Protecting your Compute Instance Against the L1TF Vulnerability
Intel has disclosed a set of speculative execution side-channel vulnerabilities affecting its processors; for more information, see Vulnerability Note VU#584653. These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors and have received the following CVE identifiers:
- CVE-2018-3615, which impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.
- CVE-2018-3620, which impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.
- CVE-2018-3646, which impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1.
See the Oracle Cloud Security Response to Intel L1TF Vulnerabilities for more information.
Recommended Action
Oracle recommends that you patch the operating systems for your existing bare metal and virtual machine (VM) instances, and verify that this includes the patch for the CVE-2018-3620 vulnerability. For VM instances, the Oracle Cloud Infrastructure team has implemented the necessary workarounds designed to mitigate the CVE-2018-3646 vulnerability. For bare metal instances using virtualization technology, you should also follow these instructions to ensure that they are mitigated against the CVE-2018-3646 vulnerability.
If you're running your own virtualization stack or hypervisors on bare metal instances, you should apply the patch for the CVE-2018-3646 vulnerability.
The following sections detail the commands needed to update your running instances created from platform images.
The following platform image releases, and all later releases, include the recommended patches for the L1TF vulnerabilities, so instances created from them need no further L1TF patching.
Protections against the L1TF vulnerabilities are enabled by default in Oracle Autonomous Linux 8, Oracle Linux 8, Oracle Linux Cloud Developer 8, Ubuntu 20.04, and Windows Server 2019.
- Oracle-Autonomous-Linux-7.7-2019.12-0
- Oracle-Linux-7.5-2018.08.14-0
- Oracle-Linux-7.5-Gen2-GPU-2018.08.14-0
- Oracle-Linux-6.10-2018.08.14-0
- CentOS-7-2018.08.15-0
- Canonical-Ubuntu-18.04-2018.08.15-0
- Windows-Server-2016-Standard-Edition-VM-Gen2-2018.08.16-0
- Windows-Server-2016-Datacenter-Edition-BM-Gen2-2018.08.16-0
- Windows-Server-2016-Datacenter-Edition-BM-Gen2-DenseIO-2018.08.16-0
- Windows-Server-2012-R2-Standard-Edition-VM-2018.08.14-0
- Windows-Server-2012-R2-Standard-Edition-VM-Gen2-2018.08.14-0
- Windows-Server-2012-R2-Datacenter-Edition-BM-2018.08.15-0
- Windows-Server-2012-R2-Datacenter-Edition-BM-Gen2-DenseIO-2018.08.15-0
- Windows-Server-2012-R2-Datacenter-Edition-BM-Gen2-2018.08.15-0
For your running instances created from imported custom images, refer to the operating system (OS) vendor's guidance to patch the OS for the L1TF vulnerability.
Patching Oracle Linux Instances
For Oracle Linux, CVE-2018-3620 and CVE-2018-3646 are addressed by the same set of patches.
Bare metal instances must have the latest microcode updates from Intel. This step is not required for VM instances.
To install the latest microcode updates, run the following command:
# sudo yum update microcode_ctl
The installed microcode RPM should be greater than or equal to microcode_ctl-2.1-29.2.0.4.el7_5.x86_64.rpm. This is the version of the microcode package that shipped for the Spectre v3a and Spectre v4 updates, so if you already applied those updates, no additional microcode update is required. In addition to the microcode update, you should also patch your bare metal instances using the following set of instructions.
The yum-plugin-security package allows you to use yum to obtain a list of all of the errata that are available for your system, including security updates. You can also use Oracle Enterprise Manager 12c Cloud Control or management tools such as Katello, Pulp, Red Hat Satellite, Spacewalk, and SUSE Manager to extract and display information about errata.
- To install the yum-plugin-security package, run the following command:
  # sudo yum install yum-plugin-security
  (On Oracle Linux 7, yum already includes this functionality; the separate package is needed on Oracle Linux 6.)
- Use the --cve option to display the errata that correspond to a specified CVE, and then to install the required packages, by running the following commands:
  # sudo yum updateinfo list --cve CVE-2018-3620
  # sudo yum update --cve CVE-2018-3620
  A system reboot is required once the packages are installed. By default, the boot loader boots the most recently installed kernel. For more information on using yum update, see Installing and Using the Yum Security Plugin.
- After the system reboots, confirm that the running kernel reports the mitigation:
  cat /sys/devices/system/cpu/vulnerabilities/l1tf
  The file exists only on kernels that carry the L1TF patches, and its contents should begin with Mitigation: (for example, Mitigation: PTE Inversion) rather than Vulnerable. On a bare metal instance that runs its own hypervisor, a trailing "SMT vulnerable" means hyperthreading is still enabled, which the kernel's CVE-2018-3646 mitigation does not cover on its own.
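The following script is an added example, not part of the Oracle page or of any Oracle tooling. It ties the three steps above together on a running instance: it compares the installed microcode_ctl version against the minimum named above, asks yum whether any errata for CVE-2018-3620 are still pending, and classifies the kernel's L1TF report from sysfs. The function names ver_ge, l1tf_status and check_host are this example's own, and the sysfs strings used to exercise l1tf_status are constructed to match the kernel's documented wording. The rpm and yum steps are Oracle Linux specific, but the sysfs classification goes beyond that case: it reads the same interface on any Linux kernel carrying the L1TF patches, including the Ubuntu and CentOS images discussed later.

```shell
#!/bin/sh
# Added example (not from the Oracle page): verify the Oracle Linux L1TF
# steps on a running instance. Function names and the sample sysfs strings
# used in testing are this example's own assumptions; the minimum
# microcode_ctl version is the one named in the text above.

MIN_MICROCODE_CTL="2.1-29.2.0.4.el7_5"
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# ver_ge A B: succeed if RPM version-release string A is >= B. Both strings
# are split on runs of non-digits and compared numerically field by field,
# so "el7_5" contributes the fields 7 and 5.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[^0-9]+/); nb = split(b, B, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# l1tf_status PATH: classify the kernel's L1TF report. PATH is a parameter so
# the logic can be run against a constructed file; on a host pass $L1TF_SYSFS.
#   missing        file absent: this kernel predates the L1TF patches
#   vulnerable     kernel knows about L1TF but reports "Vulnerable"
#   mitigated-smt  PTE inversion is active but the hypervisor-side report says
#                  "SMT vulnerable": matters only if this host runs its own VMs
#   mitigated      "Mitigation:" with no SMT warning
#   not-affected   the CPU is not subject to L1TF
l1tf_status() {
    if [ ! -r "$1" ]; then echo missing; return 0; fi
    case "$(cat "$1")" in
        "Not affected"*)               echo not-affected ;;
        Vulnerable*)                   echo vulnerable ;;
        Mitigation:*"SMT vulnerable"*) echo mitigated-smt ;;
        Mitigation:*)                  echo mitigated ;;
        *)                             echo unknown ;;
    esac
}

# check_host: run the three checks from the procedure on this instance.
# Returns non-zero if anything still needs action.
check_host() {
    rc=0
    # 1. Bare metal only: microcode_ctl must be at or above the minimum version.
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' microcode_ctl 2>/dev/null) || have=""
    if [ -n "$have" ] && ver_ge "$have" "$MIN_MICROCODE_CTL"; then
        echo "microcode_ctl $have: ok"
    else
        echo "microcode_ctl ${have:-not installed}: below $MIN_MICROCODE_CTL; run: sudo yum update microcode_ctl"
        rc=1
    fi
    # 2. Any errata still listed for the CVE means the kernel fix is not installed.
    pending=$(yum -q updateinfo list --cve CVE-2018-3620 2>/dev/null)
    if [ -n "$pending" ]; then
        echo "errata pending for CVE-2018-3620 (run: sudo yum update --cve CVE-2018-3620):"
        echo "$pending"
        rc=1
    fi
    # 3. The running kernel's own verdict, which also confirms the reboot happened.
    status=$(l1tf_status "$L1TF_SYSFS")
    echo "l1tf: $status ($(cat "$L1TF_SYSFS" 2>/dev/null || echo "file absent"))"
    case "$status" in
        mitigated|not-affected) ;;
        mitigated-smt) echo "note: SMT is enabled; relevant only if this host runs its own VMs" ;;
        *) rc=1 ;;
    esac
    return $rc
}

# Run the host checks only when invoked as: sh l1tf_check.sh host
if [ "${1:-}" = host ]; then check_host; fi
```

Run it with the `host` argument after the reboot; a zero exit status means all three checks passed. The mitigated-smt case is deliberately a note rather than a failure, because a plain OS host is fully covered by PTE inversion and only a bare metal instance running its own hypervisor needs to act on SMT.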
Patching Windows Instances
Protecting New Windows VM and Bare Metal Instances
When you create a new VM or bare metal instance based on the latest Windows platform images, the image includes the Microsoft-recommended patches to protect against the L1TF vulnerability. Windows bare metal instances also include the latest microcode updates from Intel.
No further action is required from you to protect your new Windows-based VM or bare metal instances from the L1TF vulnerability. You should ensure that you keep your instances updated with the latest patches as recommended by your OS vendor.
Protecting Existing Windows VM and Bare Metal Instances
Bare metal instances launched before the Windows platform images were updated must have the latest microcode updates from Intel. You need to recycle your Windows bare metal instances in order to receive the latest Intel microcode update. This step is not required for VM instances.
- Create a new custom image of your Windows bare metal instance. See Creating Windows Custom Images for more information.
- Terminate your existing Windows bare metal instance.
- Open the navigation menu and click Compute. Under Compute, click Custom Images. Find the custom image you want to use.
- Click the , and then click Create Instance.
- Provide additional launch options as described in Creating an Instance.
Once you have completed these steps, perform the steps in the next procedure to update the instance with the latest OS updates from Microsoft.
Windows images include the Windows Update utility, which you can run to get the latest Windows updates from Microsoft. You have to configure the security list on the subnet on which the instance is running to allow instances to access Windows update servers. See OS Update for Windows Images and Security Lists for more information.
- Verify that you have installed the latest Windows OS security update from Microsoft.
- If automatic updates are turned on, the updates should be delivered to the instance automatically.
- To manually check for the latest update, select Start, then Settings, select Update & security, and then select Windows Update. In Windows Update, click Check for updates.
- When you turn on automatic updates, this update is downloaded and installed automatically. For more information about how to turn on automatic updates, see Windows Update: FAQ.
- For additional details, see Windows Server guidance to protect against L1 terminal fault.
Patching Ubuntu or CentOS Instances
When you create a new VM or bare metal instance based on the latest Ubuntu or CentOS platform images, the image includes the recommended patches to protect against the L1TF vulnerability. For more information, see L1 Terminal Fault (L1TF) and L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646.
For existing VM or bare metal instances, follow the guidance provided by the OS vendor for patching systems. As on Oracle Linux, a patched kernel reports its status in /sys/devices/system/cpu/vulnerabilities/l1tf, which should begin with Mitigation: rather than Vulnerable.