Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-79-2377658.1
Update Date:2018-05-24

Solution Type  Predictive Self-Healing Sure

Solution  2377658.1 :   Oracle Database Appliance Patch Availability Document for CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754  


Related Items
  • Oracle Database Appliance
Related Categories
  • PLA-Support>Eng Systems>Exadata/ODA/SSC>Oracle Database Appliance>DB: ODA_EST
  • Tools>Type>Advisor


Status of Oracle Database Appliance with respect to the publicly disclosed CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Intel processor vulnerabilities.

In this Document
Purpose
Details
 Oracle Database Appliance Patch Availability Table
 Verifying the Mitigation
 For Bare Metal and ODA_BASE of ODA virtualized deployments
 Dom0 of ODA virtualized deployments:


Applies to:

Oracle Database Appliance - Version All Versions to All Versions [Release All Releases]
Linux x86-64

Purpose

This document lists the status of Oracle Database Appliance with respect to the publicly disclosed CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Intel processor vulnerabilities.

Details

Oracle recommends that you prevent as much as possible the execution of discretionary code from an untrusted source, which is a condition for the exploitation of vulnerabilities CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown). Oracle recommends that you review the privileges associated with your systems, and periodically review your security logs in light of these vulnerabilities (e.g., to identify newly-created accounts or newly-installed applications). Oracle will continue to investigate these vulnerabilities, and will produce additional patches to respond to these processor issues, if applicable, and in accordance with Oracle’s security update policies.

Oracle recommends that customers keep up with security patches for relevant operating systems, virtualization technologies, and related hardware when their respective vendors or maintainers release updated security patches.

The following table lists the minimum versions of Oracle Database Appliance Software required to resolve the vulnerabilities specified below. If you already have a higher version of the patch installed on your system, no further action is required.

Oracle Database Appliance Patch Availability Table

 ODA Patch Version                                   | CVE-2017-5715     | CVE-2017-5753          | CVE-2017-5754
 12.2.1.3                                            | Targeting 12.2.1.4 | Included               | Included
 12.2.1.4 (target release timeframe: June/July 2018) | 12.2.1.4 (Note 1) | Included with 12.2.1.3 | Included with 12.2.1.3

 Note 1. ODA X7-2S/M/HA - Skypass CPU does not support retpoline, but does include microcode mitigation for CVE-2017-571

Verifying the Mitigation

For Bare Metal and ODA_BASE of ODA virtualized deployments

# cat /sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation:PTI 

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: lfence

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
/* Output for ODA V1, X3-2, X4-2, X5-2, X6-2S, X6-2M, X6-2L, X6-2-HA */
Mitigation: Full generic retpoline, IBRS_FW, IBPB

/* Output for X7-2S, X7-2M, X7-2-HA */
Mitigation: IBRS, IBRS_FW, IBPB
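
The sysfs checks above can be scripted so that each node is compared against the values this document lists for its hardware generation. The following is an added example, not part of Oracle's document: the function name check_oda_mitigations and the class names retpoline and ibrs are assumptions, and the comparison is an exact match on the outputs shown above.

```sh
#!/bin/sh
# Added example (not Oracle code). Function and class names are assumptions.
# Usage: check_oda_mitigations retpoline|ibrs [sysfs-dir]
#   retpoline: ODA V1, X3-2, X4-2, X5-2, X6-2S, X6-2M, X6-2L, X6-2-HA
#   ibrs:      X7-2S, X7-2M, X7-2-HA
check_oda_mitigations() {
    class=$1
    dir=${2:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    # Expected spectre_v2 value depends on the hardware generation.
    case $class in
        retpoline) v2='Full generic retpoline, IBRS_FW, IBPB' ;;
        ibrs)      v2='IBRS, IBRS_FW, IBPB' ;;
        *) echo "usage: check_oda_mitigations retpoline|ibrs [dir]" >&2
           return 2 ;;
    esac
    # file=expected pairs, taken from the outputs listed in this document.
    for pair in "meltdown=PTI" "spectre_v1=lfence" "spectre_v2=$v2"; do
        file=${pair%%=*}
        expect=${pair#*=}
        if [ ! -r "$dir/$file" ]; then
            # Status file absent: this kernel does not report the mitigation.
            echo "FAIL $file: $dir/$file not readable"
            rc=1
            continue
        fi
        actual=$(cat "$dir/$file")
        # Keep only the text after "Mitigation:", trimmed; anything else
        # (for example "Vulnerable") yields an empty value and fails below.
        value=$(printf '%s\n' "$actual" |
            sed -n 's/^Mitigation:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p')
        if [ "$value" = "$expect" ]; then
            echo "OK   $file: $value"
        else
            echo "FAIL $file: got '$actual', expected 'Mitigation: $expect'"
            rc=1
        fi
    done
    return "$rc"
}

# Run the check when the script is invoked with a platform class argument.
if [ "$#" -gt 0 ]; then
    check_oda_mitigations "$@"
fi
```

The function returns 0 only when all three files match, 1 on any mismatch or missing file, and 2 on an unknown class, so it can be run across nodes and the exit status collected.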

Dom0 of ODA virtualized deployments:

# xm dmesg|grep -A3 "Speculative mitigation facilities"
/* Output for ODA V1, X3-2, X4-2, X5-2, X6-2S, X6-2M, X6-2L, X6-2-HA */
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: SMEP IBRS/IBPB STIBP
(XEN) Compiled-in support: INDIRECT_THUNK
(XEN) BTI mitigations: Thunk RETPOLINE, Others: IBRS- IBPB SMEP RSB_VMEXIT RSB_NATIVE

/* Output for X7-2S, X7-2M, X7-2-HA */
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: SMEP IBRS/IBPB STIBP
(XEN) Compiled-in support: INDIRECT_THUNK
(XEN) BTI mitigations: Thunk JMP, Others: IBRS+ IBPB SMEP RSB_VMEXIT RSB_NATIVE

 

Additional References:

  • https://blogs.oracle.com/linux/an-update-on-retpoline-enabled-kernels-for-oracle-linux-v2
  • Responding to the CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) vulnerabilities in Oracle Linux and Oracle VM on Oracle x86 Servers (Doc ID 2370398.1)

  Copyright © 2018 Oracle, Inc.  All rights reserved.