Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-79-2386256.1
Update Date: 2018-04-24

Solution Type  Predictive Self-Healing Sure

Solution  2386256.1 :   Oracle SuperCluster — Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Vulnerabilities  


Related Items
  • SPARC SuperCluster T4-4 Full Rack
  • Oracle SuperCluster M7 Hardware
  • Oracle SuperCluster M6-32 Hardware
  • Oracle SuperCluster T5-8 Hardware
  • SPARC SuperCluster T4-4
  • Oracle SuperCluster T5-8 Half Rack
  • Oracle SuperCluster M8 Hardware
  • SPARC SuperCluster T4-4 Half Rack
  • Oracle SuperCluster T5-8 Full Rack
  • Oracle SuperCluster Specific Software
Related Categories
  • PLA-Support>Eng Systems>Exadata/ODA/SSC>SPARC SuperCluster>DB: SuperCluster_EST




In this Document
Purpose
Details
 SPARC Systems in Oracle SuperCluster
 Spectre Variant 1 (CVE-2017-5753)
 Spectre Variant 2 (CVE-2017-5715)
 Meltdown (CVE-2017-5754)
 Other Systems in Oracle SuperCluster
 Exadata Storage Servers
 ZFS Storage Appliance
 Cisco Management Switches
 Other SuperCluster Components
 Addressing Vulnerabilities on Oracle SuperCluster
 New Installs
 Existing Installs
 Performance Implications
 General Recommendations
References


Applies to:

Oracle SuperCluster M8 Hardware
Oracle SuperCluster M7 Hardware
Oracle SuperCluster M6-32 Hardware
Oracle SuperCluster T5-8 Hardware
SPARC SuperCluster T4-4
Information in this document applies to any platform.

Purpose

Information Document for Oracle SuperCluster — Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Vulnerabilities.

Details

Last updated: 13-Apr-2018 (v0.6)

SPARC Systems in Oracle SuperCluster

Spectre Variant 1 (CVE-2017-5753)

Oracle has determined that certain SPARC systems are affected by the Spectre Variant 1 (CVE-2017-5753) vulnerability, including SPARC systems used in all SuperCluster platform releases.


In response to this vulnerability, Oracle has developed updates to the System Firmware for the SPARC hypervisor, and to the Oracle Solaris operating system for affected systems. Responding to Spectre Variant 1 on SPARC Solaris systems requires installing both sets of changes.

Spectre Variant 2 (CVE-2017-5715)

Oracle has determined that certain SPARC systems are affected by the Spectre Variant 2 (CVE-2017-5715) vulnerability, including SPARC systems used in all SuperCluster platform releases.


Oracle has developed changes to the System Firmware for T5, M6, M7, and M8 based SPARC systems which enable a hardware-based solution to address this vulnerability for all software running on the system, including the hypervisor, operating system, and applications. Changes to System Firmware for T4 based SPARC systems are pending.

Meltdown (CVE-2017-5754)

Based on current information, Oracle believes that Oracle Solaris versions running on SPARCv9 hardware are not impacted by the Meltdown (CVE-2017-5754) vulnerability. This includes all SPARC systems used in all SuperCluster platform releases.


Further details about the Spectre and Meltdown vulnerabilities and implications for SPARC/Solaris systems are provided in the following MOS document: Oracle Solaris on SPARC — Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Vulnerabilities (Doc ID 2349278.1).

Other Systems in Oracle SuperCluster

Exadata Storage Servers

Oracle has developed changes to address the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities for all firmware and software running on Exadata Storage Servers.


For more information, refer to the following MOS document: Oracle Exadata Database Machine Patch Availability Document for CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 (Doc ID 2356385.1).

ZFS Storage Appliance

For information about the ZFS Storage Appliance, refer to the following MOS document: Oracle Solaris on x86 — Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Vulnerabilities (Doc ID 2383531.1).

Cisco Management Switches

The Cisco Nexus 9000 (C93108TC-EX) management switch used in the Oracle SuperCluster M8 platform is vulnerable to the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities. Cisco has advised that it will release software updates that address these vulnerabilities.

Other SuperCluster Components

Based on current information, Oracle believes that other components used in Oracle SuperCluster are not impacted by the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities. These Oracle SuperCluster components include the following:

  • Cisco 4948/4948E-F-S management switches used in Oracle SuperCluster platform releases prior to Oracle SuperCluster M8
  • NanoMagnum2 (NM2) InfiniBand switches used in all Oracle SuperCluster platform releases
  • Power Distribution Units (PDUs) used in all Oracle SuperCluster platform releases

Addressing Vulnerabilities on Oracle SuperCluster

New Installs

New Oracle SuperCluster M8 installs will be based on Oracle SuperCluster Release 2.6, which incorporates the latest System Firmware and Operating System updates required to address Spectre and Meltdown vulnerabilities for SPARC servers and for Exadata Storage Servers.

Existing Installs

For existing customers, the April 2018 Quarterly Full Stack Download Patch (QFSDP) includes the latest System Firmware and Operating System updates required to address Spectre and Meltdown vulnerabilities for T5, M6, M7, and M8 based SPARC servers and for Exadata Storage Servers. For more details on the SuperCluster QFSDP, refer to the following MOS document: Contents of each SuperCluster Quarterly Full Stack Download Patch (QFSDP) (Doc ID 2056975.1).

Performance Implications

It has been widely reported that the mitigation measures associated with these processor vulnerabilities can negatively affect system performance.


For more details on possible performance impacts for SPARC servers, refer to the following MOS document: Performance impact of technical mitigation measure against vulnerability CVE-2017-5715 (Spectre v2) on SPARC Servers (Doc ID 2386271.1).


For Exadata Storage Servers, refer to the following MOS document: Performance impact of mitigation measures against CVE-2017-5754 and CVE-2017-5753 on Oracle Database, Oracle Exadata, and Oracle Zero Data Loss Recovery Appliance (Doc ID 2357480.1).

General Recommendations

Oracle further recommends that customers prevent the execution of untrusted code as much as possible, because executing such code is a condition for exploiting CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown). Oracle also recommends that you review the privileges associated with your systems, and periodically review your security logs in light of these vulnerabilities.


  Copyright © 2018 Oracle, Inc.  All rights reserved.