.arm.com/support/security-update

The Side-Channel (also known as Meltdown and Spectre) hardware vulnerabilities involving speculative execution can result in exposure of kernel memory by user code running on a system or in a virtual machine.

These vulnerabilities may impact Helion OpenStack deployments, potentially leading to information disclosure. Passwords or other secrets discovered in kernel memory could then be used by intruders to perform privilege escalation, resulting in further system compromise and data exposure. If a user or an intruder can gain user-level access to an HOS server or virtual machine and run code of their own choosing, then they could potentially exploit this vulnerability.

SCOPE

The currently supported versions of Helion OpenStack (HOS 3.0, 4.0, and 5.0) use an HPE Linux distribution (hLinux) as the underlying control plane operating system.

In addition, customers have the option to use one or more hypervisors from HPE, VMware, Red Hat, or SUSE for their multi-tenant compute infrastructure. HPE is working to incorporate the latest upstream kernel patches into hLinux in order to provide updated Helion OpenStack distributions for each of our releases. This process is expected to take several weeks to complete.

Customers should also apply third-party security patches in accordance with the customer’s patch management policy based on their specific environment.

RESOLUTION

Mitigation and resolution of these vulnerabilities may call for both an Operating System update provided by the OS vendor, and a System ROM update provided by the server vendor, as well as kernel patches.

In the meantime, users can maximize the overall security of their Helion OpenStack deployment and thereby mitigate the risk through the defense-in-depth characteristics of the Helion OpenStack environment.

  • Verify that your configuration uses strong network separation (such as the "Mid-scale KVM with VSA Model" described at https://docs.hpcloud.com/hos-5.x/helion/architecture/example_configurations.html), rather than less secure configurations with flat network deployment or system services listening to external or untrusted networks.
  • Verify that your HOS servers for controller services are separate from compute servers, so that if an application on a compute server’s VM is compromised, controller services are not exposed.
  • Verify that only trusted administrators have login access to HOS servers, and only authorized users have access to HOS virtual machines.

Verify the security of your applications, since a vulnerability allowing user-level access by an intruder could potentially be leveraged to exploit Meltdown or Spectre.

  • Verify that your applications have current patches against vulnerabilities.
  • If your applications allow launching a command line or shell, consider disabling that feature even if it is designed to be used only by authorized personnel.

Apply patches for Meltdown and Spectre as they become available:

  • If running ESX workloads, refer to VMware for Meltdown and Spectre patches.
  • If running RHEL workloads, refer to Red Hat for patches.
  • If running SLES workloads (HOS 5), reach out to SUSE Linux for patches.
  • Apply HOS patches as they become available.
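As an added check (example script, not HPE's own tooling), the following POSIX shell function reports what the Linux kernel itself says about the three CVEs in this bulletin, so an operator can confirm on an hLinux control plane node, a KVM compute node or a guest VM that the OS and System ROM (microcode) updates have actually taken effect. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (introduced with the January 2018 fixes); if that directory is absent the host is reported as not mitigated, since the kernel predates the reporting patches.

```shell
#!/bin/sh
# Added example: report kernel mitigation status for the Meltdown/Spectre CVEs.
# Assumes the sysfs vulnerabilities interface from the January 2018 kernel fixes.

# Map each CVE named in the bulletin to its sysfs entry.
cve_to_sysfs() {
    case "$1" in
        CVE-2017-5753) echo spectre_v1 ;;   # bounds check bypass
        CVE-2017-5715) echo spectre_v2 ;;   # branch target injection
        CVE-2017-5754) echo meltdown ;;     # rogue data cache load
        *) return 1 ;;
    esac
}

# Classify one sysfs status line as mitigated, vulnerable or unknown.
# "Not affected" and "Mitigation: ..." mean the kernel considers the CPU
# safe; "Vulnerable..." means a fix is missing (for spectre_v2 this can also
# mean the microcode/System ROM update has not been applied).
classify_status() {
    case "$1" in
        "Not affected"*|Mitigation:*) echo mitigated ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# check_host [DIR]: print "CVE<tab>verdict<tab>kernel status" for each CVE.
# Returns 0 only when all three are mitigated. DIR overrides the sysfs path
# (used here for testing against constructed files).
check_host() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754; do
        f="$dir/$(cve_to_sysfs "$cve")"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            status="no sysfs entry (kernel lacks the reporting patches)"
        fi
        verdict=$(classify_status "$status")
        [ "$verdict" = mitigated ] || rc=1
        printf '%s\t%s\t%s\n' "$cve" "$verdict" "$status"
    done
    return $rc
}
```

Source the file and run `check_host` on each node; a non-zero exit marks a host that still needs a kernel update, a System ROM update, or both.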

This Bulletin will be updated as the patches become available.

RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP : For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for ProLiant servers and Options, refer to the Navigation Tips document.

SEARCH TIP : For hints on locating similar documents on HPE.com, refer to the Search Tips document.


Hardware Platforms Affected: HPE Helion OpenStack
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2925
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
