
Bulletin: (Revision) HPE Hyper Converged and HPE ConvergedSystem 200-HC StoreVirtual Products - Side Channel Analysis, Speculative Store Bypass, Rogue Register Load, and L1 Terminal Fault Vulnerabilities

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00041797en_us

Version: 3

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-02-15

Last Updated: 2018-12-21


DESCRIPTION

Document Version | Release Date | Details
3 | 12/20/2018 | Updated entire document with the latest information and added additional vulnerability information
2 | 04/20/2018 | Updated Resolution section with links to fixes and added the product HPE ConvergedSystem 200 HC-StoreVirtual
1 | 02/15/2018 | Original Document Release

On January 3, 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754). Subsequently, the Speculative Store Bypass and Rogue Register Load vulnerabilities (CVE-2018-3639, CVE-2018-3640) were disclosed on 22 May 2018, and the L1 Terminal Fault vulnerabilities (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) were disclosed on 14 August 2018.

These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and unauthorized elevation of privilege. Mitigation and resolution of these vulnerabilities call for an HPE firmware update, and either VMware ESXi and VMware vCenter updates or Microsoft Patch & Update release 1803.

Intel has provided a high-level statement here:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

For additional information:

https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&languageid=en-fr

Operating System Vendor Response:

Microsoft:

VMware:

SCOPE

Any of the following:

  • HPE Hyper Converged 380
  • HPE Hyper Converged 250 System for VMware vSphere
  • HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard
  • HPE ConvergedSystem 200-HC StoreVirtual System

RESOLUTION

HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard

Microsoft Patch & Update release 1803, including BIOS version 2.60 05-22-2018, is available to address the vulnerabilities listed above.

For more information related to Patch & Update 1803, see the HPE Hyper Converged 250 System for Microsoft CPS Matrix of Qualified Software and Firmware at: https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=1008873541&docLocale=en_US&docId=emr_na-a00050084en_us

HPE Hyper Converged 250 Systems for VMware vSphere and HPE Hyper Converged 380

Resolve the vulnerabilities listed above by installing and/or updating the HPE Customized ESXi image, VMware vCenter Server version, and HPE SPP Firmware components as indicated in the HPE Hyper Converged 250 System for VMware vSphere Matrix of qualified software and firmware published November 2018 or later:

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=1008631329&docLocale=en_US&docId=emr_na-a00026956en_us

and the HPE Hyper Converged 380 Firmware and Software Compatibility Matrix published November 2018 or later:

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=1008793445&docLocale=en_US&docId=emr_na-c05102848

HPE Service Pack for ProLiant (SPP) version 2018.09.0 can be downloaded from http://h17007.www1.hpe.com/us/en/enterprise/servers/products/service_pack/spp/index.aspx?version=2018.09.0 .

To install the SPP, follow the instructions found in the HPE Hyper Converged 250 System for VMware vSphere User Guide or the HPE Hyper Converged 380 Upgrade Guide.

HPE ConvergedSystem 200-HC StoreVirtual Systems

Resolve the vulnerabilities listed above by installing and/or updating the HPE Customized ESXi image, VMware vCenter Server version, and HPE SPP Firmware components as indicated in the HPE ConvergedSystem 200-HC StoreVirtual Matrix of qualified software and firmware:

https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=7588764&docLocale=en_US&docId=emr_na-a00049172en_us

HPE SPP post-production version Gen8.1 can be downloaded from http://h17007.www1.hpe.com/us/en/enterprise/servers/products/service_pack/spp/index.aspx?version=Gen8.1 .

Communications for similar products:

HPE SimpliVity 380, SimpliVity OmniCube, SimpliVity OmniStack For Cisco, Dell Or Lenovo: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039632en_us

HPE ProLiant for Microsoft Azure Stack:

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00042741en_us


Hardware Platforms Affected: HPE ConvergedSystem 250-HC StoreVirtual System, HPE Hyper Converged 380, HPE Hyper Converged 250 System for VMware vSphere, HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard, HPE ConvergedSystem 200-HC StoreVirtual System
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK3044
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
