Oracle Cloud Infrastructure Customer Advisory for L1TF Impact on the Compute Service
Intel disclosed a set of speculative execution side-channel processor vulnerabilities affecting their processors. For more information, see Vulnerability Note VU#584653. These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received the following CVE identifiers:
- CVE-2018-3615, which impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.
- CVE-2018-3620, which impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.
- CVE-2018-3646, which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.
See the Oracle Cloud Security Response to Intel L1TF Vulnerabilities for more information.
Oracle has deployed technical mitigations across Oracle Cloud Infrastructure systems designed to prevent a malicious attacker's virtual machine (VM) instance from accessing data from other VM instances.
You should be aware that the vulnerability CVE-2018-3620 could enable a rogue user-mode process to read privileged kernel memory within the same operating system (OS). As a result, you are advised to keep up with OS security patches to address this vulnerability. See Protecting your Compute Instance Against the L1TF Vulnerability for instructions to patch the OS on the instances you manage.
Additional Guidance for Oracle Cloud Infrastructure Bare Metal Instances
Bare metal instances in Oracle Cloud Infrastructure offer you full control of a physical server. Oracle Cloud Infrastructure's network virtualization is designed and configured to protect these instances from unauthorized access by other instances on the Oracle Cloud Infrastructure network, including other customer instances, both VM instances and other bare metal instances.
If you're running your own virtualization stack or hypervisors on bare metal instances, the L1TF vulnerability allows a virtual machine to access privileged information from the underlying hypervisor or other VMs on the same bare metal instance. You should review the Intel recommendations about vulnerabilities CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646, and make changes to your configurations as you deem appropriate.
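As an added example, not part of this advisory or of Oracle's tooling, the POSIX shell check below classifies the L1TF status that a patched Linux kernel reports, covering both the OS-patch guidance for CVE-2018-3620 and the self-hosted hypervisor case for CVE-2018-3646 on bare metal. It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/l1tf and uses the report strings documented in the kernel's l1tf admin guide.

```shell
#!/bin/sh
# Added example, not Oracle's own tooling: classify a Linux instance's L1TF
# state from the kernel's sysfs report (present on kernels carrying the L1TF
# patches; the strings follow Documentation/admin-guide/hw-vuln/l1tf.rst).
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# l1tf_classify STATUS_LINE -> prints one of:
#   not-affected        CPU not subject to L1TF
#   mitigated           PTE inversion active, no hypervisor exposure reported
#   host-smt-exposed    host L1D flush on but SMT siblings still shared
#                       (the CVE-2018-3646 case when you run your own VMs)
#   host-l1d-flush-off  hypervisor L1D flush disabled ("VMX: vulnerable")
#   vulnerable          affected CPU with no mitigation; unknown otherwise
l1tf_classify() {
    case "$1" in
        "Not affected"*)                echo not-affected ;;
        Mitigation:*"VMX: vulnerable"*) echo host-l1d-flush-off ;;
        Mitigation:*"SMT vulnerable"*)  echo host-smt-exposed ;;
        Mitigation:*)                   echo mitigated ;;
        Vulnerable*)                    echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# l1tf_check_host: classify the running kernel; a missing sysfs file means
# the kernel predates the L1TF patches, so report unknown and patch.
l1tf_check_host() {
    if [ -r "$L1TF_SYSFS" ]; then
        l1tf_classify "$(cat "$L1TF_SYSFS")"
    else
        echo unknown
    fi
}
# l1tf_exit_code STATUS_LINE: 0 when the OS itself is covered, 2 when the OS
# is patched but a self-hosted hypervisor on bare metal is still exposed,
# 1 otherwise; usable as a fleet-wide check over SSH.
l1tf_exit_code() {
    case "$(l1tf_classify "$1")" in
        not-affected|mitigated)              return 0 ;;
        host-smt-exposed|host-l1d-flush-off) return 2 ;;
        *)                                   return 1 ;;
    esac
}
# Constructed sample reports (not captured from real hosts) for a dry run.
for sample in "Not affected" "Mitigation: PTE Inversion" \
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"; do
    printf '%s -> %s\n' "$sample" "$(l1tf_classify "$sample")"
done
printf 'this host -> %s\n' "$(l1tf_check_host)"
```

An exit code of 2 on a bare metal host running your own hypervisor is the signal to revisit SMT and L1D flush settings per the Intel guidance; on a plain VM instance only the OS-level result matters.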