On March 10th, 2020, security researchers published a paper titled “TRRespass: Exploiting the Many Sides of Target Row Refresh”. This paper describes a new kind of attack against certain DDR4 Dynamic Random Access Memory (DRAM) modules which were previously thought to be immune to Rowhammer-style attacks.
Rowhammer issues result from unintended interactions between memory cells that are physically close together. These issues were first identified with DDR3 DIMM memory modules, and the initial mitigations focused on the use of increased memory refresh rates. Starting with DDR4, however, DRAM suppliers embedded Rowhammer protection known as Targeted Row Refresh (TRR) inside the DRAM modules.
The March 10th paper describes variations of the original Rowhammer exploit, which can bypass the TRR defenses in some DDR4 DIMMs. The researchers have reported that the applicability of these techniques varies according to the DRAM design and manufacturing process. Note, however, that Rowhammer-derived attacks would require an attacker to have the ability to execute malicious code locally on the targeted machines.
At this point in time, Oracle has determined that:
Oracle is performing additional security testing using the new TRRespass technique. At this point in time, Oracle has not determined that this technique can be exploited against Oracle SPARC servers or Oracle x86 servers, including those used in Oracle Cloud Infrastructure and Oracle Exadata Engineered systems.
It is important to remember that any Rowhammer or derivative attack, such as the new TRRespass technique, requires that an attacker be able to locally execute malicious code against the targeted system. Therefore, Oracle recommends that customers follow good security practices, including maintaining least privilege principles and keeping operating system software and firmware up to date.
Oracle will continue to investigate these issues and will provide, as needed, updated information to customers on My Oracle Support. For more information about Oracle Corporate Security Practices, see https://www.oracle.com/corporate/security-practices/