
Latest OVS 3.4.x updates - updated bios - Spectre/meltdown flaws still present ? (same h/w + rhel7/K

morgan cox, Apr 3 2018 (edited Apr 11 2018)

Hi.

I have installed the latest BIOS for our servers (HP Gen9/DL360) and installed the latest OVS updates (via yum); however, when I run the Meltdown/Spectre checker it shows Variant 2 and Variant 3 as still vulnerable, both on the hypervisor and in the VMs.

On the same hardware with standard RHEL7, using KVM, the script shows all three variants as fixed.

I am using the redhat script from -> https://access.redhat.com/security/vulnerabilities/speculativeexecution

i.e.:

# ./spectre-meltdown-180327_0.sh

This script is primarily designed to detect Spectre / Meltdown on supported
Red Hat Enterprise Linux systems and kernel packages.
Result may be inaccurate for other RPM based systems.

Detected CPU vendor: Intel
Running kernel: 4.1.12-112.14.15.el6uek.x86_64

Variant #1 (Spectre): Not affected
CVE-2017-5753 - speculative execution bounds-check bypass
   - Kernel with mitigation patches: OK

Variant #2 (Spectre): Vulnerable
CVE-2017-5715 - speculative execution branch target injection
   - Kernel with mitigation patches: OK
   - HW support / updated microcode: NO
   - IBRS: Not disabled on kernel commandline
   - IBPB: Not disabled on kernel commandline
   - Retpolines: Not disabled on kernel commandline

Variant #3 (Meltdown): Vulnerable
CVE-2017-5754 - speculative execution permission faults handling
   - Kernel with mitigation patches: OK
   - PTI: Not disabled on kernel commandline

Red Hat recommends that you:
* Ask your HW vendor for CPU microcode update.

Note about virtualization
In virtualized environment, there are more steps to mitigate the issue, including:
* Host needs to have updated kernel and CPU microcode
* Host needs to have updated virtualization software
* Guest needs to have updated kernel
* Hypervisor needs to propagate new CPU features correctly

For more details about mitigations in virtualized environment see:
https://access.redhat.com/articles/3331571

For more information about the vulnerabilities see:
https://access.redhat.com/security/vulnerabilities/speculativeexecution

However, the exact same BIOS version on RHEL7 shows all three flaws as fixed, both on a KVM host and in a KVM VM.

I also see this:

# dmesg | grep 'Kernel/User page tables isolation'
[    0.000000] Kernel/User page tables isolation: disabled

Is this just an issue with the Spectre checker script, or is Oracle VM still actually vulnerable and still in need of kernel, etc. updates?
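The checker output above combines three inputs for variants 2 and 3: whether the running kernel carries the mitigation patches, whether the CPU exposes the microcode-provided features (on a guest, only the flags the hypervisor chose to propagate are visible, which is why a patched host can still leave a VM reporting "HW support / updated microcode: NO"), and whether anything on the kernel command line switched the mitigation off, plus the kernel's own PTI boot message for variant 3. The script below is an added example, not code from the original post or from Red Hat's checker; it reproduces that decision logic over constructed sample inputs so the effect of each input can be seen in isolation. The flag names (spec_ctrl, ibpb) and command-line options (noibrs, noibpb, nopti) are assumed to match the kernels discussed here and vary between kernel versions, so check your own kernel's documentation before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post or Red Hat's checker). Mirrors the
# inputs a Spectre/Meltdown checker combines for variants 2 and 3:
#   - CPU flags from /proc/cpuinfo (on a guest: only what the hypervisor passes in)
#   - the kernel command line
#   - the kernel's "Kernel/User page tables isolation" boot message
# Flag and option names are ASSUMED to match the kernels under discussion.

# word_in "LIST" WORD -> true when WORD appears as a whole word in LIST
word_in() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# variant2_status "FLAGS" "CMDLINE" -> prints one verdict token:
#   mitigated           microcode feature visible and not disabled
#   vulnerable-cmdline  IBRS or IBPB switched off on the command line
#   vulnerable-nohw     no spec_ctrl/ibpb flag: old microcode, or not propagated to the guest
variant2_status() {
    flags=$1 cmdline=$2
    if word_in "$cmdline" noibrs || word_in "$cmdline" noibpb; then
        echo vulnerable-cmdline; return 0
    fi
    if word_in "$flags" spec_ctrl && word_in "$flags" ibpb; then
        echo mitigated; return 0
    fi
    echo vulnerable-nohw
}

# variant3_status "DMESG" "CMDLINE" -> prints one verdict token:
#   mitigated           PTI reported enabled at boot
#   vulnerable-cmdline  nopti on the command line
#   vulnerable-pti-off  kernel booted with PTI disabled for some other reason
#   unknown             no PTI line at all (kernel predates the patch, or buffer rotated)
variant3_status() {
    dmesg=$1 cmdline=$2
    if word_in "$cmdline" nopti; then
        echo vulnerable-cmdline; return 0
    fi
    case "$dmesg" in
        *"Kernel/User page tables isolation: enabled"*)  echo mitigated ;;
        *"Kernel/User page tables isolation: disabled"*) echo vulnerable-pti-off ;;
        *) echo unknown ;;
    esac
}

# live_report: the same checks against the running system (dmesg may need root)
live_report() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-)
    cmdline=$(cat /proc/cmdline)
    pti=$(dmesg 2>/dev/null | grep 'Kernel/User page tables isolation' || true)
    echo "variant2: $(variant2_status "$flags" "$cmdline")"
    echo "variant3: $(variant3_status "$pti" "$cmdline")"
}

# Constructed sample inputs (not captured from any real system):
HOST_FLAGS="fpu vme de pse msr pae sse2 ht spec_ctrl ibpb"     # host with new microcode
GUEST_FLAGS="fpu vme de pse msr pae sse2 ht hypervisor"        # guest, flags not propagated
CMDLINE_OK="BOOT_IMAGE=/vmlinuz ro quiet"
CMDLINE_OFF="BOOT_IMAGE=/vmlinuz ro quiet nopti noibrs"
DMESG_ON="[    0.000000] Kernel/User page tables isolation: enabled"
DMESG_OFF="[    0.000000] Kernel/User page tables isolation: disabled"

if [ "${1:-}" = live ]; then
    live_report
else
    echo "host    v2=$(variant2_status "$HOST_FLAGS" "$CMDLINE_OK")  v3=$(variant3_status "$DMESG_ON" "$CMDLINE_OK")"
    echo "guest   v2=$(variant2_status "$GUEST_FLAGS" "$CMDLINE_OK") v3=$(variant3_status "$DMESG_OFF" "$CMDLINE_OK")"
    echo "opt-out v2=$(variant2_status "$HOST_FLAGS" "$CMDLINE_OFF") v3=$(variant3_status "$DMESG_ON" "$CMDLINE_OFF")"
fi
```

Run it with no arguments to see the three constructed cases, or with `live` to apply the same checks to the machine it runs on. The practical point for a VM is the "guest" row: the guest kernel can carry every patch and still report vulnerable-nohw until the hypervisor exposes the new CPU features to it, and the guest's own PTI line has to be read from the guest's dmesg, not the host's. On kernels that provide /sys/devices/system/cpu/vulnerabilities/, the files there are the kernel's own verdict and take precedence over any external script.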

Post details: added Apr 3 2018, locked May 9 2018, 1 comment.