If you are running your workload on Oracle Cloud (Compute, Databases), read this blog in full and apply the patches as recommended.
Intel has recently disclosed a set of vulnerabilities in its processors, which it has named Microarchitectural Data Sampling (MDS). Because of them, Intel CPUs may allow information disclosure: malicious code running on the system could use them to read data it is not authorised to see.
This post covers what you must know about the Microarchitectural Data Sampling (MDS) vulnerabilities and what Oracle recommends to mitigate them.
What is Microarchitectural Data Sampling (MDS) Vulnerability?
They are called Microarchitectural Data Sampling issues (MDS issues) because they affect microarchitectural structures of Intel processors other than the level 1 data cache (the store buffers, load ports and fill buffers named in the CVEs below). Malicious code running on the system can sample data left in these structures. Intel has rated the vulnerabilities as medium severity.
These vulnerabilities have received the following CVE identifiers (CVE, the Common Vulnerabilities and Exposures system, is a reference method for publicly known information security vulnerabilities and exposures):
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
- CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2019-11091 has received a CVSS (Common Vulnerability Scoring System) Base Score of 3.8; the other three vulnerabilities have all been rated with a CVSS Base Score of 6.5.
Oracle's Recommendations for the Intel Microarchitectural Data Sampling (MDS) Vulnerabilities
- Oracle advises administrators of x86-based systems to carefully analyze the impact of MDS on their systems and accordingly implement all the security mitigations, such as applying the OS patches released for these vulnerabilities.
- If you are using an Oracle Engineered System such as Exadata Machine, Database Appliance, SuperCluster, etc., Oracle will provide specific guidance for it.
Oracle Operating Systems (Linux and Solaris) and Virtualization
- If you are using Oracle Linux 7, Oracle Linux 6, or Oracle VM Server for x86, immediately apply the OS patches Oracle has released for these vulnerabilities. In addition, run the current version of the Intel microcode to mitigate these issues (# yum update microcode_ctl).
- The required versions of the microcode_ctl RPMs are: Oracle Linux 7: microcode_ctl 2.1-47.0.4; Oracle Linux 6: microcode_ctl 1.17-1002.
- Oracle Linux customers can use Oracle Ksplice to patch the OS with zero downtime. To know more, check here.
- Oracle Solaris on x86 is affected by these vulnerabilities. For more information, see Doc ID 2540621.1.
- If you are running your workload on Oracle Solaris on SPARC, no action is required from your end, as SPARC is not affected by these vulnerabilities.
- If you are using Oracle Autonomous Database (ATP & ADW), no action is required for these vulnerabilities. To know more about Autonomous Database, check here.
- If you are using Bare Metal instances with your own virtualization stack on top of them, review Intel's recommendations about the MDS vulnerabilities and make the recommended changes to your configuration.
- If you are using VM instances, patch the OS with the latest security patches released by Oracle. To know how to patch, check here.
- For zero-downtime patching in Oracle Cloud, you can use Oracle Ksplice; it is available only for Oracle Linux images. To know how to configure it, check here.
- Note: If you are using a third-party OS, reach out to its vendor for patches for these vulnerabilities.
- If you are running your DB System on a Virtual Machine or Bare Metal, apply the latest OS patches. To know how to apply the OS patch to a DB System, check here.
- For Exadata DB systems, apply the OS patches following the instructions in Updating an Exadata DB System.
- If you are using Oracle Cloud Infrastructure Classic or Oracle Platform Services on Oracle Cloud Infrastructure Classic, Oracle will perform mandatory maintenance for Infrastructure and Platform Services on Oracle Cloud Infrastructure Classic, so no action is required on your part.
Steps to Install OS Security Patches for the MDS Vulnerabilities on Bare Metal & VM Instances (with Downtime)
Step 1: Install the latest microcode released by Intel
# sudo yum update microcode_ctl
The required versions of the microcode_ctl RPMs are:
- Oracle Linux 7: microcode_ctl 2.1-47.0.4
- Oracle Linux 6: microcode_ctl 1.17-1002
Step 2: To install the latest security patches, first install the yum-plugin-security package by running the following command:
Note: the yum-plugin-security package lets you use yum to obtain a list of all errata available for your system, including security updates.
# sudo yum install yum-plugin-security
Step 3: Use the --cve option to display the errata that correspond to a specified CVE, and to install the required packages, by running the following commands:
# sudo yum updateinfo list --cve CVE-####-#####
# sudo yum update --cve CVE-####-####
As Intel has identified four different vulnerabilities, the commands are as follows:
To list the RPMs for each vulnerability:
sudo yum updateinfo list --cve CVE-2019-11091
sudo yum updateinfo list --cve CVE-2018-12126
sudo yum updateinfo list --cve CVE-2018-12127
sudo yum updateinfo list --cve CVE-2018-12130
To update the RPMs for each vulnerability:
sudo yum update --cve CVE-2019-11091
sudo yum update --cve CVE-2018-12126
sudo yum update --cve CVE-2018-12127
sudo yum update --cve CVE-2018-12130
A system reboot is required once the packages are applied.
To know how to apply OS patches on Oracle Linux images using Ksplice without downtime, check here.
Step 4: After the system reboots, ensure that the following file is populated:
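To tie steps 1 to 4 together, here is an added shell script of my own; it is not code from the post or from Oracle. It generates the per-CVE yum commands for the four MDS CVEs, runs steps 1 to 3 only when invoked with an assumed --apply flag, and classifies the post-reboot mitigation status. The post does not name the file to check in step 4; the script assumes it is the kernel's /sys/devices/system/cpu/vulnerabilities/mds entry, which Linux kernels carrying the MDS mitigations use to report their status, and the sample status strings in the comments are constructed in that file's wording. The interesting failure mode it catches is the "Clear CPU buffers attempted, no microcode" case, where the OS patches from step 3 are in place but the microcode from step 1 is missing, so the system is still reported as vulnerable.

```shell
#!/bin/sh
# Added example (not from the post): MDS patch helper for Oracle Linux 6/7.
# Assumptions: yum with yum-plugin-security, sudo, and the Linux sysfs
# mitigation status file (the post does not name the file checked in step 4).

# The four MDS CVEs listed in the post.
MDS_CVES="CVE-2019-11091 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130"

# Required microcode_ctl version per Oracle Linux major release (from the post).
mds_required_microcode_ctl() {
  case "$1" in
    7) echo "2.1-47.0.4" ;;
    6) echo "1.17-1002" ;;
    *) echo "unknown Oracle Linux release: $1" >&2; return 1 ;;
  esac
}

# Print one yum command per CVE; phase is "list" (show errata) or "update".
mds_yum_commands() {
  phase="$1"
  for cve in $MDS_CVES; do
    case "$phase" in
      list)   printf 'yum updateinfo list --cve %s\n' "$cve" ;;
      update) printf 'yum update -y --cve %s\n' "$cve" ;;
      *)      echo "unknown phase: $phase" >&2; return 1 ;;
    esac
  done
}

# Classify the kernel's MDS status line. Prints a label and returns
# 0 = mitigated or not affected, 1 = still vulnerable, 2 = unrecognised.
# Constructed examples of the kernel's wording:
#   "Not affected"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
#   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
mds_status_class() {
  case "$1" in
    "Not affected"*) echo "not-affected"; return 0 ;;
    "Mitigation:"*)  echo "mitigated";    return 0 ;;
    "Vulnerable"*)   echo "vulnerable";   return 1 ;;
    *)               echo "unknown";      return 2 ;;
  esac
}

# Step 4 check: read the sysfs status file (path overridable for testing).
mds_check_sysfs() {
  f="${1:-/sys/devices/system/cpu/vulnerabilities/mds}"
  if [ ! -r "$f" ]; then
    echo "unknown"
    echo "cannot read $f: kernel without MDS reporting, or not Linux" >&2
    return 2
  fi
  mds_status_class "$(cat "$f")"
}

# Steps 1-3 end to end; runs only when the script is invoked with --apply.
# $cmd is deliberately unquoted so the generated command line is word-split.
mds_apply() {
  set -e
  sudo yum update -y microcode_ctl          # step 1: Intel microcode
  sudo yum install -y yum-plugin-security   # step 2: errata support in yum
  mds_yum_commands list   | while read -r cmd; do sudo $cmd; done   # step 3a
  mds_yum_commands update | while read -r cmd; do sudo $cmd; done   # step 3b
  echo "Packages applied; reboot, then run: $0 --check"
}

case "${1:-}" in
  --apply) mds_apply ;;
  --check) mds_check_sysfs ;;
esac
```

Run it as `sh mds-patch.sh --apply` on the instance, reboot, then `sh mds-patch.sh --check`; a non-zero exit from the check means the mitigation is not in effect. The "SMT vulnerable" suffix the kernel may append is reported as mitigated by this classifier because the buffers are being cleared; whether to also disable hyperthreading is a separate decision that the post leaves to Intel's guidance.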
I hope you find this blog useful. Make sure you update and apply all the security patches as recommended to mitigate the Microarchitectural Data Sampling (MDS) vulnerabilities, and comment on the blog to let us know if you have any query regarding these vulnerabilities.
- Intel Processor MDS Vulnerabilities: CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127
- Microarchitectural Data Sampling Advisory
- Intel MDS Vulnerabilities: CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127: Intel Processor Microcode Availability (Doc ID 2540606.1)
- Intel MDS (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127) Vulnerabilities in Oracle x86 Servers (Doc ID 2540621.1)
- Intel MDS Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, & CVE-2019-11091): Oracle Solaris Impact (Doc ID 2540522.1)
- Oracle Cloud Security Response to Intel Microarchitectural Data Sampling (MDS) Vulnerabilities
- Oracle Cloud Infrastructure Customer Advisory for MDS Impact on the Compute Service
- Oracle Cloud Infrastructure Customer Advisory for MDS Impact on the Database Service
- Autonomous Database
- Compute (Bare Metal & VM)
- [Video] Create Compute (Linux/Windows Machine) On Oracle Cloud (OCI)
- Databases In Oracle Cloud Infrastructure
If you want to take your career to the next level by becoming an Oracle Certified Cloud Architect Associate, even if you are a beginner, I would like to invite you to join my FREE Masterclass on How To Become Oracle Certified Cloud Architect Associate in 8 Weeks.