Intel Microarchitectural Data Sampling (MDS) Vulnerabilities & Its Mitigation in Oracle Cloud


If you are running your workload on Oracle Cloud (Compute, Databases), read this complete post and apply the patches as recommended.

Intel recently identified a set of vulnerabilities in its processors, which it named Microarchitectural Data Sampling (MDS). Because of them, Intel CPUs may allow information disclosure, which an attacker can exploit by running malicious code on your system.

This post covers what you must know about the Microarchitectural Data Sampling (MDS) vulnerabilities and what Oracle recommends to mitigate them.

What is Microarchitectural Data Sampling (MDS) Vulnerability?

They are referred to as Microarchitectural Data Sampling issues (MDS issues) because they relate to microarchitectural structures of Intel processors other than the level 1 data cache. An attacker can run malicious code against these structures to exploit them. Intel has rated this vulnerability as medium severity.

These vulnerabilities have received the following CVE identifiers. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities and exposures.

  • CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)

CVE-2019-11091 has received a CVSS Base Score of 3.8, while the other vulnerabilities have all been rated with a CVSS Base Score of 6.5. CVSS stands for Common Vulnerability Scoring System.

Oracle Recommendations for Intel Microarchitectural Data Sampling (MDS) Vulnerabilities

Oracle Hardware

  • Oracle suggests that administrators of x86-based systems carefully analyze the impact of MDS on their systems and implement the appropriate security mitigations, such as applying the OS patches released for these vulnerabilities.
  • If you are using an Oracle Engineered System such as Exadata Machine, Database Appliance, SuperCluster, etc., Oracle will give you specific guidance.

Oracle Operating Systems (Linux and Solaris) and Virtualization

  • If you are using Oracle Linux 7, Oracle Linux 6, or Oracle VM Server for x86 products, you should immediately apply the OS patches released by Oracle for these vulnerabilities. In addition, you should run the current version of the Intel microcode to mitigate these issues (# yum update microcode_ctl).
  • The required versions of microcode_ctl rpms are Oracle Linux 7: microcode_ctl 2.1-47.0.4 & Oracle Linux 6: microcode_ctl 1.17-1002
  • Oracle Linux customers can use the Oracle Ksplice tool to patch the OS with zero downtime. To know more, check here.
  • Oracle Solaris on x86 is affected by these vulnerabilities. For more information, check Doc ID 2540621.1.
  • If you are running your workload on Oracle Solaris on SPARC, no action is required from your end, as it is not affected by these vulnerabilities.

Oracle Cloud

  • If you are using Oracle Autonomous Database (ATP & ADW), no action is required for these vulnerabilities. To know more about Autonomous Database, check here.
  • If you are using Bare Metal Instances with your own virtualization stack on top, you should review the Intel recommendations about these MDS vulnerabilities and make the recommended changes to your configuration.
  • If you are using VM Instances, you should patch the OS to the latest security patch released by Oracle. To know how to patch, check here.
  • For zero-downtime patching in Oracle Cloud, you can use Oracle Ksplice, which is only available for Oracle Linux images. To know how to configure it, check here.
  • Note: If you are using a third-party OS, you should reach out to its vendor for patches for these vulnerabilities.
  • If you are running your DB System on a Virtual Machine or Bare Metal, you should apply the latest OS patches. To know how to apply the OS patch to a DB System, check here.
  • For Exadata DB systems, apply the OS patches following the instructions in Updating an Exadata DB System.
  • If you are using Oracle Cloud Infrastructure Classic and Oracle Platform Service on Oracle Cloud Infrastructure Classic, Oracle will be performing mandatory maintenance for Infrastructure and Platform Services on Oracle Cloud Infrastructure Classic, so no action is required from the customer's end.

Steps To Install OS Security Patches For MDS Vulnerabilities in Bare Metal & VM Instances with Downtime

Step 1: Install the latest microcode released by Intel

sudo yum update microcode_ctl

The required versions of microcode_ctl rpms are:

  • Oracle Linux 7: microcode_ctl 2.1-47.0.4
  • Oracle Linux 6: microcode_ctl 1.17-1002

Step 2: To install the latest security patches, run the following command:

Note: The yum-plugin-security package allows you to use yum to obtain a list of all errata that are available for your system, including security updates.

sudo yum install yum-plugin-security

Step 3: Use the --cve option to display the errata that correspond to a specified CVE and to install the required packages, by running the following commands:

sudo yum updateinfo list --cve CVE-####-#####

sudo yum update --cve CVE-####-#####

Because Intel has identified four different vulnerabilities, the commands should be as shown below.

To list all RPMs for each vulnerability:

sudo yum updateinfo list --cve CVE-2019-11091
sudo yum updateinfo list --cve CVE-2018-12126
sudo yum updateinfo list --cve CVE-2018-12127
sudo yum updateinfo list --cve CVE-2018-12130

To update the RPMs for each vulnerability:

sudo yum update --cve CVE-2019-11091
sudo yum update --cve CVE-2018-12126
sudo yum update --cve CVE-2018-12127
sudo yum update --cve CVE-2018-12130

A system reboot will be required once the packages are applied.

To know how to apply OS patches in Oracle Linux images using Ksplice without downtime, check here.

Step 4: After the system reboots, ensure that the following file is populated:

cat /sys/devices/system/cpu/vulnerabilities/mds
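
Being populated is not the whole check: the text in that file says whether the mitigation is actually active. The script below is an added example, not part of Oracle's instructions; the verdict names are made up for illustration, and the sample status lines are constructed from the formats described in the Linux kernel's MDS documentation.

```sh
#!/bin/sh
# Added example: interpret the MDS sysfs file from Step 4.
# Verdict names are illustrative, not kernel or Oracle terminology.
MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS -> print a one-word verdict for a status string.
classify_mds() {
    case "$1" in
        # Empty: file absent or unreadable, so the running kernel does not
        # report MDS (assumed: patched kernel not installed or not booted).
        "")                                  echo NO_MDS_REPORTING ;;
        "Not affected"*)                     echo NOT_AFFECTED ;;
        # Kernel is patched but the CPU lacks the new microcode (Step 1).
        *"no microcode"*)                    echo NEED_MICROCODE ;;
        # Buffers are cleared, but sibling hyper-threads are still exposed.
        "Mitigation:"*"SMT vulnerable"*)     echo MITIGATED_SMT_EXPOSED ;;
        # Typical inside a VM: the guest cannot see the host's SMT setting.
        "Mitigation:"*"Host state unknown"*) echo MITIGATED_HOST_SMT_UNKNOWN ;;
        "Mitigation:"*)                      echo MITIGATED ;;
        "Vulnerable"*)                       echo VULNERABLE ;;
        *)                                   echo UNKNOWN ;;
    esac
}

# check_mds [FILE] -> classify FILE (default: the live sysfs path).
check_mds() {
    f="${1:-$MDS_FILE}"
    status=""
    if [ -r "$f" ]; then status=$(cat "$f"); fi
    classify_mds "$status"
}

# Constructed sample lines, one per state the kernel can report.
while IFS= read -r line; do
    printf '%-26s <- %s\n' "$(classify_mds "$line")" "$line"
done <<'EOF'
Not affected
Vulnerable
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: Clear CPU buffers; SMT Host state unknown
Mitigation: Clear CPU buffers; SMT disabled
EOF

printf 'This host: %s\n' "$(check_mds)"
```

A NEED_MICROCODE verdict after the reboot means the microcode_ctl update from Step 1 did not take effect on that host.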

I hope you find this post useful. Make sure you update and apply all the security patches as recommended in order to mitigate these Microarchitectural Data Sampling (MDS) vulnerabilities, and comment on the post to let us know if you have any questions about them.
