Today, Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors. These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received three CVE identifiers:
CVE-2018-3615 impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.
CVE-2018-3620 impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.
CVE-2018-3646 impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.
These vulnerabilities derive from a flaw in Intel processors, in which operations performed by a processor while using speculative execution can result in a compromise of the confidentiality of data between threads executing on a physical CPU core.
As with other variants of speculative execution side-channel issues (i.e., Spectre and Meltdown), successful exploitation of the L1TF vulnerabilities requires the attacker to be able to run malicious code on the targeted system. Therefore, the L1TF vulnerabilities are not directly exploitable against servers that do not allow the execution of untrusted code.
While Oracle has not yet received reports of successful exploitation of this speculative execution side-channel issue “in the wild,” Oracle has worked with Intel and other industry partners to develop technical mitigations against these issues.
The technical steps Intel recommends to mitigate L1TF vulnerabilities on affected systems include:
Ensuring that affected Intel processors are running the latest Intel processor microcode. Intel reports that the microcode update it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF.
Applying the necessary OS and virtualization software patches to affected systems. To be effective, OS patches require the presence of the updated Intel processor microcode, and the updated microcode by itself is not sufficient to protect against L1TF: both the microcode and the corresponding OS and virtualization software updates are required to mitigate the L1TF vulnerabilities present in Intel processors.
Disabling Intel Hyper-Threading technology in some situations. Disabling HT alone is not sufficient for mitigating L1TF vulnerabilities. Disabling HT will result in significant performance degradation.
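As an added example (not Oracle's or Intel's code), the following script maps the L1TF status string that a patched Linux kernel exposes in /sys/devices/system/cpu/vulnerabilities/l1tf onto the three mitigation steps above: OS patch present (reported as "PTE Inversion"), L1D flush state for VMX guests, and whether Hyper-Threading still leaves sibling threads exposed. The status formats are those documented for the Linux kernel; the sample strings in the test are constructed, and the step names returned are this example's own labels.

```python
"""Assess the Linux kernel's reported L1TF mitigation state (added example)."""
import os
import re
from typing import Dict, List, Optional

L1TF_SYSFS = "/sys/devices/system/cpu/vulnerabilities/l1tf"


def read_l1tf_status(path: str = L1TF_SYSFS) -> Optional[str]:
    """Return the kernel's l1tf status line, or None when sysfs lacks it."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


def parse_l1tf_status(status: str) -> Dict[str, object]:
    """Parse one l1tf status line (e.g. 'Mitigation: PTE Inversion; VMX:
    conditional cache flushes, SMT vulnerable') into a structured view."""
    s = status.strip()
    result: Dict[str, object] = {
        "raw": s,
        "affected": s != "Not affected",
        "os_mitigated": s.startswith("Mitigation: PTE Inversion"),
        "vmx_l1d": None,         # L1D flush state for KVM/VMX guests, if any
        "smt_vulnerable": None,  # True when Hyper-Threading still exposes L1TF
    }
    m = re.search(r"VMX: ([^,]+?)(?:, SMT (vulnerable|disabled))?$", s)
    if m:
        result["vmx_l1d"] = m.group(1).strip()
        if m.group(2):
            result["smt_vulnerable"] = m.group(2) == "vulnerable"
    return result


def outstanding_steps(status: str) -> List[str]:
    """Return the mitigation steps still open for this status line."""
    a = parse_l1tf_status(status)
    steps: List[str] = []
    if not a["affected"]:
        return steps
    if not a["os_mitigated"]:
        steps.append("os_patch")            # OS patch + microcode missing
    if a["vmx_l1d"] == "vulnerable":
        steps.append("hypervisor_l1d_flush")  # VMENTER L1D flush disabled
    # With EPT disabled guests cannot mount the attack; otherwise, unless the
    # kernel explicitly reports SMT disabled, sibling threads stay exposed.
    if a["vmx_l1d"] not in (None, "EPT disabled") and a["smt_vulnerable"] is not False:
        steps.append("review_hyperthreading")
    return steps


if __name__ == "__main__":
    live = read_l1tf_status()
    print(live or "l1tf sysfs entry not present (kernel lacks L1TF patches?)")
    if live:
        print("outstanding:", outstanding_steps(live) or "none")
```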
In response to the various L1TF Intel processor vulnerabilities:
Oracle recommends that administrators of x86-based systems carefully assess the L1TF threat for their systems and implement the appropriate security mitigations. Oracle will provide specific guidance for Oracle Engineered Systems.
Oracle has determined that Oracle SPARC servers are not affected by the L1TF vulnerabilities.
Oracle has determined that Oracle Intel x86 Servers are not impacted by vulnerability CVE-2018-3615 because the processors in use with these systems do not make use of Intel Software Guard Extensions (SGX).
Oracle Operating Systems (Linux and Solaris) and Virtualization
Oracle has released security patches for Oracle Linux 7, Oracle Linux 6 and Oracle VM Server for x86 products. In addition to the OS patches, customers should run the current version of the Intel microcode to mitigate these issues.
Oracle Linux customers can take advantage of Oracle Ksplice to apply these updates without needing to reboot their systems.
Oracle has determined that Oracle Solaris on x86 is not affected by vulnerabilities CVE-2018-3615 and CVE-2018-3620 regardless of the underlying Intel processor on these systems. It is however affected by vulnerability CVE-2018-3646 when using Kernel Zones. The necessary patches will be provided at a later date.
Oracle Solaris on SPARC is not affected by the L1TF vulnerabilities.
The Oracle Cloud Security and DevOps teams continue to work in collaboration with our industry partners on implementing the necessary mitigations to protect customer instances and data across all Oracle Cloud offerings: Oracle Cloud (IaaS, PaaS, SaaS), Oracle NetSuite, Oracle GBU Cloud Services, Oracle Data Cloud, and Oracle Managed Cloud Services.
Oracle’s first priority is to mitigate the risk of tenant-to-tenant attacks.
Oracle will notify and coordinate with the affected customers for any required maintenance activities as additional mitigating controls continue to be implemented.
Oracle has determined that a number of Oracle's cloud services are not affected by the L1TF vulnerabilities. They include Autonomous Data Warehouse service, which provides a fully managed database optimized for running data warehouse workloads, and Oracle Autonomous Transaction Processing service, which provides a fully managed database service optimized for running online transaction processing and mixed database workloads. No further action is required by customers of these services as both were found to require no additional mitigating controls based on service design and are not affected by the L1TF vulnerabilities (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646).
Bare metal instances in Oracle Cloud Infrastructure (OCI) Compute offer full control of a physical server and require no additional Oracle code to run. By design, the bare metal instances are isolated from other customer instances on the OCI network whether they be virtual machines or bare metal. However, for customers running their own virtualization stack on bare metal instances, the L1TF vulnerability could allow a virtual machine to access privileged information from the underlying hypervisor or other VMs on the same bare metal instance. These customers should review the Intel recommendations about vulnerabilities CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 and make changes to their configurations as they deem appropriate.
Note that many industry experts anticipate that new techniques leveraging these processor flaws will continue to be disclosed for the foreseeable future. Future speculative side-channel processor vulnerabilities are likely to continue to impact primarily operating systems and virtualization platforms, as addressing them will likely require both software and microcode updates. Oracle therefore recommends that customers remain on current security release levels, including firmware and applicable microcode updates (delivered as firmware or OS patches), as well as software upgrades.
For more information:
The information in this blog entry is also published as MOS Note 2434830.1: “Information about the L1TF Intel processor vulnerabilities (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646)”
Solaris customers should refer to MOS 2434208.1 : “L1 Terminal Fault (CVE-2018-3615, CVE-2018-3620, & CVE-2018-3646) Vulnerabilities” and MOS 2434206.1 : “Disabling x86 Hyperthreading in Oracle Solaris”
Oracle x86 hardware customers should refer to MOS 2434171.1 : “L1 Terminal Fault (CVE-2018-3620, CVE-2018-3646) Vulnerabilities on Oracle x86 Servers”
For information about the availability of Intel microcode for Oracle hardware, see MOS Note 2406316.1: “CVE-2018-3640 (Spectre v3a), CVE-2018-3639 (Spectre v4) Vulnerabilities: Intel Processor Microcode Availability (Doc ID 2406316.1)”
The “Oracle Cloud Security Response to Intel L1TF Vulnerabilities” is located at https://docs.cloud.oracle.com/iaas/Content/Security/Reference/L1TF_response.htm
The “Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Compute Service” is located at https://docs.cloud.oracle.com/iaas/Content/Security/Reference/L1TF_computeimpact.htm
The “Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Database Service” is located at https://docs.cloud.oracle.com/iaas/Content/Security/Reference/L1TF_databaseimpact.htm