The H3C Technical Solution Bulletin for Microprocessors Security Vulnerability (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)


Background

Microprocessor manufacturers recently disclosed several serious security vulnerabilities. These vulnerabilities result from an underlying design flaw in microprocessors and may affect all mainstream microprocessor products. They are known as Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).

 

Impact

These vulnerabilities may lead to information disclosure and elevation of privilege.

 

H3C Products

H3C R&D team quickly investigated the H3C products after the vulnerabilities were publicly disclosed.

 

We found that the products below are within the impact scope:

- CAS
- Cloud desktop, Cloud class series products
- H3CloudOS
- Distributed Storage
- H3C Server products
- Some business software products (ADCAMADCARU-CenterAOMSOC)
- Some NFV products (VBRASSO, VNFM, NFVO, VNF1000 series products)
- SDN: vSwitch, SDN Controller and License Server
- SDN WAN products: AD-WAN
- Big Data software
- Middle and low end router OAP single board
- VCX (End of support on Dec 2017)

 

We also confirmed that the products below are not impacted by these vulnerabilities:

A. Among Comware platform based products, the following are not impacted:

- Park core switch products
- Data center switch products
- Park access switches
- Security products
- Wireless products
- High-end routers
- Middle and low end router products
- Core router products
- VNF2000 series products (VSR/VBRAS/vFW/vLB/vAC/vLNS)

B. Among non-Comware platform products, the following are not impacted:

- Some business software products (iMC, ADDC)
- Intelligent Terminal

C. Comware platform software:

- ComwareV5, running in kernel state, is not affected and does not involve these vulnerabilities.
- ComwareV7: all products that run the ComwareV7 platform are not affected and do not involve these vulnerabilities.

 

HPE Products

HPE confirms that the following products are impacted:

- HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE Synergy 480 Gen9 Compute Module, HPE Synergy 660 Gen9 Compute Module, HPE ProLiant m710x Server Cartridge, HPE ProLiant XL270d Gen9 Special Server, HPE ProLiant MicroServer Gen10, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE Synergy 660 Gen10 Compute Module, HPE Synergy 480 Gen10 Configure-to-order Compute Module, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant XL170r Gen10 Server, HPE ProLiant XL190r Gen10 Server, HPE Apollo 2000 System, HPE ProLiant DL120 Gen10 Server, HPE ProLiant DL160 Gen10 Server, HPE ProLiant DL180 Gen10 Server, HPE ProLiant DL580 Gen10 Server, HPE ProLiant ML110 Gen10 Server, HPE ProLiant ML350 Gen10 Server, HPE Apollo 4510 System, HPE ProLiant XL450 Gen10 Server, HPE ProLiant DL385 Gen10 Server, HPE Apollo 6000 DLC System, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant ML310e Gen8 v2 Server, HP ProLiant XL220a Gen8 v2 Server, HPE ProLiant DL160 Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HP ProLiant BL460c Gen9 Server Blade, HPE ProLiant XL230a Gen9 Server, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant DL60 Gen9 Server, HPE ProLiant DL80 Gen9 Server, HPE ProLiant DL160 Gen9 Special Server, HPE ProLiant ML10 v2 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant WS460c Gen9 Workstation, HPE ProLiant DL580 Gen9 Server, HP ProLiant DL580 Gen9 Server, HP ProLiant BL660c Gen9 Server, HPE ProLiant DL560 Gen9 Server, HPE ProLiant XL450 Gen9 Server, HPE ProLiant m710p Server Cartridge

- ProLiant ML10 Gen8 server, ProLiant ML310e Gen8 server, ProLiant Microserver Gen8, ProLiant XL260a Gen9 server, HPE Synergy 620 Gen9 node, HPE Synergy 480 Gen9 node, ProLiant Thin Micro TM200, ProLiant m510 server, ProLiant m300 server, ProLiant m350 server, ProLiant DL160 Gen8, ProLiant DL320e Gen8, ProLiant DL360e Gen8, ProLiant DL360p Gen8, ProLiant DL380e Gen8, ProLiant DL380p Gen8, ProLiant DL560 Gen8, ProLiant DL580 Gen8, ProLiant ML350e Gen8, ProLiant ML350p Gen8, ProLiant SL230s Gen8, ProLiant SL250s Gen8, ProLiant SL270s Gen8, ProLiant BL420c Gen8, ProLiant BL460c Gen8, ProLiant BL660c Gen8, ProLiant SL210t Gen8

- Three BCS Integrity servers using Intel Xeon CPUs: Integrity MC990x, Integrity Superdome X, Superdome Flex. And the corresponding SAP HANA solution products: HPE ConvergedSystem 900 for SAP HANA Scale-up configurations (Intel Haswell architecture), HPE Superdome X Scale-up / Scale-out TDI configurations (Intel Haswell architecture), HPE Integrity MC990 X TDI Compute Block with the Intel Xeon E7-88XXv4

- All HPE hyperconverged systems: HC250 and Simplivity 380: HPE SimpliVity 380 Gen9 Nodes, HPE SimpliVity 380 Gen10 Nodes, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for DELL, SimpliVity OmniStack for Lenovo, HPE Hyper Converged 250 for VMware vSphere, HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard, Hyper Converged 380

- File controller servers: 3PAR StoreServ File Controller v3, StoreVirtual 3000 File Controller

- Non-Stop servers: HPE Integrity Nonstop X CPUs (x86), HPE NonStop System Consoles, HPE Integrity Nonstop X CPUs (x86), HPE Integrity Nonstop X CPUs (x86).

- NAS storage products: StoreEasy 1450, StoreEasy 1550, StoreEasy 1650, StoreEasy 1650E, StoreEasy 1850, StoreEasy 3850.

 

Products that HPE confirmed are in the impact scope but carry no security risk:

- Enterprise Storage Products: Nimble Storage, 3PAR StoreServ 7xxx, 3PAR StoreServ 8xxx, 3PAR StoreServ 9xxx, 3PAR StoreServ 10xxx, 3PAR StoreServ 20xxx, 3PAR StoreServ Service Processor DL120 G8, 3PAR StoreServ Service Processor DL320e G8, 3PAR StoreServ Service Processor DL120 G9 v3, 3PAR StoreServ Service Processor DL120 G9 v4, 3PAR StoreServ Service Processor DL360e G8, XP7 Gen1 and Gen2 SVP & MP, StoreOnce 3100, StoreOnce 3520, StoreOnce 3540, StoreOnce 5100, StoreOnce 5500, StoreOnce 6600, StoreOnce 2700 capacity upgrades only, StoreOnce 2900 capacity upgrades only, StoreOnce 4500 capacity upgrades only, StoreOnce 4700 capacity upgrades only, StoreOnce 4900 capacity upgrades only, StoreOnce 6500 capacity upgrades only, StoreOnce D2D2502i, StoreOnce D2D2504i, StoreOnce D2D4106i, StoreOnce D2D4106fc, StoreOnce D2D4112, StoreOnce D2D4312, StoreOnce D2D4324, StoreOnce 2620 iSCSI, StoreOnce 4210 iSCSI, StoreOnce 4220, StoreOnce 4420, StoreOnce 4430, StoreOnce B6200, MSA 1040, MSA 2040, MSA 2042, MSA 1050, MSA 2050, MSA 2052, MSA P2000 G3, StoreVirtual 3200, StoreVirtual 4130, StoreVirtual 4330, StoreVirtual 4330 FC, StoreVirtual 4335, StoreVirtual 4530, StoreVirtual 4730, StoreVirtual 4730 FC, StoreVirtual 4630, XP P9500 SVP & MP, XP24000/20000 & MP

Products that HPE confirmed are not in the impact scope:

- HPE Itanium CPUs are not impacted by these vulnerabilities, so the following servers are not involved: HPE Integrity BL860c, BL870c, BL890c i2; HPE Integrity BL860c, BL870c, BL890c i4; HPE Integrity BL860c, BL870c, BL890c i6; HPE Integrity rx2800 i6; HPE Integrity rx2800 i4; HPE Integrity rx2800 i2; HPE Integrity BL860c; HPE Integrity BL870c; HPE Integrity rx6600/rx3600; HPE Integrity rx2660; HPE 9000 Superdome sx1000/sx2000; HPE Integrity NonStop i CPUs (Itanium); HP Integrity Superdome 2 CB900s i6, i4 & i2 Server

 

Solution for H3C Products

 

Since the microprocessor vulnerabilities were disclosed, the H3C R&D team has followed up from the outset, analysing the principles behind the vulnerabilities and researching remediation measures, and has confirmed that the security vulnerabilities can be effectively fixed by version upgrades. The H3C R&D team is currently running full functional and performance tests of the fixed underlying software in the laboratory. The team will continue to track the latest information on the microprocessor security vulnerabilities and provide more comprehensive protection for the security of H3C products.

 

- CAS

For the E0306 series, the latest update version, E0306H19, was published on Jan 15th, 2018.

For the E050X series, the latest update version will be published on Jan 29th, 2019; the version number is to be confirmed.

- Cloud desktop, Cloud class series products

We will post the update version shortly; the version number is to be confirmed.

- H3CloudOS

The latest version will be posted before mid-Jan. 2018. The version number is to be confirmed.

- Distributed Storage

For H3C UniStor X10000, the latest update version will be published before Mar. 2018. The version number is to be confirmed.

H3C ONEStor2.0/1.0 Separation Deployment involves the OS; the 2.0 version, which will be published before Mar. 2018, will fix the issue. The version number is to be confirmed.

- H3C Server products

For R4900/R390X G2 products, we plan to publish a new BIOS version before Apr. 2018.

For R4900/R4700/R2900/R2700 G3 products, we plan to publish a new BIOS version before Apr. 2018.

For H3C Flex server, H3C UIS G2 server, H3C Converged Fabric enterprise storage, H3C Converged Protect enterprise storage and H3C Flex storage enterprise storage, we plan to publish a new BIOS version before Apr. 2018.

 

- Some business software products (ADCAMADCARU-CenterAOMSOC)

We plan to update the CentOS Linux kernel before Mar. 2018. The new version number is to be confirmed.

- Some NFV products (VBRASSO, VNFM, NFVO, VNF1000 series products)

For VBRASSO and VNFM, integration work has started and the products are being adapted to an OS that fixes the vulnerability. The updated version will be released once this is completed.

For NFVO products, we will publish a new version shortly to fix the issue.

For the VNF1000 series (VSR1000/VFW1000/VLB1000/VBRAS1000/VLNS1000), we plan to release a new version before Mar. 2018. The version number is to be confirmed.

- SDN: vSwitch, SDN Controller and License Server

For vSwitch and License Server, an OS patch update is required. The updated version will be released once the adaptation succeeds.

For VCFC (SDN Controller), we plan to publish a new version before Feb 2018. The version number is to be confirmed.

- SDN WAN products: AD-WAN

Currently, CentOS 6.6 and Ubuntu 14.4.4 LTS are installed, so an OS patch update is required. We are adapting to an operating system version that fixes the vulnerability; once the adaptation succeeds, the operating system version number that fixes the vulnerability will be updated here.

- Big Data software

We are adapting to an OS that fixes the vulnerabilities. We plan to release a new version before mid-Feb. 2018. The version number is to be confirmed.

- Middle and low end router OAP single board

It depends on the OS. We recommend that customers apply an OS patch update.
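After an OS patch update of the kind recommended above, the result can be checked on the Linux host itself. The following is an added example, not H3C or HPE code: it assumes a kernel that exposes its per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities and classifies the three CVEs in this bulletin. The function names are hypothetical, and the directory is a parameter so the check can also run against a copied tree.

```shell
#!/bin/sh
# Added example: classify the kernel's self-reported status for
# Meltdown and Spectre. Assumes the Linux sysfs reporting directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status <text>: map one status line to a coarse class.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_file <dir> <name>: class for one status file.
# UNREPORTED means the kernel does not expose the file at all,
# which is what a kernel older than the fixes looks like.
check_file() {
    if [ -r "$1/$2" ]; then
        classify_status "$(cat "$1/$2")"
    else
        echo UNREPORTED
    fi
}

# report [dir]: one line per CVE; returns non-zero unless every CVE
# is reported as mitigated or not affected.
report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 \
                CVE-2017-5715:spectre_v2; do
        cve=${pair%%:*}
        file=${pair#*:}
        state=$(check_file "$dir" "$file")
        echo "$cve $file $state"
        case "$state" in
            MITIGATED|NOT_AFFECTED) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: pass a directory, or omit it to read the live system.
report "$@" || echo "At least one CVE is not reported as mitigated"
```

A non-zero result from `report` is a prompt to look at the kernel and firmware versions, since CVE-2017-5715 mitigations can also depend on the BIOS or microcode updates listed for the server products.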

 

Solution for HPE Products

Please refer to HPE's public updates via the link below:

https://h22208.www2.hpe.com/eginfolib/securityalerts/SCAM/Side_Channel_Analysis_Method.html

HPE uses four statuses to describe the current situation:

1. Fixed

2. Fix Under investigation

3. Vulnerable - Fix Under Development

4. Not Vulnerable – Product doesn’t allow arbitrary code execution

For all impacted HPE products, you can get the solutions from the website that HPE provides.

For any other concerns, please contact our tech support: +0086 400 810 0504