HPESBHF03805 rev.15 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure

TBCS IT announces the following HPE Support Alert: 

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03805en_us

Version: 1

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2018-01-05

Last Updated: 2018-03-01


Potential Security Impact: Local: Disclosure of Information, Elevation of Privilege

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

On January 3, 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may affect the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigating and resolving them may require both an operating system update, provided by the OS vendor, and a System ROM update from HPE.

References:
  • CVE-2017-5715 - aka Spectre, branch target injection (Variant 2)
  • CVE-2017-5753 - aka Spectre, bounds check bypass (Variant 1)
  • CVE-2017-5754 - aka Meltdown, rogue data cache load, memory access permission check performed after kernel memory read (Variant 3)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE ProLiant DL120 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant DL160 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant DL180 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant DL360 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant DL380 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant DL385 Gen10 Server - prior to v1.04 (1/5/2018)
  • HPE ProLiant DL560 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant DL580 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant ML110 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant ML350 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE Synergy 480 Gen10 Compute Module - prior to v1.32 (02/01/2018)
  • HPE Synergy 660 Gen10 Compute Module - prior to v1.32 (02/01/2018)
  • HPE ProLiant BL460c Gen10 Server Blade - prior to v1.32 (02/01/2018)
  • HPE ProLiant XL170r Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant XL190r Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant XL230k Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE ProLiant XL450 Gen10 Server - prior to v1.32 (02/01/2018)
  • HPE Cloudline CL2100 Gen10 Server - All currently delivered versions
  • HPE Cloudline CL2200 Gen10 Server - All currently delivered versions
  • HPE Cloudline CL3150 Gen10 Server - Prior to v4.3.0.0 (1/31/2018)
  • HPE ProLiant XL170r Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL190r Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL230a Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL250a Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL260a Gen9 Server - All currently delivered versions
  • HPE ProLiant XL270d Gen9 Accelerator Tray 2U Configure-to-order Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL450 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL730f Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL740f Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant XL750f Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant DL20 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HP ProLiant DL80 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HP ProLiant DL120 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HP ProLiant DL160 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant DL180 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant DL360 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HP ProLiant DL380 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant DL560 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant DL580 Gen9 Server - All currently delivered versions
  • HPE Apollo 4200 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HP ProLiant BL460c Gen9 Server Blade - Prior to v2.56 (01/22/2018)
  • HP ProLiant BL660c Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant ML30 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HP ProLiant ML110 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HP ProLiant ML150 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE ProLiant ML350 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE Synergy 660 Gen9 Compute Module - Prior to v2.56 (01/22/2018)
  • HPE Synergy 480 Gen9 Compute Module - Prior to v2.56 (01/22/2018)
  • HPE Synergy 620 Gen9 Compute Module - All currently delivered versions
  • HPE Synergy 680 Gen9 Compute Module - All currently delivered versions
  • HPE ProLiant WS460c Gen9 Workstation - Prior to v2.56 (01/22/2018)
  • HPE ProLiant m510 Server Cartridge - All currently delivered versions
  • HPE ProLiant m710p Server Cartridge - Prior to v01/22/2018
  • HPE ProLiant m710x Server Cartridge - Prior to v1.64 (01/22/2018)
  • HP ProLiant m710 Server Cartridge - Prior to v01/22/2018
  • HP ProLiant XL220a Gen8 v2 Server - Prior to v01/22/2018
  • HP ProLiant DL980 G7 Server - All currently delivered versions
  • HPE ProLiant Thin Micro TM200 Server - All currently delivered versions
  • HPE ProLiant m350 Server Cartridge - All currently delivered versions
  • HPE ProLiant m300 Server Cartridge - All currently delivered versions
  • HPE ProLiant MicroServer Gen8 - All currently delivered versions
  • HPE ProLiant ML310e Gen8 v2 Server - Prior to v01/22/2018
  • HPE Superdome Flex Server - All currently delivered versions
  • HPE Integrity Superdome X with BL920s Gen9 Server Blade - Apply OS patches, but do not apply the firmware update yet
  • HP 3PAR StoreServ File Controller - To be determined (v3 impacted)
  • HPE StoreVirtual 3000 File Controller - To be determined
  • HPE StoreEasy 1450 Storage - To be determined
  • HPE StoreEasy 1550 Storage - To be determined
  • HPE StoreEasy 1650 Storage - To be determined
  • HPE StoreEasy 1650E Storage - To be determined
  • HPE StoreEasy 3850 Gateway Storage - To be determined
  • HPE StoreEasy 1850 Storage - To be determined
  • HP ConvergedSystem 700 - All currently delivered versions
  • HPE Converged Architecture 700 - All currently delivered versions
  • HP ProLiant DL580 Gen8 Server - All currently delivered versions
  • HPE Cloudline CL5200 G3 Server - All currently delivered versions
  • HPE Cloudline CL3100 G3 Server - All currently delivered versions
  • HPE Cloudline CL2100 G3 807S 8 SFF Configure-to-order Server - All currently delivered versions
  • HPE Cloudline CL2100 G3 407S 4 LFF Configure-to-order Server - All currently delivered versions
  • HPE Cloudline CL2100 G3 806R 8SFF Configure-to-order Server - All currently delivered versions
  • HPE Cloudline CL2200 G3 1211R 12 LFF Configure-to-order Server - All currently delivered versions
  • HP ProLiant BL420c Gen8 Server - All currently delivered versions
  • HP ProLiant ML310e Gen8 Server - All currently delivered versions
  • HP ProLiant DL160 Gen8 Server - All currently delivered versions
  • HPE ProLiant ML350e Gen8 Server - All currently delivered versions
  • HPE ProLiant ML350e Gen8 v2 Server - All currently delivered versions
  • HP ProLiant BL660c Gen8 Server - All currently delivered versions
  • HP ProLiant BL460c Gen8 Server - All currently delivered versions
  • HP ProLiant DL560 Gen8 Server - All currently delivered versions
  • HP ProLiant DL380e Gen8 Server - All currently delivered versions
  • HP ProLiant DL360e Gen8 Server - All currently delivered versions
  • HP ProLiant DL320e Gen8 Server - All currently delivered versions
  • HPE ProLiant DL320e Gen8 v2 Server - Prior to v01/22/2018
  • HP ProLiant ML10 Server - All currently delivered versions
  • HPE ProLiant ML10 v2 Server - Prior to v01/22/2018
  • HP ProLiant ML350p Gen8 Server - All currently delivered versions
  • HPE ProLiant SL210t Gen8 Server - All currently delivered versions
  • HP ProLiant SL270s Gen8 Server - All currently delivered versions
  • HP ProLiant SL250s Gen8 Server - All currently delivered versions
  • HP ProLiant SL230s Gen8 Server - All currently delivered versions
  • HPE ProLiant SL4540 Gen8 1 Node Server - All currently delivered versions
  • HPE Integrity X NonStop CPUs (x86) - To be determined - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
  • HPE NonStop Cluster I/O Modules (CLIMs) - NonStop customers see Hotstuff HS03372 - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
  • HPE NonStop System Consoles - NonStop customers see Hotstuff HS03369A - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
  • HPE NonStop Virtual TapeServer (VTS) - To be delivered - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
  • HPE NonStop Virtual Tape Repository (VTR) - NonStop customers see Hotstuff HS03371A - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
  • HPE NonStop BackBox Virtual Tape Controller (VTC) - NonStop customers see Hotstuff HS03371A - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
  • HPE ProLiant DL380p Gen8 Server - All currently delivered versions
  • HPE ProLiant DL60 Gen9 Server - Prior to v2.56 (01/22/2018)
  • HPE Moonshot m700 Server Cartridge - All currently delivered versions
  • HPE Moonshot m700p Server Cartridge - All currently delivered versions
  • ProLiant BL465c Gen8 - All currently delivered versions
  • ProLiant DL385 Gen8 - All currently delivered versions
  • Synergy Image Streamer - All currently delivered versions
  • HPE GL20 IoT Gateway - All currently delivered versions
  • HPE GL10 IoT Gateway - All currently delivered versions
  • Big Switch OS - To be determined

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

Reference       V3 Vector                                      V3 Base Score   V2 Vector                       V2 Base Score
CVE-2017-5715   CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N   5.5             (AV:L/AC:M/Au:N/C:C/I:N/A:N)    4.7
CVE-2017-5753   CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N   5.5             (AV:L/AC:M/Au:N/C:C/I:N/A:N)    4.7
CVE-2017-5754   CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N   5.5             (AV:L/AC:M/Au:N/C:C/I:N/A:N)    4.7

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

Intel has granted the microcode update for Skylake-SP processors production status, and as of February 20, 2018, Gen10 System ROM updates containing this microcode are available for download.

Intel has granted the microcode update for Broadwell-EP and Haswell-EP processors production status, and as of February 23, 2018, certain Gen9 and Gen8 System ROM updates containing this microcode are available for download.

On January 11, Intel announced an increased frequency of reboots when using the microcodes it had released to address Variant 2 of the Spectre vulnerability for numerous processors, including Broadwell, Haswell, Skylake, Kaby Lake, Ivy Bridge, and Sandy Bridge. Intel has since identified the root cause and determined that these microcodes may introduce reboots and other unpredictable system behavior. Due to the severity of the potential issues, Intel recommended that customers discontinue their use. Additional information is available from Intel's Security Exploit Newsroom (non-HPE site): https://newsroom.intel.com/press-kits/security-exploits-intel-products/ . HPE aligned with Intel in recommending that customers discontinue use of System ROMs containing the impacted microcodes and revert to earlier System ROM versions.

Following that guidance, all System ROMs containing the impacted microcodes were removed from the HPE Support Site at that time. This affected HPE ProLiant and Synergy Gen9 and Gen8 v2 servers, as well as HPE Superdome servers, for which updated System ROMs had previously been made available. Intel has been working on updated microcodes to address these issues; HPE validates System ROMs containing the updated microcodes and makes them available as that validation completes (the Gen10 and certain Gen9 and Gen8 releases noted above are the result of that process).

Mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown) require only OS updates and are not affected by the microcode issue.

  • HPE has published a customer bulletin (https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us) with specific instructions for obtaining the updated System ROM.

  • NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.

  • Note:

    • CVE-2017-5715 (Variant 2) requires both a System ROM update and a vendor-supplied operating system update.
    • CVE-2017-5753 and CVE-2017-5754 (Variants 1 and 3) require only a vendor-supplied operating system update.
    • HPE will continue to add products to the list.
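
The two rules in the note above (Variant 2 needs both a System ROM and an OS update; Variants 1 and 3 need only the OS update), together with the "prior to vX.YY (date)" thresholds in the impacted-versions list, can be turned into a host-side check. The following Python script is an added example and is not part of the HPE bulletin. It assumes a Linux host whose kernel exposes the standard /sys/devices/system/cpu/vulnerabilities/{spectre_v1,spectre_v2,meltdown} files (a kernel without them is treated as unpatched), and that the DMI bios_version string follows HPE's usual "P89 v2.42 (04/25/2017)" shape. Only a handful of rows from the list above are copied into the MIN_ROM table, and the sample host data at the bottom is constructed.

```python
"""Added example (not HPE's code): check a Linux host against HPESBHF03805.

Reads the kernel's speculative-execution mitigation status from sysfs and the
System ROM (BIOS) version/date from DMI, then reports which of the three CVEs
still needs action under the bulletin's rules:
  - CVE-2017-5715 (Variant 2): System ROM update AND OS update
  - CVE-2017-5753 / CVE-2017-5754 (Variants 1, 3): OS update only
"""
import os
import re
from datetime import date

SYSFS_VULN = "/sys/devices/system/cpu/vulnerabilities"
DMI_DIR = "/sys/class/dmi/id"

# Minimum fixed System ROM (version, date) per product, copied from the
# bulletin's impacted-versions list; only a few rows are included here.
MIN_ROM = {
    "ProLiant DL360 Gen10": ("1.32", date(2018, 2, 1)),
    "ProLiant DL380 Gen10": ("1.32", date(2018, 2, 1)),
    "ProLiant DL385 Gen10": ("1.04", date(2018, 1, 5)),
    "ProLiant DL360 Gen9": ("2.56", date(2018, 1, 22)),
    "ProLiant DL380 Gen9": ("2.56", date(2018, 1, 22)),
    "ProLiant BL460c Gen9": ("2.56", date(2018, 1, 22)),
}

# CVE -> (kernel sysfs file, does the bulletin also require a System ROM update?)
VARIANTS = {
    "CVE-2017-5753": ("spectre_v1", False),  # Variant 1: OS update only
    "CVE-2017-5715": ("spectre_v2", True),   # Variant 2: OS update + System ROM
    "CVE-2017-5754": ("meltdown", False),    # Variant 3: OS update only
}


def parse_rom(bios_version, bios_date):
    """Turn an HPE DMI string such as 'P89 v2.42 (04/25/2017)' plus the DMI
    bios_date 'MM/DD/YYYY' into ((major, minor), date). Format is assumed."""
    m = re.search(r"\bv(\d+)\.(\d+)", bios_version)
    if not m:
        raise ValueError("no vN.NN version in %r" % bios_version)
    mm, dd, yyyy = (int(x) for x in bios_date.split("/"))
    return (int(m.group(1)), int(m.group(2))), date(yyyy, mm, dd)


def rom_is_fixed(product_name, bios_version, bios_date):
    """True if the System ROM meets the bulletin's minimum for this product,
    False if it is 'prior to' the fix, None if the product is not in MIN_ROM."""
    key = product_name.replace("HPE ", "").replace("HP ", "").strip()
    if key not in MIN_ROM:
        return None
    min_ver, min_date = MIN_ROM[key]
    want = tuple(int(x) for x in min_ver.split("."))
    have, have_date = parse_rom(bios_version, bios_date)
    # Version number decides; the build date is only a tiebreak for equal numbers.
    return have > want or (have == want and have_date >= min_date)


def os_mitigated(status_line):
    """Interpret one sysfs vulnerabilities file: 'Not affected' and
    'Mitigation: ...' count as mitigated, 'Vulnerable...' does not."""
    s = status_line.strip()
    return s == "Not affected" or s.startswith("Mitigation:")


def assess(product_name, bios_version, bios_date, vuln_status):
    """Return {cve: [actions still required]}; vuln_status maps sysfs file
    name -> its contents. An empty list means no action per the bulletin."""
    todo = {}
    rom_ok = rom_is_fixed(product_name, bios_version, bios_date)
    for cve, (sysfs_name, needs_rom) in VARIANTS.items():
        actions = []
        if not os_mitigated(vuln_status.get(sysfs_name, "Vulnerable")):
            actions.append("OS update")
        if needs_rom and rom_ok is False:
            actions.append("System ROM update")
        elif needs_rom and rom_ok is None:
            actions.append("System ROM: product not in table, check bulletin")
        todo[cve] = actions
    return todo


def read_live():
    """Collect the same inputs from the running host (no root needed).
    A kernel that lacks the sysfs files predates the mitigations, so each
    missing file is treated as 'Vulnerable'."""
    def slurp(path):
        with open(path) as f:
            return f.read().strip()
    vuln = {}
    for name in ("spectre_v1", "spectre_v2", "meltdown"):
        p = os.path.join(SYSFS_VULN, name)
        vuln[name] = slurp(p) if os.path.exists(p) else "Vulnerable"
    return (slurp(os.path.join(DMI_DIR, "product_name")),
            slurp(os.path.join(DMI_DIR, "bios_version")),
            slurp(os.path.join(DMI_DIR, "bios_date")), vuln)


# Constructed sample: a DL380 Gen9 still on a 2017 ROM, with a kernel that
# reports all three variants mitigated (retpoline for spectre_v2, no microcode).
SAMPLE_DMI = ("ProLiant DL380 Gen9", "P89 v2.42 (04/25/2017)", "04/25/2017")
SAMPLE_VULN = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
    "meltdown": "Mitigation: PTI",
}

if __name__ == "__main__":
    try:
        product, ver, built, vuln = read_live()
    except OSError:  # not a Linux host with sysfs/DMI: fall back to the sample
        product, ver, built, vuln = SAMPLE_DMI + (SAMPLE_VULN,)
    for cve, actions in assess(product, ver, built, vuln).items():
        print(cve, "->", ", ".join(actions) or "no action per bulletin")
```

The constructed sample reproduces the case the bulletin's note is about: the kernel reports spectre_v2 as mitigated (retpoline), yet Variant 2 is still open because the System ROM predates the fixed version, so the script lists only "System ROM update" for CVE-2017-5715 and nothing for Variants 1 and 3.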
HISTORY 
  • Version:1 (rev.1) - 4 January 2018 Initial release
  • Version:2 (rev.2) - 5 January 2018 Added additional impacted products
  • Version:3 (rev.3) - 10 January 2018 Added more impacted products
  • Version:4 (rev.4) - 9 January 2018 Fixed product ID
  • Version:5 (rev.5) - 18 January 2018 Added additional impacted products
  • Version:6 (rev.6) - 19 January 2018 updated impacted product list
  • Version:7 (rev.7) - 23 January 2018 Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues
  • Version:8 (rev.8) - 24 January 2018 Added additional impacted products
  • Version:9 (rev.9) - 25 January 2018 Added additional impacted products
  • Version:10 (rev.10) - 25 January 2018 Added additional impacted products, adjusted CVSS score
  • Version:11 (rev.11) - 1 February 2018 Added additional impacted products
  • Version:12 (rev.12) - 13 February 2018 Updated NonStop Product information
  • Version:13 (rev.13) - 16 February 2018 Removed not impacted product
  • Version:14 (rev.14) - 22 February 2018 Updated Gen10 products (for Intel Skylake-SP) with released System Rom
  • Version:15 (rev.15) - 1 March 2018 Updated certain Gen9, and Gen8 products, corrected CVSS vectors

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email:http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here:http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software 
GN = HP General Software
HF = HP Hardware and Firmware 
MU = Multi-Platform Software 
NS = NonStop Servers 
OV = OpenVMS 
PV = ProCurve 
ST = Storage Software 
UX = HP-UX

©Copyright 2018 Hewlett Packard Enterprise Company, L.P.