ProLiant Servers (ML,DL,SL)
cancel
Showing results for 
Search instead for 
Did you mean: 

Proliant ML350 Gen9 with latest BIOS still listed as vulnerable to CVE-2017-5715

 
SOLVED
Go to solution
Josh Trout
Occasional Contributor

Proliant ML350 Gen9 with latest BIOS still listed as vulnerable to CVE-2017-5715

Looking to get a Proliant ML350 Gen9 all patched to protect against the recent speculative threats.

It runs multiple Windows Server 2016 VM's under VMWare (HPE-ESXi-6.5.0-Update1-iso-650.U1.10.1.5.26 (Hewlett Packard Enterprise)).

We updated the BIOS to the latest version of May 20, 2018. P92 Version 2.60

Running a check of the mitigation status in Powershell lists us as still vulnerable to CVE-2017-5715 [branch target injection] due to out of date BIOS/firmware.

Does BIOS P92 Version 2.60 still not protect against this vulnerability? 

Proliant_Mitigation.PNG

 

 

2 REPLIES 2
salmansidd
HPE Pro
Solution

Re: Proliant ML350 Gen9 with latest BIOS still listed as vulnerable to CVE-2017-5715

Please review the customer bulletin
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us

SUPPORT COMMUNICATION - CUSTOMER BULLETIN
Document ID: a00039267en_us
Version: 15
Bulletin: (Revision) HPE ProLiant, Moonshot and Synergy Servers - Side Channel Analysis Method Allows Improper Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

For CVE-2017-5715 mitigation, both OS Update and microcode update are required.

Name                              CVE Number                   OS Update Required         Microcode Required
Variant 1 Spectre           CVE-2017-5753                Yes                                      No
Variant 2 Spectre           CVE-2017-5715                Yes                                      Yes
Variant 3 Meltdown       CVE-2017-5754               Yes                                       No

 Review VMware article for more details
https://kb.vmware.com/s/article/52245
VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, and CVE-2018-3693 (aka Spectre and Meltdown) (52245)


Action Requested
==================
Update Bios - 2.60
Update OS using VMware-ESXi-6.5.0-Update1-7388607-HPE-650.U1.10.2.0.23-Feb2018.iso

Run the scan and if the issue still persists , Log a case with HPE Support.

NOTE: I am an HPE Employee

Josh Trout
Occasional Contributor

Re: Proliant ML350 Gen9 with latest BIOS still listed as vulnerable to CVE-2017-5715

Had to bump the VMWare OS to HPE ESXi 6.5.0 Update 2, but that brought the mitigations online as we needed.