Operational Defect Database


Hewlett Packard Enterprise | hpesbhf03805en_us

HPESBHF03805 rev.24 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

Last update date:

1/7/2024

Affected products:

HPE Apollo 2000 System

HPE Cloudline CL2100 G3 Server

HPE Cloudline CL2100 Gen10 Server

HPE Cloudline CL2200 G3 Server

HPE Cloudline CL2200 Gen10 Server

HPE Cloudline CL3100 Gen9 Server

HPE Cloudline CL3150 Gen10 Server

HPE Cloudline CL5200 Gen9 Server

HPE GL10 IoT Gateway

HPE GL20 IoT Gateway

HPE Integrity MC990 X Server

HPE Integrity NonStop X NS7 X1 System

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

Document ID: hpesbhf03805en_us
Version: 24
HPESBHF03805 rev.24 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2018-01-04
Last Updated: 2020-05-05
Potential Security Impact: Local: Disclosure of Information, Elevation of Privilege
Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

On January 3 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE.

Note: This issue takes advantage of techniques commonly used in many modern processor architectures. For further information, microprocessor vendors have provided security advisories:

Intel: https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&languageid=en-fr
AMD: http://www.amd.com/en/corporate/speculative-execution
ARM: https://developer.arm.com/support/security-update

Update: On July 10th, 2018 Intel updated security advisory INTEL-OSS-10002 and spoke about CVE-2018-3693, Bounds Check Bypass Store. This vulnerability (AKA Spectre 1.1) is similar to Spectre variant 1. In addition, other similar vulnerabilities continue to be disclosed. Researchers continue to study and report research about the Spectre problems: Spectre 1.2, SpectreRSB, NetSpectre.

References:

CVE-2017-5715 - aka Spectre, branch target injection (Variant 2), SpectreRSB
CVE-2018-3693 - aka Bounds Check Bypass on Stores, Variant 1.1
CVE-2017-5753 - aka Bounds Check Bypass, Spectre Variant 1, Variant 1.2, NetSpectre
CVE-2017-5754 - aka Meltdown, rogue data cache load, memory access permission check performed after kernel memory read (Variant 3)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE ProLiant DL120 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant DL160 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant DL180 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant DL360 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant DL380 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant DL385 Gen10 Server - Prior to 1.06_02-01-2018 (19 Mar 2018)
HPE ProLiant DL560 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant DL580 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant ML110 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE Synergy 480 Gen10 Compute Module - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE Synergy 660 Gen10 Compute Module - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant BL460c Gen10 Server Blade - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE Apollo 2000 System - Prior to 1.32_02-01-2018 (16 Feb 2018) - Includes System ROM Flash Binary and RESTful API BIOS Schemas
HPE Apollo 4500 System - Prior to 1.32_02-01-2018 (16 Feb 2018) - Includes System ROM Flash Binary and RESTful API BIOS
HPE ProLiant XL230k Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant XL450 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE Cloudline CL2100 Gen10 Server - Prior to 1.0.5.1 (6 Mar 2018)
HPE Cloudline CL2200 Gen10 Server - Prior to 1.0.5.1 (6 Mar 2018)
HPE Cloudline CL3150 Gen10 Server (AMD) - Prior to 4.3.0.0 (31 Jan 2018)
HPE ProLiant XL170r Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant XL190r Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant XL250a Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant XL260a Gen9 Server - Prior to 1.60_01-22-2018 (26 Feb 2018)
HPE ProLiant XL270d Gen9 Accelerator Tray 2U Configure-to-order Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant XL450 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant XL740f Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant XL750f Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL20 Gen9 Server - Prior to 2.56_01-22-2018 (27 Feb 2018)
HPE ProLiant DL60 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL80 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL360 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL560 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL580 Gen9 Server - Prior to 2.56_01-22-2018 (2 Mar 2018)
HPE Apollo 4200 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018) - Includes System ROM Flash Binary and RESTful API BIOS Schemas
HPE ProLiant BL460c Gen9 Server Blade - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant BL660c Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant ML150 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant ML110 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant ML30 Gen9 Server - Prior to 2.56_01-22-2018 (27 Feb 2018)
HPE ProLiant ML10 Gen9 Server - Prior to 2018.01.22 (22 Mar 2018)
HPE Synergy 660 Gen9 Compute Module - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE Synergy 480 Gen9 Compute Module - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE Synergy 620 Gen9 Compute Module - Prior to 2.56_01-22-2018 (2 Mar 2018)
HPE Synergy 680 Gen9 Compute Module - Prior to 2.56_01-22-2018 (2 Mar 2018)
HPE ProLiant WS460c Gen9 Graphics Server Blade - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant m510 Server Cartridge - Prior to 1.64_01-22-2018 (27 Feb 2018)
HPE ProLiant m710p Server Cartridge - Prior to 2018.01.22 (24 Feb 2018)
HPE ProLiant m710x Server Blade - Prior to 1.64_01-22-2018 (27 Feb 2018)
HPE ProLiant XL220a Gen8 v2 Server - Prior to 2018.01.22 (23 Feb 2018)
HPE ProLiant Thin Micro TM200 Server - Prior to 2.56_01-22-2018 (27 Feb 2018)
HPE ProLiant m350 Server Cartridge - Prior to 2018.01.22 (27 Feb 2018)
HPE ProLiant m300 Server Cartridge - Prior to 2018.01.22 (27 Feb 2018)
HPE ProLiant MicroServer Gen8 - Prior to 2018.01.22 (5 Mar 2018)
HPE ProLiant ML310e Gen8 v2 Server - Prior to 2018.01.22 (23 Feb 2018)
HPE Superdome Flex Server - Prior to v2.4.98 (03/16/2018)
HPE Integrity Superdome X Server - Prior to 8.8.14 (3 May 2018)
HPE 3PAR StoreServ File Controller - To be determined - v3 impacted
HPE StoreVirtual 3000 File Controller - To be determined
HPE StoreEasy 1450 Storage - To be determined
HPE StoreEasy 1550 Storage - To be determined
HPE StoreEasy 1650 Storage - To be determined
HPE StoreEasy 1650E Storage - To be determined
HPE StoreEasy 3000 Gateway Storage - To be determined
HPE StoreEasy 1850 Storage - To be determined
HPE Converged Architecture 700 - All currently delivered versions
HPE Cloudline CL2100 G3 807S - Prior to DC1F119A (9 Mar 2018) - SKU 811147-B21 or 1A426AP00-600-G
HPE Cloudline CL2100 G3 806R (Broadwell) - Prior to DC1F119A (9 Mar 2018) - SKU 811146-B21 or 1A32YP700-600-G
HPE Cloudline CL2100 G3 407S/807S (Broadwell) - Prior to 4D4C2130 (7 Mar 2018) - SKU 855358-B21 or 1A427PK00-600-G
HPE Cloudline CL2100 G3 807S Duplicate - Prior to 4D4C2130 (7 Mar 2018) - SKU 855361-B21 or 1A427PJ00-600-G
HPE Cloudline CL2100 G3 407S/807S (Haswell) - Prior to 4C4C2100 (9 Mar 2018) - SKU 855426-B21 (1A428QN00-600-G)
HPE Cloudline CL2200 G3 1211R (Broadwell) - Prior to DC1F109B (14 Mar 2018)
HPE Cloudline CL2200 G3 1211R (Haswell) - Prior to 4B4C2100 (9 Mar 2018)
HPE ProLiant DL580 Gen8 Server - Prior to 2.00_02-22-2018 (2 Mar 2018)
HPE ProLiant DL385p Gen8 (AMD) - Prior to 2018.03.14 (12 Apr 2018)
HPE ProLiant DL380p Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant DL360p Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant ML350e Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant ML350e Gen8 v2 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant ML350p Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant ML310e Gen8 Server - Prior to 2018.01.22 (5 Mar 2018)
HPE ProLiant ML10 v2 Server - Prior to 2018.01.22 (23 Feb 2018)
HPE ProLiant BL420c Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant DL160 Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant DL560 Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant DL380e Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant DL360e Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant DL320e Gen8 Server - Prior to 2018.01.22 (5 Mar 2018)
HPE ProLiant DL320e Gen8 v2 Server - Prior to 2018.01.22 (23 Feb 2018)
HPE ProLiant SL210t Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant SL230s Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant SL250s Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant SL270s Gen8 Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant SL4540 Gen8 1 Node Server - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant BL465c Gen8 Server Blade - Prior to 2018.03.14 (12 Apr 2018)
HPE Integrity NonStop X NS7 X1 System - To be determined - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
HPE NonStop CLIM-based Software - NonStop customers see Hotstuff HS03372B - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
HPE NonStop System Console - NonStop customers see Hotstuff HS03369C - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
HPE NonStop Virtual TapeServer (VTS) - NonStop customers see Hotstuff HS03374A - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
HPE NonStop Virtual Tape Repository (VTR) - NonStop customers see Hotstuff HS03371C - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
HPE NonStop BackBox Virtual Tape Controller (VTC) - NonStop customers see Hotstuff HS03371C - NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.
HPE Moonshot m700 Server Cartridge - All currently delivered versions
HPE Moonshot m700p Server Cartridge - All currently delivered versions
HPE Synergy Image Streamer - All currently delivered versions
HPE GL20 IoT Gateway - All currently delivered versions
HPE GL10 IoT Gateway - All currently delivered versions
Big Switch OS - To be determined
HPE ProLiant BL2x220c G7 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant BL680c G7 Server Blade - Prior to 2018.02.23 (16 Mar 2018)
HPE ProLiant BL620c G7 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant BL490c G7 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant BL460c G7 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL980 G7 Server - Prior to 2018.02.22 (17 Mar 2018)
HPE ProLiant DL360 G7 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL120 G7 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant ML110 G7 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL580 G7 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL380 G7 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant ML370 G6 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant BL2x220c G6 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant BL490c G6 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant BL460c G6 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant BL280c G6 Server Blade - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL380 G6 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL370 G6 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL360 G6 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant ML350 G6 Server - Prior to v02/22/2018
HPE ProLiant ML330 G6 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE ProLiant DL320 G6 Server - Prior to 2018.02.22 (16 Mar 2018)
HPE Integrity MC990 X Server - Prior to 2018.03 (3/17/2018)
SGI UV 300, 300H, 300RL, 30EX - Prior to 2018.03 (3/17/2018)
HPE AppSystems for SAP HANA - Scale Out Configurations - All currently delivered versions
HPE ProLiant DL585 G7 Server (AMD) - Prior to 2018.03.14 (12 Apr 2018)
HPE ProLiant SL4545 G7 Server (AMD) - Prior to 2018.03.14(A) (12 Apr 2018)
HPE ProLiant BL685c G7 Server Blade (AMD) - Prior to 2018.03.14 (12 Apr 2018)
HPE ProLiant DL180 G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant SL160z G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant ML110 G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant SL160s G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant DL120 G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant ML150 G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant DL160 G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant DL170e G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant DL170h G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant SL170s G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant SL170z G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant SL2x170z G6 Server - HPE will not provide a microcode patch. Apply OS vendor patches to mitigate.
HPE ProLiant DL120 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL160 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL380 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant m710 Server Cartridge - Prior to 2018.01.22 (24 Feb 2018)
HPE ConvergedSystem 700 (CS700) - All currently delivered versions
HPE ProLiant BL460c Gen8 Server Blade - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant BL660c Gen8 Server Blade - Prior to 2018.01.22 (2 Mar 2018)
HPE ProLiant XL230a Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant ML350 Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018)
HPE ProLiant XL190r Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018) - Includes System ROM Flash Binary and RESTful API BIOS Schemas
HPE ProLiant XL170r Gen10 Server - Prior to 1.32_02-01-2018 (16 Feb 2018) - Includes System ROM Flash Binary and RESTful API BIOS Schemas
HPE ProLiant XL730f Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant DL180 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE ProLiant ML350 Gen9 Server - Prior to 2.56_01-22-2018 (23 Feb 2018)
HPE Cloudline CL5200 Gen9 Server - Prior to 4H4C2130 (3/14/2018)
HPE Cloudline CL3100 Gen9 Server - Prior to 2F4C2230 (3/7/2018) - Windows and Linux
HPE ProLiant SL390s G7 Server - Prior to 2018.02.22 (16 Mar 2018)

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

Reference       V3 Vector                                      V3 Base Score   V2 Vector                       V2 Base Score
CVE-2017-5715   CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N   5.5             (AV:L/AC:M/Au:N/C:C/I:N/A:N)    4.7
CVE-2017-5753   CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N   5.5             (AV:L/AC:M/Au:N/C:C/I:N/A:N)    4.7
CVE-2017-5754   CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N   5.5             (AV:L/AC:M/Au:N/C:C/I:N/A:N)    4.7
CVE-2018-3693   CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N   5.5             (AV:L/AC:M/Au:N/C:C/I:N/A:N)    4.7

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

Intel has now granted the microcode update for certain G7 and G6 system ROM updates and they are available for download as of March 16, 2018.

Intel has now granted the microcode update for certain Gen9 and Gen8 system ROM updates and they are available for download as of February 23, 2018.

Intel has now granted the microcode update for Gen10 System ROM updates and they are available for download as of February 20, 2018.

On January 11, Intel announced issues with an increased frequency of reboots when using the microcodes they released to address Variant 2 of the Spectre Vulnerability for numerous processors including Broadwell, Haswell, Skylake, Kaby Lake, Ivybridge, and Sandybridge processors. Intel has now identified the root cause of these issues and determined that these microcodes may introduce reboots and other unpredictable system behavior. Due to the severity of the potential issues that may occur when using these microcodes, Intel is now recommending that customers discontinue their use. Additional information is available from Intel's Security Exploit Newsroom here: https://newsroom.intel.com/press-kits/security-exploits-intel-products/

HPE is in alignment with Intel in our recommendation that customers discontinue use of System ROMs including impacted microcodes and revert to earlier System ROM versions. All System ROMs including impacted microcodes were removed from the HPE Support Site. This impacts HPE ProLiant and Synergy, Gen9, and Gen8 v2 servers as well as HPE Superdome servers for which updated System ROMs had previously been made available. Intel is working on updated microcodes to address these issues, and HPE will validate updated System ROMs including these microcodes and make them available to our customers in the coming weeks. Mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown) vulnerabilities require only OS updates and are not impacted.

HPE has provided a customer bulletin https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us with specific instructions to obtain the updated system ROM.

NonStop customers should carefully review all pertinent NonStop Hotstuff notices BEFORE taking any action.

Note: CVE-2017-5715 (Variant 2) and SpectreRSB require that the System ROM be updated and a vendor-supplied operating system update be applied as well. CVE-2017-5753 and CVE-2017-5754 (Spectre variants 1, 1.2, NetSpectre and variant 3) require only updates of a vendor-supplied operating system. CVE-2018-3693 (Spectre variant 1.1, Bounds Check Bypass Stores) requires only updates of a vendor-supplied operating system.

HPE will continue to add additional products to the list.

HISTORY

Version:1 (rev.1) - 4 January 2018 Initial release
Version:2 (rev.2) - 5 January 2018 Added additional impacted products
Version:3 (rev.3) - 10 January 2018 Added more impacted products
Version:4 (rev.4) - 9 January 2018 Fixed product ID
Version:5 (rev.5) - 18 January 2018 Added additional impacted products
Version:6 (rev.6) - 19 January 2018 Updated impacted product list
Version:7 (rev.7) - 23 January 2018 Marked impacted products with TBD for System ROM updates per Intel's guidance on microcode issues
Version:8 (rev.8) - 24 January 2018 Added additional impacted products
Version:9 (rev.9) - 25 January 2018 Added additional impacted products
Version:10 (rev.10) - 25 January 2018 Added additional impacted products, adjusted CVSS score
Version:11 (rev.11) - 1 February 2018 Added additional impacted products
Version:12 (rev.12) - 13 February 2018 Updated NonStop Product information
Version:13 (rev.13) - 16 February 2018 Removed not impacted product
Version:14 (rev.14) - 22 February 2018 Updated Gen10 products (for Intel Skylake-SP) with released System ROM
Version:15 (rev.15) - 2 March 2018 Updated certain Gen9 and Gen8 products, corrected CVSS vectors
Version:16 (rev.16) - 6 March 2018 Added Gen6 and Gen7 Systems
Version:17 (rev.17) - 17 March 2018 Updated NonStop information, added CVEs to title
Version:18 (rev.18) - 19 March 2018 Added Superdome Flex resolution, added resolution for certain G6, G7 servers
Version:19 (rev.19) - 30 March 2018 Added Cloudline products and adjusted ROM version names to match HPE Support Center
Version:20 (rev.20) - 14 April 2018 Added certain AMD processor-based systems
Version:21 (rev.21) - 8 May 2018 Updated Superdome X and Superdome Flex version information
Version:22 (rev.22) - 29 June 2018 HPE will not provide microcode patches for certain ProLiant G6 Systems. Apply OS vendor patches to mitigate
Version:23 (rev.23) - 23 July 2019 Added Spectre 1.1 Bounds Check Bypass Store CVE-2018-3693, added Spectre 1.2, SpectreRSB, NetSpectre - these are remediated by the fixes provided by OS vendors
Version:24 (rev.24) - 5 May 2020 Added Moonshot m710x to impacted products list

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:
Web Form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

System management and security procedures must be reviewed frequently to maintain system integrity. HPE is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HPE is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HPE products the important security information contained in this Bulletin. HPE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HPE does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HPE will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HPE disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

©Copyright 2024 Hewlett Packard Enterprise Development LP. Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
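The bulletin's Note splits the three CVEs into two remediation paths: Variant 2 (CVE-2017-5715) needs both the HPE System ROM (microcode) and the OS update, while Variant 1 and Meltdown need only the OS update. The following check, added here and not part of the HPE bulletin, reads the Linux kernel's sysfs vulnerability reporting on a host and says which path is still outstanding; the sysfs path is assumed to be the standard one (Linux 4.15 and later), and the sample readings are constructed, not captured from a real HPE host.

```python
"""Map Linux sysfs mitigation status to the HPESBHF03805 remediation paths."""
import os

# Assumed standard sysfs location (Linux 4.15+); adjust if your kernel differs.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# CVE -> (sysfs file name, bulletin also requires an HPE System ROM update)
BULLETIN = {
    "CVE-2017-5753": ("spectre_v1", False),  # Spectre Variant 1: OS update only
    "CVE-2017-5715": ("spectre_v2", True),   # Spectre Variant 2: System ROM + OS
    "CVE-2017-5754": ("meltdown", False),    # Meltdown (Variant 3): OS update only
}

# Tokens the kernel prints in spectre_v2 only when microcode-provided controls
# (IBRS/IBPB/STIBP) are present, i.e. evidence that updated microcode is loaded.
MICROCODE_TOKENS = ("IBRS", "IBPB", "STIBP")


def read_sysfs(path=SYSFS_DIR):
    """Read every sysfs vulnerability file into {name: status}; empty if absent."""
    readings = {}
    if not os.path.isdir(path):
        return readings
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as fh:
            readings[name] = fh.read().strip()
    return readings


def assess(readings):
    """Return {cve: (state, required_action)} for the three bulletin CVEs."""
    result = {}
    for cve, (name, needs_rom) in BULLETIN.items():
        status = readings.get(name)
        if status is None:
            # Kernels older than the mitigation work do not expose the file at all.
            result[cve] = ("unknown", "kernel does not report this item; apply OS vendor update")
        elif status.startswith("Not affected"):
            result[cve] = ("not_affected", "none")
        elif status.startswith("Vulnerable"):
            action = "apply OS vendor update"
            if needs_rom:
                action += " and HPE System ROM (microcode) update"
            result[cve] = ("vulnerable", action)
        elif status.startswith("Mitigation"):
            if needs_rom and not any(tok in status for tok in MICROCODE_TOKENS):
                # OS-side mitigation is on, but nothing shows the ROM microcode is in place.
                result[cve] = ("partial", "OS mitigation active but no microcode controls "
                                          "reported; confirm System ROM level against bulletin")
            else:
                result[cve] = ("mitigated", "none")
        else:
            result[cve] = ("unknown", "unrecognised status: " + status)
    return result


def needs_rom_update(readings):
    """True when a CVE the bulletin ties to a System ROM update is still open."""
    verdicts = assess(readings)
    return any(verdicts[cve][0] in ("vulnerable", "partial")
               for cve, (_, rom) in BULLETIN.items() if rom)


# Constructed sample: OS patched, System ROM not yet updated (retpoline only).
SAMPLE_UNPATCHED_ROM = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
    "meltdown": "Mitigation: PTI",
}

# Constructed sample: same host after the System ROM update (IBPB/IBRS_FW shown).
SAMPLE_PATCHED_ROM = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
    "meltdown": "Mitigation: PTI",
}

if __name__ == "__main__":
    for cve, (state, action) in assess(read_sysfs()).items():
        print(cve + ": " + state + " - " + action)
```

Run it on the host itself to read live values, or feed `assess()` a dict collected from fleet inventory to triage which HPE systems still need the ROM update.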

Scope

None

Resolution


Additional Resources / Links
