This alert replaces alert 3191, which described the "Meltdown" and "Spectre" vulnerabilities. It replaces 3191 in order to focus on ESX/VMware ftServer systems and the customers who run them.
The "Meltdown" and "Spectre" vulnerabilities exploit a processor feature called speculative execution and could potentially allow access to sensitive information. These vulnerabilities are not a Stratus-related issue but a modern processor issue.
UPDATE 3/11/2019: ESX patch Update & Relevant BIOS/BMC Firmware:
- BIOS 8.1.75 released for ftServer Models 2800, 4800 and 6800; it contains the fix for Spectre Variant 2 (3238)
- BIOS 8.1.77 released for ftServer Models 2800, 4800 and 6800; it contains the fix for Spectre Variant 2, 3a & 4 (Alert 3239)
- BIOS 9.1.32 released for ftServer Models 2810, 4810 and 6810; it contains the fix for Spectre Variant 2 (Alert 3240)
- BIOS 9.1.33 released for ftServer Models 2810, 4810 and 6810; it contains the fix for Spectre Variant 2, 3a & 4 (Alert 3237)
- The attached file (ESX_ProductMatrix-11Mar2019.pdf) has been updated with the latest approved ESX and AUL fixes.
UPDATED - 2/7/2018, see the following sections
Note: This alert will no longer be sent out weekly. It will only be sent if there is a change to be noted.
Many Stratus ftServer and V-Series systems are exposed to this vulnerability based on the processors listed by Intel. However, please note that Intel has stated that all IA86 chips are affected by these vulnerabilities.
Stratus product families which use the different Intel chips:
Intel Chip      Stratus Name    Product Family
Broadwell       Pegasus-B       ft2810, ft4810, ft6810
Haswell         Pegasus         ft2800, ft4800, ft6800, ft6805
Ivy Bridge      Cygnus-I        ft2710, ft4710, ft6410
Sandy Bridge    Cygnus          ft2700, ft4700, ft6400
Westmere        Draco-W         ft6310
Nehalem         Draco           ft2600, ft4500, ft6300, V2404
Harpertown      Fusion-H        ft2510, ft4410, ft6210

IA86 Stratus Product Family that may be affected but not listed by Intel:

Intel Chip      Stratus Name    Product Family
Woodcrest       Fusion          ft2500, ft4400
Clovertown      Fusion          ft6200
Paxville        Aria            ft2400, ft4300, ft4600, ft5700
Gallatin        Sonic           ft3300, ft5600, ft6600
Independent security researchers have demonstrated a method by which malicious code running locally in user mode on a normally operating platform can access sensitive data values from memory.
The term side-channel attack is often used to describe the class of techniques that include this newly-reported vulnerability. The attack relies upon deducing the value of a bit of data in kernel memory by exploiting a complex code path that, when speculatively executed, uses the targeted bit of data to speculatively load (or not) an internal processor cache. By subsequently performing an operation whose timing varies depending on the contents of the internal processor cache, the malicious code can determine the value of the targeted bit of data. With a sufficient number of iterations of this method, the value of an arbitrary number of bits can be deduced. This attack is unable to modify kernel data.
Existing proof-of-concept exploits are targeted at commodity operating systems.
ftServer systems running VMware are exposed.
To mitigate the risk of a security breach and potential loss of sensitive information, it is important for Stratus customers to update their systems once Stratus approves the necessary updates.
Stratus customers must ONLY use Stratus approved and provided microcode and operating system updates for their systems. DO NOT use updates directly provided by VMware unless Stratus has approved that update, because updates and patches must go through a rigorous testing and qualification process. Stratus is currently working with its vendors to identify and qualify necessary fixes. More information will be provided as it becomes available, and distributed to customers by an update to this alert.
Once Stratus approves updates for the vulnerabilities, customers should apply them as soon as possible.
Successful exploitation of the vulnerabilities rests upon the ability to compile and execute arbitrary user-mode programs or web content.
All customers should limit access to production systems to just the personnel necessary to operate and maintain the production systems, and should audit their production systems on a regular basis to ensure that unauthorised software programs are not present. Customers should work closely with third-party software providers to ensure the provenance of software products that they provide.
There are 2 components to address these vulnerabilities: an OS update fix and a microcode fix. The OS update is not directly dependent on the microcode change and can be applied when available. The OS changes and the recommended BIOS update address the following identified CVEs:
- Variant 1: bounds check bypass CVE-2017-5753 aka Spectre
- Variant 2: branch target injection CVE-2017-5715 aka Spectre
- Variant 3: rogue data cache load CVE-2017-5754 aka Meltdown
- Variant 3a: Rogue System Register Read CVE-2018-3640
- Variant 4: Speculative Store Bypass CVE-2018-3639
The OS update has fixes necessary for all 4 variants. However, the fixes for variants 2, 3a and 4 also require the microcode fix before the OS changes can take advantage of them. The other variant fixes are part of the OS and do not require the microcode fix.
The Stratus products noted in the section "Sites Affected" called Fusion, Draco, Cygnus will NOT have a microcode fix provided by Intel. This means variants 2, 3a and 4 cannot be addressed by the vendor OS fixes, but variants 1 & 3 are addressed by an available fix.
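The dependency rules above can be applied to a host inventory to list which CVEs remain open per system. This is an added example, not Stratus tooling or part of the original alert: the function names and the sample inventory are hypothetical, and the BIOS table is transcribed from the 3/11/2019 update. It assumes that a later BIOS in the same major line keeps earlier fixes, and that a model with no BIOS release named in this alert has no microcode fix.

```python
CVES = {"1": "CVE-2017-5753", "2": "CVE-2017-5715", "3": "CVE-2017-5754",
        "3a": "CVE-2018-3640", "4": "CVE-2018-3639"}
OS_ONLY = {"1", "3"}  # per the alert: fixed by the OS update without microcode

# (ftServer models, BIOS release, microcode-dependent variants it covers)
BIOS_FIXES = [
    ({"2800", "4800", "6800"}, (8, 1, 75), {"2"}),
    ({"2800", "4800", "6800"}, (8, 1, 77), {"2", "3a", "4"}),
    ({"2810", "4810", "6810"}, (9, 1, 32), {"2"}),
    ({"2810", "4810", "6810"}, (9, 1, 33), {"2", "3a", "4"}),
]

def parse_version(text):
    """'8.1.77' -> (8, 1, 77); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected BIOS version: {text!r}")
    return parts

def mitigated(model, bios, os_patched):
    """Return the set of variants mitigated on one host."""
    if not os_patched:  # every variant needs the approved OS update
        return set()
    model = model.lower()
    if model.startswith("ft"):
        model = model[2:]
    have = parse_version(bios)
    done = set(OS_ONLY)
    for models, release, variants in BIOS_FIXES:
        # Assumption: a later BIOS in the same major line keeps earlier fixes.
        if model in models and have[0] == release[0] and have >= release:
            done |= variants
    return done

def audit(inventory):
    """Map host name -> sorted CVE ids still open on that host."""
    report = {}
    for host, model, bios, os_patched in inventory:
        open_variants = set(CVES) - mitigated(model, bios, os_patched)
        report[host] = sorted(CVES[v] for v in open_variants)
    return report

# Constructed inventory: (host, model, BIOS version, approved OS update applied?)
SAMPLE = [
    ("esx-a", "ft4800", "8.1.75", True),
    ("esx-b", "ft6810", "9.1.33", True),
    ("esx-c", "ft4700", "7.0.10", True),   # Cygnus: no microcode fix from Intel
    ("esx-d", "ft2800", "8.1.77", False),  # BIOS current, OS update missing
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE).items():
        print(host, "open:", ", ".join(cves) or "none")
```
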
Please see the attached Product Matrix pdf file for the availability of the various OS and microcode releases. The Product Matrix pdf file will be updated as more releases become available.
This alert will be updated and sent out weekly, at end of business on Wednesday as Stratus gets the vendor OS version updates for this vulnerability and has completed testing.
The summary section of the alert will note what sections are updated each week as the alert gets sent out. The alert will continue to be sent out as OS changes take place up until the microcode becomes available which will complete the entire fix for this vulnerability.
See attachment "ESX_ProductMatrix-11Mar2019.pdf" to see the availability of the various OS and microcode releases. The Product Matrix pdf file will be updated as more releases become available.
This alert will be updated and sent out weekly, at end of business on Wednesday as Stratus testing completes for this vulnerability. The alert will continue to be sent out as OS changes take place up until the microcode becomes available which will complete the entire fix for this vulnerability.
Update note 1/31:
VMware rolled back the (6.5) ESXi650-201801402-BG and (6.0) ESXi600-201801402-BG patches that contain the flawed Intel CPU microcode. However, installing new microcode packages on our ftServers does not result in the bogus microcode being loaded onto the CPUs; it is benign on ftServer.
The January patch bundles are no longer available for download. The patch bundles available on the VMware site are now ESXi650-201712001 for 6.5 U1 and ESXi600-201711001 for 6.0 U3; see the Matrix.