Today, Intel disclosed a new set of speculative execution side channel vulnerabilities, collectively referred as “Microarchitectural Data Sampling” (MDS). These vulnerabilities affect a number of Intel processors and have received four distinct CVE identifiers to reflect how they impact the different microarchitectural structures of the affected Intel processors:
While vulnerability CVE-2019-11091 has received a CVSS Base Score of 3.8, the other vulnerabilities have all been rated with a CVSS Base Score of 6.5. As a result of the flaw in the architecture of these processors, an attacker who can execute malicious code locally on an affected system can compromise the confidentiality of data previously handled on the same thread or compromise the confidentiality of data from other hyperthreads on the same processor as the thread where the malicious code executes. As a result, MDS vulnerabilities are not directly exploitable against servers that do not allow the execution of untrusted code.
These vulnerabilities are collectively referred as Microarchitectural Data Sampling issues (MDS issues) because they refer to issues related to microarchitectural structures of the Intel processors other than the level 1 data cache. The affected microarchitectural structures in the affected Intel processors are the Data Sampling Uncacheable Memory (uncacheable memory on some microprocessors utilizing speculative execution), the store buffers (temporary buffers to hold store addresses and data), the fill buffers (temporary buffers between CPU caches), and the load ports (temporary buffers used when loading data into registers). MDS issues are therefore distinct from the previously-disclosed Rogue Data Cache Load (RDCL) and L1 Terminal Fault (L1TF) issues.
Effectively mitigating these MDS vulnerabilities will require updates to Operating Systems and Virtualization software in addition to updated Intel CPU microcode.
While Oracle has not yet received reports of successful exploitation of these issues “in the wild,” Oracle has worked with Intel and other industry partners to develop technical mitigations against these issues.
In response to these MDS issues:
Oracle Operating Systems (Linux and Solaris) and Virtualization:
As previously anticipated, we continue to expect that new techniques leveraging speculative execution flaws in processors will continue to be disclosed. These issues are likely to continue to impact primarily operating systems and virtualization platforms and addressing these issues will likely continue to require software update and microcode update. Oracle therefore recommends that customers remain on current security release levels, including firmware, and applicable microcode updates (delivered as Firmware or OS patches), as well as software upgrades.
For more information:
Oracle Linux customers can refer to the bulletins located at https://linux.oracle.com/cve/CVE-2019-11091.html, https://linux.oracle.com/cve/CVE-2018-12126.html, https://linux.oracle.com/cve/CVE-2018-12130.html, https://linux.oracle.com/cve/CVE-2018-12127.html
For information about the availability of Intel microcode for Oracle hardware, see Intel MDS vulnerabilities (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127: Intel Processor Microcode Availability (Doc ID 2540606.1) and Intel MDS (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130 and CVE-2018-12127) Vulnerabilities in Oracle x86 Servers (Doc ID 2540621.1)
Oracle Solaris customers should refer to Intel MDS Vulnerabilities (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127): Oracle Solaris Impact (Doc ID 2540522.1)
Oracle Cloud Infrastructure (OCI) customers should refer to https://docs.cloud.oracle.com/iaas/Content/Security/Reference/MDS_response.htm