Print | Rate this content

Bulletin: (Revision) HPE Hyper Converged 380, HyperConverged 250 for VMware and Microsoft and HPE ConvergedSystem 200-HC StoreVirtual- Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00041797en_us

Version: 2

Bulletin: (Revision) HPE Hyper Converged 380, HyperConverged 250 for VMware and Microsoft and HPE ConvergedSystem 200-HC StoreVirtual- Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-04-20

Last Updated: 2018-04-24


DESCRIPTION

Document Version
Release Date
Details
2
04/20/2018
Updated Resolution section with links to fixes and added the product HPE ConvergedSystem 200 HC-StoreVirtual
1
02/15/2018
Original Document Release

On January 3, 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. (CVE-2017-5715, CVE-2017-5753, CVE-201) These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities calls for a HPE firmware update, and either a VMware ESXi update and VMware vCenter update or Microsoft Patch & Update release 1712.

Intel has provided a high level statement here:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/ Non-HPE site

For additional information:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&languageid=en-fr Non-HPE site

Operating System Vendor Response:

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 Non-HPE site

VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html Non-HPE site

SCOPE

Any of the following:

  • HPE Hyper Converged 380
  • HPE Hyper Converged 250 System for VMware vSphere
  • HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard
  • HPE ConvergedSystem 200-HC StoreVirtual System

RESOLUTION

HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard

BIOS version 2.56_01-22-2018(B)(23 Feb 2018) is now available to address the microprocessor vulnerability, Spectre Variant 2 (CVE-2017-5715). Download the online ROM flash component from https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_f59de6f813e0437ab0d900f687

To install BIOS v2.56, follow the installation procedure found on the Installation Instructions tab.

This bulletin will be updated as additional updates becomes available.

HPE Hyper Converged 250 Systems for VMware vSphere and HPE Hyper Converged 380

Service Pack for ProLiant (SPP) version 2.56_01-22-2018(B)(23 Feb 2018) is now available with ROM updates to address the microprocessor vulnerability Spectre Variant 2 (CVE-2017-5715) on HPE Hyper Converged 250 Systems for VMware vSphere and HPE Hyper Converged 380 systems. Download the SPP from https://support.hpe.com/hpsc/swd/public/detail?sp4ts.oid=1008862748&swItemId=MTX_277a21fda98849af92ee742e61&swEnvOid=4184#tab1

To install the SPP, follow the instructions found in the HPE Hyper Converged 250 System for VMware vSphere User Guide or the HPE Hyper Converged 380 Upgrade Guide.

This bulletin will be updated as additional updates become available.

HPE ConvergedSystem 200-HC StoreVirtual Systems

HPE Engineering is currently in the process of qualifying the necessary combination of updates for the HPE ConvergedSystem 200-HC StoreVirtual products. This communication will be updated with further information as it becomes available.

Communications for similar products:

HPE SimpliVity 380, SimpliVity OmniCube, SimpliVity OmniStack For Cisco, Dell Or Lenovo: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039632en_us

HPE ProLiant for Microsoft Azure Stack: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00042741en_us

Communications for similar products:

HPE SimpliVity 380, SimpliVity OmniCube, SimpliVity OmniStack For Cisco, Dell Or Lenovo: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039632en_us

This Bulletin will be updated when additional solutions become available.


Hardware Platforms Affected: HPE Hyper Converged 380, HPE Hyper Converged 250 System for VMware vSphere, HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard, HPE ConvergedSystem 200-HC EVO:RAIL SFP+ Appliance for VMware
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK3044
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!
Document title: Bulletin: (Revision) HPE Hyper Converged 380, HyperConverged 250 for VMware and Microsoft and HPE ConvergedSystem 200-HC StoreVirtual- Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors
Document ID: emr_na-a00041797en_us-3
How helpful was this document?
How can we improve this document?
Note: Only English language comments can be accepted at this time.
Please wait while we process your request.