Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

 
ltfciano1
Visitor

I have servers on a customer site still showing as vulnerable to Spectre Variant #2; this is after applying the June 2018 SPP and the latest Red Hat patches for RHEL 7.4 (we need to stay at RHEL 7.4 for the moment and not jump to RHEL 7.5, for political rather than technical reasons). Running kernel is 3.10.0-693.37.4.el7.x86_64.

I have also installed the latest Mellanox firmware.

When running the Red Hat detection script from https://access.redhat.com/security/vulnerabilities/speculativeexecution I get:

Variant #2 (Spectre): Vulnerable: Retpoline with unsafe module(s)
CVE-2017-5715 - speculative execution branch target injection
- Kernel with mitigation patches: OK
- HW support / updated microcode: YES
- IBRS: Not disabled on kernel commandline
- IBPB: Not disabled on kernel commandline
- Retpolines: Not disabled on kernel commandline

$ sudo cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Retpoline with unsafe module(s)

One server shows:

$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
VULNERABLE - No Retpoline found - knem
VULNERABLE - No Retpoline found - tg3

Another returns:

$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
VULNERABLE - No Retpoline found - knem
VULNERABLE - No Retpoline found - mst_pciconf
VULNERABLE - No Retpoline found - mst_pci
VULNERABLE - No Retpoline found - tg3
VULNERABLE - No Retpoline found - hpsa

I have raised two HPE support cases, created a case with Red Hat and reported to the HPE vulnerability team.

Does anyone have experience in this area? What am I missing?

Looking at 'knem', for example, I have July 2018 builds installed.

$ rpm -qi kmod-knem-1.1.3.90mlnx1-OFED.4.3.0.1.4.1.g8cf97c1.rhel7u4.x86_64

Name        : kmod-knem

Build Date  : Tue 03 Jul 2018 04:52:54 AM EDT


Thanks in advance,

Ian
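The check the awk one-liner above performs, written out as an added Python example (not code from this thread, HPE or Red Hat): it parses the "retpoline:" field of modinfo rather than grepping for the word, so a module path or description that merely contains "retpoline" is not mistaken for the build flag. The /proc/modules lines and modinfo outputs in the sample are constructed.

```python
import subprocess

# Constructed /proc/modules sample; the first column is the module name.
SAMPLE_PROC_MODULES = """\
knem 65536 0 - Live 0xffffffffc0a00000 (OE)
tg3 180224 0 - Live 0xffffffffc0900000
hpsa 122880 4 - Live 0xffffffffc0800000
"""

# Constructed modinfo output: a retpoline-built module carries a
# 'retpoline: Y' line; an out-of-tree build from an older toolchain does not.
SAMPLE_MODINFO = {
    "knem": "filename:       /lib/modules/x/extra/knem.ko\nlicense:        GPL\n",
    "tg3":  "filename:       /lib/modules/x/kernel/drivers/net/tg3.ko\n"
            "retpoline:      Y\nlicense:        GPL\n",
    "hpsa": "filename:       /lib/modules/x/kernel/drivers/scsi/hpsa.ko\n"
            "retpoline:      Y\nlicense:        GPL\n",
}


def loaded_modules(proc_modules_text):
    """Module names from /proc/modules-formatted text, in listed order."""
    return [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]


def built_with_retpoline(modinfo_text):
    """True only if modinfo reports an explicit 'retpoline: Y' field."""
    for line in modinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "retpoline":
            return value.strip().upper() == "Y"
    return False  # no field at all: the module was not built with retpolines


def unsafe_modules(proc_modules_text, modinfo_lookup):
    """Loaded modules lacking the flag; any such module keeps spectre_v2 at
    'Vulnerable: Retpoline with unsafe module(s)'."""
    return [m for m in loaded_modules(proc_modules_text)
            if not built_with_retpoline(modinfo_lookup(m))]


def modinfo_live(name):
    """Lookup for a real host: run modinfo for one loaded module."""
    return subprocess.run(["modinfo", name], capture_output=True, text=True).stdout


if __name__ == "__main__":
    with open("/proc/modules") as f:
        for name in unsafe_modules(f.read(), modinfo_live):
            print("VULNERABLE - No Retpoline found -", name)
```

Run it on the host to get the same module list the awk command produces; the sample data exercises the parsing offline.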

Kashyap02
HPE Pro

Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

Hi, 

Please refer to the below advisory links. 

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00048185en_us 

https://access.redhat.com/security/vulnerabilities/speculativeexecution 

You have to install the updated drivers. The drivers are included in the custom SPP, which can be obtained from http://retpoline.linux.hpe.com/


From,

HPE Technical Team Member

I am a HPE Employee


ltfciano1
Visitor

Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

Thanks for the links Kashyap02, I don't know why support didn't provide these.

It's helped as tg3 and hpsa are no longer showing as vulnerable, but Mellanox drivers/firmware are still reporting:

$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
VULNERABLE - No Retpoline found - knem
VULNERABLE - No Retpoline found - mst_pciconf
VULNERABLE - No Retpoline found - mst_pci

This is despite installing the latest drivers I can locate on hpe.com and mellanox.com.

Kashyap02
HPE Pro

Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

Below is the Mellanox Infiniband and Ethernet driver for RHEL. 

https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_b15d40146fdb40d5a558ccb08b#tab-history 

Verify the latest version is installed. If yes, I would suggest you provide the below details and open a support ticket with HPE.

1. NIC details

2. Firmware and drivers installed

3. Vulnerability check result. 

Thank you. 
I am an HPE Employee