08-30-2018 02:21 AM
Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4
I have servers on a customer site still showing as vulnerable to Spectre Variant #2; this is after applying the June 2018 SPP and the latest Red Hat patches for RHEL 7.4 (we need to stay at RHEL 7.4 for the moment and not jump to RHEL 7.5, for political rather than technical reasons). Running kernel is 3.10.0-693.37.4.el7.x86_64.
I have also installed the latest Mellanox firmware.
When running the Red Hat detection script from https://access.redhat.com/security/vulnerabilities/speculativeexecution I get:
Variant #2 (Spectre): Vulnerable: Retpoline with unsafe module(s)
CVE-2017-5715 - speculative execution branch target injection
- Kernel with mitigation patches: OK
- HW support / updated microcode: YES
- IBRS: Not disabled on kernel commandline
- IBPB: Not disabled on kernel commandline
- Retpolines: Not disabled on kernel commandline
$ sudo cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Retpoline with unsafe module(s)
One server shows:
$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
VULNERABLE - No Retpoline found - knem
VULNERABLE - No Retpoline found - tg3
Another returns:
$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
VULNERABLE - No Retpoline found - knem
VULNERABLE - No Retpoline found - mst_pciconf
VULNERABLE - No Retpoline found - mst_pci
VULNERABLE - No Retpoline found - tg3
VULNERABLE - No Retpoline found - hpsa
I have raised two HPE support cases, created a case with Red Hat and reported to the HPE vulnerability team.
Does anyone have experience in this area? What am I missing?
Looking at 'knem' for example I have July 2018 builds installed.
$ rpm -qi kmod-knem-1.1.3.90mlnx1-OFED.4.3.0.1.4.1.g8cf97c1.rhel7u4.x86_64
Name : kmod-knem
Build Date : Tue 03 Jul 2018 04:52:54 AM EDT
Thanks in advance,
Ian
09-02-2018 09:40 PM
Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4
Hi,
Please refer to the below advisory links.
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00048185en_us
https://access.redhat.com/security/vulnerabilities/speculativeexecution
You have to install the updated drivers. The drivers are included in the custom SPP, which can be obtained from http://retpoline.linux.hpe.com/
From,
HPE Technical Team Member
09-03-2018 03:44 AM
Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4
Thanks for the links, Kashyap02. I don't know why support didn't provide these.
It's helped as tg3 and hpsa are no longer showing as vulnerable, but Mellanox drivers/firmware are still reporting:
$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
VULNERABLE - No Retpoline found - knem
VULNERABLE - No Retpoline found - mst_pciconf
VULNERABLE - No Retpoline found - mst_pci
This is despite installing the latest drivers I can locate on hpe.com and mellanox.com.
09-13-2018 11:57 PM
Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4
Below is the Mellanox Infiniband and Ethernet driver for RHEL.
https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_b15d40146fdb40d5a558ccb08b#tab-history
Verify the latest version is installed. If yes, I would suggest that you provide the below details and open a support ticket with HPE.
1. NIC details
2. Firmware and drivers installed
3. Vulnerability check result.
Thank you.
I am an HPE Employee
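A stricter form of the per-module check used in this thread, as an added example that is not part of any post: it matches the "retpoline: Y" field of modinfo output rather than any line containing the word, and names the RPM that owns each flagged module so the driver package that still needs updating is clear. The function names are hypothetical and the sample modinfo text is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed modinfo output (not captured from a real host). The word
# "retpoline" in the description would satisfy a bare grep -c retpoline.
SAMPLE_OLD='filename:       /lib/modules/3.10.0-693.37.4.el7.x86_64/extra/knem/knem.ko
description:    constructed sample, built before retpoline support
vermagic:       3.10.0-693.el7.x86_64 SMP mod_unload modversions'

# Read modinfo output on stdin; print
# "<retpoline|NO-retpoline> <intree|out-of-tree> <file>".
classify_modinfo() {
    awk '
        /^retpoline:/ && $2 == "Y" { retp = 1 }
        /^intree:/    && $2 == "Y" { intree = 1 }
        /^filename:/               { file = $2 }
        END {
            printf "%s %s %s\n", (retp ? "retpoline" : "NO-retpoline"),
                   (intree ? "intree" : "out-of-tree"), (file ? file : "-")
        }'
}

# Walk a /proc/modules-style list (default: the live one) and report every
# module lacking the retpoline flag, with the RPM that owns its .ko file.
audit_loaded_modules() {
    modlist=${1:-/proc/modules}
    while read -r name _rest; do
        info=$(modinfo "$name" 2>/dev/null) ||
            { echo "UNKNOWN $name (modinfo failed)"; continue; }
        set -- $(printf '%s\n' "$info" | classify_modinfo)
        [ "$1" = "retpoline" ] && continue
        owner=$(rpm -qf "$3" 2>/dev/null) || owner="no owning package"
        echo "NO-RETPOLINE $name [$2] $3 -> $owner"
    done < "$modlist"
}

# Offline demo on the constructed sample; on a host, run: audit_loaded_modules
printf '%s\n' "$SAMPLE_OLD" | classify_modinfo
```

Out-of-tree modules flagged here come from vendor driver packages, so the fix is a rebuilt package from the vendor rather than a kernel update.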
© Copyright 2021 Hewlett Packard Enterprise Development LP