topic Re: Intel CPU vunerabilities Proliant DL360 in Servers - General

Intel CPU vunerabilities Proliant DL360

Neko- — Tue, 05 Jul 2022 05:37:21 GMT

I was made aware of two updates Intel released for their CPU's to address two vunerabilities.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00645.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html

I found a few of our servers (mostly the Proliant DL360 models of various generations) have their CPU listed as affected for both vunerabilities, and all are mentioned as fixed in software: Mitigation implemented in software, and software updates needed to enable mitigation

The DL360 G10 however also mentions a microcode update being required.

I am however unsure what 'software' update (or even microcode update) would actually mitigate these vunerabilities. Does anyone have any insight?

Re: Intel CPU vunerabilities Proliant DL360

Suman_1978 — Thu, 30 Jun 2022 07:20:13 GMT

Hi,

For example in DL360 Gen10, these vulnerability is addressed in the form of BIOS update.
Please refer to Revision History for a list of fixes.

Thank You!

I work with HPE but opinions expressed here are mine.
Recent Support Video Releases

Re: Intel CPU vunerabilities Proliant DL360

Neko- — Thu, 30 Jun 2022 10:00:15 GMT

The intel documentation refers to BOTH software and microcode updates being needed for the DL360 G10. So just updating the BIOS wouldn't sort the problem fully. That still leaves the software component.

And since that software component is the ONLY bit applicable to our DL360 G9 servers, that still leaves me with a question on how to sort this vunerability on all systems.

Re: Intel CPU vunerabilities Proliant DL360

Neko- — Mon, 04 Jul 2022 07:38:39 GMT

Seems HPE started a case for this (according to a PM I got)...

Curious how this is going to proceed

Re: Intel CPU vunerabilities Proliant DL360

Kashyap02 — Tue, 05 Jul 2022 04:05:15 GMT

Hi,
Please find the below details.

INTEL-SA-00615 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
Affected BIOS version of DL360 Gen10 Prior to 2.66_05_17_2022

Answer:
Please find the document for vulnerability with CVE-2022-21123
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04320en_us

Actions: Upgrade the BIOS to 2.66 (latest available)

Download Link: https://support.hpe.com/connect/s/softwaredetails?softwareId=MTX_fbd553aa2bd344f3b83abf7e10&language=en_US&tab=releaseNotes

In regard to CVE-2022-21180, I request you to raise a ticket with HPE Support with the below details as it requires further investigation. We have not found any document related to this vulnerability.

1. Serial number of the server on which this Vulnerability (CVE-2022-21180) is reported.
2. Scanner name and scan report.

Re: Intel CPU vunerabilities Proliant DL360

Neko- — Wed, 06 Jul 2022 07:29:16 GMT

@Kashyap02

BIOS noted... That _should_ be scheduled for the oncoming night on the DL360G10. (going from 2.50 to 2.66)

Still leaves the question what software Intel is referring to, to remedy the vunerability... but I'm suspecting that would likely be a question outside of HP's scope...