Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-79-2348852.1
Update Date: 2018-05-29

Solution Type  Predictive Self-Healing Sure

Solution  2348852.1 :   Patch Availability for CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) vulnerabilities on Oracle Exalogic Linux Physical and Virtual Racks  


Related Items
  • Exalogic Elastic Cloud X4-2 Quarter Rack
  • Oracle Exalogic Elastic Cloud Software
Related Categories
  • PLA-Support>Eng Systems>Exalogic/OVCA>Oracle Exalogic>MW: Exalogic Core




In this Document
Purpose
Scope
Details
 Affected Exalogic Releases
 Exalogic Physical Linux
 Compute Nodes running Oracle Linux 7.x
 Compute Nodes running Oracle Linux 6.x
 Compute Nodes running Oracle Linux 5.x
 Exalogic Virtual
 Compute nodes (dom0)
 Guest vServers running Oracle Linux 6.x
 Guest vServers running Oracle Linux 5.x
 Exalogic Control vServers
 Oracle Linux 5 (i.e. OL5) Remediation Guidelines
References


Applies to:

Oracle Exalogic Elastic Cloud Software - Version 2.0.0.0.0 to 2.0.6.3.180116
Exalogic Elastic Cloud X4-2 Quarter Rack - Version X4 to X4 [Release X4]
Linux x86-64
Oracle Virtual Server(x86-64)

Purpose

This document provides information on versions of Exalogic Linux Physical and Virtual environments affected by CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) vulnerabilities and instructions on how to remediate the vulnerabilities on Compute Nodes and vServers.

NOTE

For the performance impact of the current mitigation measures against the CVE-2017-5753 (Spectre v1) and CVE-2017-5754 (Meltdown) processor vulnerabilities on Oracle Exalogic, review the following document:

Performance impact of mitigation measures against CVE-2017-5753 and CVE-2017-5754 on Oracle Exalogic (Doc ID 2387546.1)

Scope

 

Details

Affected Exalogic Releases

  • All releases of EECS for Exalogic Physical Linux.
  • All releases of EECS for Exalogic Virtual.

Exalogic Physical Linux

Compute Nodes running Oracle Linux 7.x

The EECS 2.0.6.4.0 OL7 Physical Linux release includes fixes for CVE-2017-5753 (Spectre v1) and CVE-2017-5754 (Meltdown).

To remediate CVE-2017-5715 (Spectre v2), upgrade the ILOM on all compute nodes to the fixed version for each compute node model, as described in the following document:

CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities : Intel Processor Microcode Availability Document (Doc ID 2370428.1)

Specifically:

For Exalogic X6-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/39.10.03.00
For Exalogic X5-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/30.13.04.00
For Exalogic X4-2 nodes, upgrade ILOM/BIOS to v4.0.2.27.a r123795/25.06.03.00
For Exalogic X3-2 nodes, upgrade ILOM/BIOS to v4.0.2.27 r124478/17.14.02.00
For Exalogic X2-2 nodes, upgrade ILOM/BIOS to v3.2.11.20.a r123801/08.14.01.14

NOTE

Following the ILOM/BIOS upgrade, CheckHWnFWProfile will display failures related to the ILOM and BIOS version checks. These failures may be ignored.

The above ILOM/BIOS fixes are included in the April 2018 PSU, except for X2-2. For X2-2, upgrade the ILOM/BIOS to the version listed above.

For instructions on upgrading the Compute Node ILOMs, review Exalogic: Upgrading Compute Node ILOM in Physical and Virtual Configurations (Doc ID 2396658.1)

Compute Nodes running Oracle Linux 6.x

The OL6 Physical Linux OS patch to remediate CVE-2017-5753 (Spectre v1) and CVE-2017-5754 (Meltdown) is applicable to EECS 2.0.6.2.0 and higher: Patch 27356394

To remediate CVE-2017-5715 (Spectre v2), upgrade the ILOM on all compute nodes to the fixed version for each compute node model, as described in the following document:

CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities : Intel Processor Microcode Availability Document (Doc ID 2370428.1)

Specifically:

For Exalogic X6-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/39.10.03.00
For Exalogic X5-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/30.13.04.00
For Exalogic X4-2 nodes, upgrade ILOM/BIOS to v4.0.2.27.a r123795/25.06.03.00
For Exalogic X3-2 nodes, upgrade ILOM/BIOS to v4.0.2.27 r124478/17.14.02.00
For Exalogic X2-2 nodes, upgrade ILOM/BIOS to v3.2.11.20.a r123801/08.14.01.14


NOTE

Following the ILOM/BIOS upgrade, CheckHWnFWProfile will display failures related to the ILOM and BIOS version checks. These failures may be ignored.

The above ILOM/BIOS fixes are included in the April 2018 PSU, except for X2-2. For X2-2, upgrade the ILOM/BIOS to the version listed above.

For instructions on upgrading the Compute Node ILOMs, review Exalogic: Upgrading Compute Node ILOM in Physical and Virtual Configurations (Doc ID 2396658.1)

 

NOTE

The OL6 fix is included in Exalogic April 2018 PSU.

Compute Nodes running Oracle Linux 5.x

For CVE-2017-5753 (Spectre v1) and CVE-2017-5754 (Meltdown) fixes for the OS, see Oracle Linux 5 (i.e. OL5) Remediation Guidelines.

To remediate CVE-2017-5715 (Spectre v2), upgrade the ILOM on all compute nodes to the fixed version for each compute node model, as described in the following MOS note:

CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities : Intel Processor Microcode Availability Document (Doc ID 2370428.1)

Specifically:

For Exalogic X6-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/39.10.03.00
For Exalogic X5-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/30.13.04.00
For Exalogic X4-2 nodes, upgrade ILOM/BIOS to v4.0.2.27.a r123795/25.06.03.00
For Exalogic X3-2 nodes, upgrade ILOM/BIOS to v4.0.2.27 r124478/17.14.02.00
For Exalogic X2-2 nodes, upgrade ILOM/BIOS to v3.2.11.20.a r123801/08.14.01.14


NOTE

Following the ILOM/BIOS upgrade, CheckHWnFWProfile will display failures related to the ILOM and BIOS version checks. These failures may be ignored.

The above ILOM/BIOS fixes are included in the Exalogic April 2018 PSU, except for X2-2. For X2-2, upgrade the ILOM/BIOS to the version listed above.

For instructions on upgrading the Compute Node ILOMs, review Exalogic: Upgrading Compute Node ILOM in Physical and Virtual Configurations (Doc ID 2396658.1)

 

INTERNAL SUPPORT NOTE

The OL5 Physical Linux patch is applicable to EECS 2.0.6.2.0 and higher: Patch 27356388

The above OL5 patch is currently configured to be Distributed by Development (not Support).

Please contact the Exalogic SCG Engineer(s) if you get a Service Request for the OL5 patch from customers who have paid for Extended Support for OL5.

Exalogic Virtual

Compute nodes (dom0)

The dom0 patch is applicable to the following EECS versions: Patch 27912482

  • 2.0.6.2.170418 (Apr 2017 PSU)
  • 2.0.6.3.170718 (Jul 2017 PSU)
  • 2.0.6.3.171017 (Oct 2017 PSU)
  • 2.0.6.3.180116 (Jan 2018 PSU)
  • 2.0.6.3.180417 (Apr 2018 PSU)

NOTE

This patch is not applicable to dom0 nodes running EECS 2.0.6.3.0 or running EECS versions earlier than Apr 2017 PSU.

This patch delivers kernel and xen updates.

To remediate CVE-2017-5715 (Spectre v2), upgrade the ILOM on all compute nodes to the fixed version for each compute node model, as described in the following MOS note:

CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities : Intel Processor Microcode Availability Document (Doc ID 2370428.1)

Specifically:

For Exalogic X6-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/39.10.03.00
For Exalogic X5-2 nodes, upgrade ILOM/BIOS to v4.0.2.26.a r123797/30.13.04.00
For Exalogic X4-2 nodes, upgrade ILOM/BIOS to v4.0.2.27.a r123795/25.06.03.00
For Exalogic X3-2 nodes, upgrade ILOM/BIOS to v4.0.2.27 r124478/17.14.02.00
For Exalogic X2-2 nodes, upgrade ILOM/BIOS to v3.2.11.20.a r123801/08.14.01.14


NOTE

Following the ILOM/BIOS upgrade, CheckHWnFWProfile will display failures related to the ILOM and BIOS version checks. These failures may be ignored.

The above ILOM/BIOS fixes are included in the Exalogic April 2018 PSU, except for X2-2. For X2-2, upgrade the ILOM/BIOS to the version listed above.

For instructions on upgrading the Compute Node ILOMs, review Exalogic: Upgrading Compute Node ILOM in Physical and Virtual Configurations (Doc ID 2396658.1)

Guest vServers running Oracle Linux 6.x

The patch is applicable to the following versions running within OL6 vServers: Patch 27356293

  • 2.0.6.2.170418 (Apr 2017 PSU)
  • 2.0.6.3.170718 (Jul 2017 PSU)
  • 2.0.6.3.171017 (Oct 2017 PSU)
  • 2.0.6.3.180116 (Jan 2018 PSU)

NOTE

This patch is not applicable to OL6 guest vServers running 2.0.6.3.0 or to guest vServers running EECS versions earlier than Apr 2017 PSU. The OL6 fix is included in the Exalogic April 2018 PSU.

Guest vServers running Oracle Linux 5.x

See the section Oracle Linux 5 (i.e. OL5) Remediation Guidelines.

INTERNAL SUPPORT NOTE

The OL5 Guest vServer patch is applicable to the following EEST versions: Patch 27356283

  • 2.0.6.2.170418 (Apr 2017 PSU)
  • 2.0.6.3.170718 (Jul 2017 PSU)
  • 2.0.6.3.171017 (Oct 2017 PSU)
  • 2.0.6.3.180116 (Jan 2018 PSU)

The above OL5 patch is currently configured to be Distributed by Development (not Support).

Please contact the Exalogic SCG Engineer(s) if you get a Service Request for the OL5 patch from customers who have paid for Extended Support for OL5.

Exalogic Control vServers

The Exalogic Control vServers (i.e. EC, PC1 and PC2) patch is applicable to the following EEST versions: Patch 27523690

  • 2.0.6.2.170418 (Apr 2017 PSU)
  • 2.0.6.3.170718 (Jul 2017 PSU)
  • 2.0.6.3.171017 (Oct 2017 PSU)
  • 2.0.6.3.180116 (Jan 2018 PSU)

NOTE

The Exalogic Control Stack fixes are included in the Exalogic April 2018 PSU.

 

IMPORTANT

If the Spectre and Meltdown OS Linux patches from this document have been applied to the guest vServers, Control Stack vServers, or Compute Nodes, and those patched OS components are subsequently upgraded to the latest PSU (i.e. lower than April 2018 PSU), then the corresponding Spectre and Meltdown OS Linux patches need to be re-applied.

Patch re-application fails with the error "Patch XXXXXX is already applied. Exiting..."

For example, the OL6 guest will fail as follows:

[root@OL6-VM ~]# cd /root/27356293/BaseTemplate/2.0.6.2.x/scripts/
[root@OL6-VM scripts]# ./egbt_patch.sh
INFO: Thu May 17 11:09:13 EDT 2018: Guest vServer template version: 2.0.6.3.180116
INFO: Thu May 17 11:09:13 EDT 2018: Patch 27356293 is already applied. Exiting...
[root@OL6-VM scripts]#

To fix this issue, re-apply the corresponding patch with the --force option.

For example:

[root@OL6-VM ~]# cd /root/27356293/BaseTemplate/2.0.6.2.x/scripts/
[root@OL6-VM scripts]# ./egbt_patch.sh --force
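
The following shell functions are an added example, not part of Oracle's note or of the egbt_patch.sh tooling; they classify captured egbt_patch.sh output for an OL6 guest vServer according to the rules above. The function names and result labels are hypothetical, and the example assumes that the last dotted field of the template version is the PSU date stamp (as in 2.0.6.3.180116) and that the script was run after a PSU upgrade.

```shell
#!/bin/sh
# Added example: decide what to do with egbt_patch.sh output on an OL6 guest.
# Constructed sample log, modelled on the session shown in this document.
SAMPLE_LOG='INFO: Thu May 17 11:09:13 EDT 2018: Guest vServer template version: 2.0.6.3.180116
INFO: Thu May 17 11:09:13 EDT 2018: Patch 27356293 is already applied. Exiting...'

FIRST_PSU=170418   # Apr 2017 PSU: earliest version the OL6 guest patch applies to
FIXED_PSU=180417   # Apr 2018 PSU: already includes the OL6 fix

# Print the template version reported in the log (empty if none is found).
template_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*template version: *\([0-9.]*\).*/\1/p' | head -n 1
}

# Print one of: force-reapply, included-in-psu, not-applicable,
# no-action, unknown (labels are this example's own).
classify_patch_log() {
    log=$1
    ver=$(template_version "$log")
    [ -n "$ver" ] || { echo unknown; return 0; }
    stamp=${ver##*.}                 # last dotted field, e.g. 180116
    case $stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;   # YYMMDD PSU stamp
        *) echo not-applicable; return 0 ;;  # base release such as 2.0.6.3.0
    esac
    if [ "$stamp" -lt "$FIRST_PSU" ]; then
        echo not-applicable          # earlier than Apr 2017 PSU
    elif [ "$stamp" -ge "$FIXED_PSU" ]; then
        echo included-in-psu         # fix ships with Apr 2018 PSU
    elif printf '%s\n' "$log" |
            grep -Eq 'Patch [0-9]+ is already applied\. Exiting'; then
        echo force-reapply           # re-run the script with --force
    else
        echo no-action               # script did not refuse to apply
    fi
}

classify_patch_log "$SAMPLE_LOG"
```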

 

Oracle Linux 5 (i.e. OL5) Remediation Guidelines

Please refer to the following MOS note for Exalogic:

Oracle Linux 5 Lifetime Support Policy on Exalogic (Doc ID 2242435.1)

As mentioned in Doc ID 2242435.1, Oracle Linux 5 reached its end of Premier Support in June 2017. Per policy, customers who have not migrated onto newer versions of the OS can utilize Extended and Sustaining Support for OL5.

Fixes for CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) for OL5 are released through Extended Support channels. Exalogic customers who need this remediation for their OL5 compute nodes (Physical config) or OL5 Guest vServers (Virtual config) need to purchase Extended Support for OL5. We recommend that you work with your Account team to engage Support Sales Reps to discuss details of Extended Support.

If you have already purchased Extended Support for OL5, please indicate so in your Service Request; we will subsequently provide you with the patches for OL5 through your Service Request.

As also mentioned in the above Doc ID 2242435.1, the end of Premier Support for OL5 does not apply to Oracle VM Server 3.2.x running on compute nodes (dom0) in Exalogic Virtual.

References

<NOTE:2370428.1> - CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities : Intel Processor Microcode Availability Document
<NOTE:2370398.1> - Responding to the CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) vulnerabilities in Oracle Linux and Oracle VM on Oracle x86 Servers
<NOTE:2387546.1> - Performance impact of mitigation measures against CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) on Oracle Exalogic
<NOTE:2242435.1> - Oracle Linux 5 Lifetime Support Policy on Exalogic
<NOTE:2010538.1> - Information Related to Oracle’s Handling of Linux Security Fixes Prior to their Availability on Certain Oracle-Engineered Systems
<NOTE:2008890.1> - Master Note: Exalogic Security Vulnerabilities
<NOTE:2347948.1> - Addendum to the January 2018 CPU Advisory for Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754) vulnerabilities
<NOTE:2396658.1> - Exalogic: Upgrading Compute Node ILOM in Physical and Virtual Configurations

Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.