Alliances
1748180 Members
4296 Online
108759 Solutions
New Article ๎ฅ‚
Willa

Speculative Execution vulnerability: frequently asked questions

You may have heard of a recently identified industry-wide vulnerability that involves modern microprocessor architectures. Based on new security research, there are software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed.


Often referred to as the Side-Channel Analysis Method, or Spectre and Meltdown, this vulnerability impacts microprocessor architectures from multiple CPU vendors, including Intel, AMD, and ARM. To address this vulnerability, hardware and software vendors from across the industry, including HPE and Microsoft, have been working together to publish the appropriate resolutions.


At HPE, the security of our products is our top priority and we continue to work proactively with OS and microprocessor vendors to develop software and firmware updates to mitigate the microprocessor vulnerability.


Last month, we published a blog that discussed mitigation and resolution resources for this vulnerability, which may include updates to both the server operating system (OS) as well as the HPE ProLiant server's system ROM.

Read, โ€œResources to help mitigate Speculative Execution vulnerability in Intel and other processorsโ€ for guidance on where to obtain Microsoft OS and HPE System ROM updates.


We have received many questions about this vulnerability, so today, we wanted to take a moment to highlight and answer some of the frequently asked questions.


1. Does the microprocessor vulnerability affect all technology vendors or is this exclusive to HPE?
The microprocessor vulnerability affects all technology vendors using modern microprocessors and is not specific to HPE. All products and solutions impacted by this vulnerability require the appropriate operating system and ROM updates. Intel has stated that Itanium processors are not impacted by the Side-Channel Analysis vulnerability.


2. Which HPE products and solutions are impacted?
Any HPE products that include affected microprocessors are potentially vulnerable. To determine if your HPE products and solutions are affected, please go to the HPE Vulnerability Website. HPE will update the list of all systems as needed.


3. Is the microprocessor vulnerability due to an active attack or breach?
No, there have been no known attacks. This microprocessor vulnerability is due to a design flaw, which when analyzed via the side-channel methodology, can enable someone to deduce data. Applying the appropriate operating system and microprocessor updates for your HPE systems mitigates the risk associated with this vulnerability.


4. What is the magnitude of the security vulnerability?
New security research identified software analysis methods that, when used maliciously, have the potential to improperly gather sensitive data from computing devices that are operating as designed. For more information, reference the following common vulnerability exposures: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754.


5. What is the resolution?
Resolution of this vulnerability requires both an operating system update, provided by the OS vendor, and a System ROM update from HPE. Depending on which HPE systems you are running, you can find instructions on appropriate actions to take on the HPE Vulnerability Website.

- If you are an HPE Pointnext customer and believe you are running an impacted system, contact your Support representative.

- If you are an HPE Storage customer, you can find instructions on appropriate actions to take on the HPE Vulnerability Website. HPE Storage product resolution procedures may differ from HPE server product remedies. Please consult the HPE Vulnerability Website for Storage details.

- For software products like StoreVirtual VSA, StoreOnce VSA, RMC, and other software titles running on x86 based servers, you are advised to refer to communications from your x86 server vendor.


6. Is it an obligation to have an active contract or warranty for downloading and installing HPE System ROM updates?
No. We are waiving the entitlement check for HPE System ROM updates for products and solutions impacted by this vulnerability, when available.


7. Which operating systems are impacted?
Windowsยฎ, Linuxยฎ, and VMwareยฎ are impacted. Operating system vendors are providing OS patching updates. Based on current communication from Intel, Itanium is not impacted and thus HP-UX, OpenVMS, and the NonStop OS on NonStop J-series and H-series systems are not affected.

The NonStop OS on NonStop L-series systems run on x86 processors and are affected. In addition, the CLIMs and NSCs in NonStop systems run on x86 processors, and the Linux and Window OSs on these NonStop system components are affected.

For additional information, HPE recommends contacting operating system vendors: Microsoftยฎ, VMware, SUSE, and Red Hatยฎ.


8. Which microprocessors are impacted?
Most microprocessors with modern architectures can be impacted by the Side-Channel Analysis Method. Intel and AMD have proactively contacted HPE and are actively working with HPE to provide resolutions. Intel has stated that Itanium processors are not impacted by the Side-Channel Analysis vulnerability. For all other microprocessor vendors, contact the processor vendor for more information.


9. Are other hardware manufacturers impacted?
All hardware manufacturers as well as public cloud service providers that use affected modern microprocessor architectures are potentially impacted. Mobile phones and client computers may also be impactedโ€”refer to providers of those products for more details.


10. After I patch my systems, will there be an associated impact to performance?
In most cases, we expect performance impact will typically be minimal but will vary with OS and workload. HPE and our OS and microprocessor partners will continue to monitor and characterize potential performance impacts over time and provide further guidance as data is made available.


11. What does this microprocessor vulnerability mean for HPE ProLiant and HPE Synergy Gen10 servers, the World's Most Secure Industry Standard Servers?1
The microprocessor vulnerability is a flaw in modern microprocessors: however, there are no known attacks associated with this vulnerability.

HPE Gen10 servers have the only genuine Silicon Root of Trust technology; this custom-designed silicon from HPE provides unprecedented protection from firmware attacks. Notwithstanding our enhanced security features, with regard to this particular vulnerability, customers still need to apply all recommended updates and follow security best practices.


12. What does this microprocessor vulnerability mean for customers considering buying HPE products?
You can be confident that HPE compute solutions are world-class in security and quality. The discovery of this industry-wide microprocessor vulnerability, should have no impact on your decision to purchase HPE solutions. HPE will continue to work with Intel, AMD, and ARM to ensure that the resolutions needed for the microprocessors used in our products are a top priority. Furthermore, when the microprocessor updates are applied and combined with HPEโ€™s Silicon Root of Trust technology, found only in HPE Gen10 servers, our customers can be assured that their compute platform meets the industry's highest security standards.


13. Will HPE provide more updates regarding this vulnerability?
Yes, HPE will continue to post updates as more information and details become available. You can refer to the HPE Vulnerability Website.


14. HPE recently had the System ROM updates available for HPE ProLiant, HPE Synergy, HPE Superdome Flex, and HPE Superdome X server products. Why can't I find them now?
HPE ProLiant DL385 Gen10 updates are still available. However, we are alerting our customers to an Intel statement published 22 January 2018 regarding issues associated with the Intel microcode patch designed to address the Side-Channel Analysis vulnerability. Intel recommends that customers stop deployment of System ROMs including this microcode patch and revert to their previous version of System ROM to avoid introducing unpredictable system behavior.

As a result, HPE has removed existing System ROM updates for HPE ProLiant, HPE Synergy, HPE Superdome Flex, and HPE Superdome X server products from our HPE Support site. Updated revisions of the System ROMs for these platforms will be made available by HPE after Intel provides updated microcodes.


15. Which HPE server generations will receive System ROM updates which include microcodes to enable mitigation of the Side Channel Analysis Method vulnerability?
HPE is committed to working closely with microprocessor vendors to provide System ROM updates for Gen10, Gen9, Gen8, G7, and older HPE server generations as microcode updates are made available by processor vendors.

 

Have more questions? Check out the HPE customer guidance pack- microprocessor vulnerability 2018. This HPE document is a guidance package for customers designed to simplify the task of mitigating risk from this vulnerability. It includes step-by-step instructions and a compilation of important links to the most common operating system (OS) and microcode updates used with the current HPE server generations. HPE also recommends that our customers review statements published by the microprocessor vendors: Intel, AMD, and ARM.


Want to be a part of the conversation? Join the Coffee Coaching community to keep up with the latest HPE OEM Microsoft news and interact with HPE and Microsoft experts.

Follow us on Twitter | Join our LinkedIn group | Like us on Facebook | Watch us on YouTube | Email us a question

 

1 Based on external firm conducting cyber security penetration testing of a range of server products from a range of manufactures, May 2017.

About the Author

Willa

Willa manages the HPE | Microsoft Coffee Coaching program. Follow along to learn more about the latest HPE OEM Microsoft product releases and how the HPE Microsoft partnership can benefit partners and customers.