New H3C Technical Solution Bulletin for Microprocessor Security Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

2018-05-28

Background

Microprocessor manufacturers have recently disclosed serious security vulnerabilities resulting from an underlying design flaw, which can impact all mainstream microprocessor products. The vulnerabilities are known as Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).

Impact

These vulnerabilities can potentially lead to disclosure of information and privilege escalation.

New H3C's Products

New H3C's R&D team investigated New H3C products immediately after public disclosure of the vulnerabilities.

We determined that the products below fall within the impact scope:

· CAS

· Cloud desktop, Cloud class series products

· New H3CloudOS

· Distributed Storage

· New H3C Server products

· Some Business software products (ADCAM, ADCAR, U-Center, AOM, SOC)

· Some NFV products (VBRASSO, VNFM, NFVO, VNF1000 series products)

· SDN (vSwitch, SDN Controller and License Server)

· SDN WAN products (AD-WAN)

· Big Data software

· Middle and low-end router OAP single board

· VCX (End of support in Dec 2017)

We have confirmed that the products below are not impacted:

A. The Comware-based platform products below are not impacted:

· Park core switch products

· Data center switch products

· Park access switches

· Security products

· Wireless products

· High-end routers

· Middle and low end router products

· Core router products

· VNF2000 series products (VSR/VBRAS/vFW/vLB/vAC/vLNS)

B. The Non-Comware-based products below are not impacted:

· Some business software products (IMC, ADDC)

· Intelligent Terminals

C. Comware platform software:

· ComwareV5 kernels are not affected by these vulnerabilities.

· Products running the ComwareV7 platform are not affected by these vulnerabilities.

HPE Products

HPE has confirmed that the following products are affected:

· HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE Synergy 480 Gen9 Compute Module, HPE Synergy 660 Gen9 Compute Module, HPE ProLiant m710x Server Cartridge, HPE ProLiant XL270d Gen9 Special Server, HPE ProLiant MicroServer Gen10, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE Synergy 660 Gen10 Compute Module, HPE Synergy 480 Gen10 Configure-to-order Compute Module, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant XL170r Gen10 Server, HPE ProLiant XL190r Gen10 Server, HPE Apollo 2000 System, HPE ProLiant DL120 Gen10 Server, HPE ProLiant DL160 Gen10 Server, HPE ProLiant DL180 Gen10 Server, HPE ProLiant DL580 Gen10 Server, HPE ProLiant ML110 Gen10 Server, HPE ProLiant ML350 Gen10 Server, HPE Apollo 4510 System, HPE ProLiant XL450 Gen10 Server, HPE ProLiant DL385 Gen10 Server, HPE Apollo 6000 DLC System, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant ML310e Gen8 v2 Server, HP ProLiant XL220a Gen8 v2 Server, HPE ProLiant DL160 Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HP ProLiant BL460c Gen9 Server Blade, HPE ProLiant XL230a Gen9 Server, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant DL60 Gen9 Server, HPE ProLiant DL80 Gen9 Server, HPE ProLiant DL160 Gen9 Special Server, HPE ProLiant ML10 v2 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant WS460c Gen9 Workstation, HPE ProLiant DL580 Gen9 Server, HP ProLiant DL580 Gen9 Server, HP ProLiant BL660c Gen9 Server, HPE ProLiant DL560 Gen9 Server, HPE ProLiant XL450 Gen9 Server, HPE ProLiant m710p Server Cartridge

· ProLiant ML10 Gen8 server, ProLiant ML310e Gen8 server, ProLiant Microserver Gen8, ProLiant XL260a Gen9 server, HPE Synergy 620 Gen9 node, HPE Synergy 480 Gen9 node, ProLiant Thin Micro TM200, ProLiant m510 server, ProLiant m300 server, ProLiant m350 server, ProLiant DL160 Gen8, ProLiant DL320e Gen8, ProLiant DL360e Gen8, ProLiant DL360p Gen8, ProLiant DL380e Gen8, ProLiant DL380p Gen8, ProLiant DL560 Gen8, ProLiant DL580 Gen8, ProLiant ML350e Gen8, ProLiant ML350p Gen8, ProLiant SL230s Gen8, ProLiant SL250s Gen8, ProLiant SL270s Gen8, ProLiant BL420c Gen8, ProLiant BL460c Gen8, ProLiant BL660c Gen8, ProLiant SL210t Gen8

· Three BCS Integrity servers using Intel Xeon CPUs: Integrity MC990x, Integrity Superdome X, Superdome Flex. The corresponding SAP HANA solution products are thus also affected: HPE ConvergedSystem 900 for SAP HANA Scale-up configurations (Intel Haswell architecture), HPE Superdome X Scale-up / Scale-out TDI configurations (Intel Haswell architecture), HPE Integrity MC990 X TDI Compute Block with the Intel Xeon E7-88XXv4

· All HPE hyperconverged systems: HC250 and SimpliVity 380: HPE SimpliVity 380 Gen9 Nodes, HPE SimpliVity 380 Gen10 Nodes, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for DELL, SimpliVity OmniStack for Lenovo, HPE Hyper Converged 250 for VMware vSphere, HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard, Hyper Converged 380

· File controller servers: 3PAR StoreServ File Controller v3, StoreVirtual 3000 File Controller

· Non-Stop servers: HPE Integrity Nonstop X CPUs (x86), HPE NonStop System Consoles.

· NAS storage products: StoreEasy 1450, StoreEasy 1550, StoreEasy 1650, StoreEasy 1650E, StoreEasy 1850, StoreEasy 3850.

HPE has confirmed that these products fall within the vulnerability impact scope, but do not pose a security risk:

· Enterprise Storage Products: Nimble Storage, 3PAR StoreServ 7xxx, 3PAR StoreServ 8xxx, 3PAR StoreServ 9xxx, 3PAR StoreServ 10xxx, 3PAR StoreServ 20xxx, 3PAR StoreServ Service Processor DL120 G8, 3PAR StoreServ Service Processor DL320e G8, 3PAR StoreServ Service Processor DL120 G9 v3, 3PAR StoreServ Service Processor DL120 G9 v4, 3PAR StoreServ Service Processor DL360e G8, XP7 Gen1 and Gen2 SVP & MP, StoreOnce 3100, StoreOnce 3520, StoreOnce 3540, StoreOnce 5100, StoreOnce 5500, StoreOnce 6600, StoreOnce 2700 capacity upgrades only, StoreOnce 2900 capacity upgrades only, StoreOnce 4500 capacity upgrades only, StoreOnce 4700 capacity upgrades only, StoreOnce 4900 capacity upgrades only, StoreOnce 6500 capacity upgrades only, StoreOnce D2D2502i, StoreOnce D2D2504i, StoreOnce D2D4106i, StoreOnce D2D4106fc, StoreOnce D2D4112, StoreOnce D2D4312, StoreOnce D2D4324, StoreOnce 2620 iSCSI, StoreOnce 4210 iSCSI, StoreOnce 4220, StoreOnce 4420, StoreOnce 4430, StoreOnce B6200, MSA 1040, MSA 2040, MSA 2042, MSA 1050, MSA 2050, MSA 2052, MSA P2000 G3, StoreVirtual 3200, StoreVirtual 4130, StoreVirtual 4330, StoreVirtual 4330 FC, StoreVirtual 4335, StoreVirtual 4530, StoreVirtual 4730, StoreVirtual 4730 FC, StoreVirtual 4630, XP P9500 SVP & MP, XP24000/20000 & MP

HPE has determined that the following products do not fall within the impact scope of the vulnerability:

· Since the Intel Itanium CPU is not impacted by these vulnerabilities, these servers are not affected: HPE Integrity BL860c, BL870c, BL890c i2, HPE Integrity BL860c, BL870c, BL890c i4, HPE Integrity BL860c, BL870c, BL890c i6, HPE Integrity rx2800 i6, HPE Integrity rx2800 i4, HPE Integrity rx2800 i2, HPE Integrity BL860c, HPE Integrity BL870c, HPE Integrity rx6600/rx3600, HPE Integrity rx2660, HPE 9000 Superdome sx1000/sx2000, HPE Integrity NonStop i CPUs (Itanium), HP Integrity Superdome 2 CB900s i6, i4 & i2 Server

Solution for New H3C's Products

Since details of the microprocessor vulnerabilities were released, New H3C's R&D team has conducted follow-up, analysis and research on the vulnerabilities, and confirmed that they can be effectively fixed by version upgrades. New H3C's R&D team is currently conducting functional and performance laboratory testing of the patched software, and will keep up to date with the latest information on microprocessor security vulnerabilities, providing comprehensive security assurance for New H3C's products.

CAS

For the E0306 series, the latest update version, E0306H19, was published on Jan 15th, 2018.

For the E050X series, the next update version will be published on Jan 29th, 2019. The version number is to be confirmed.

Cloud desktop, Cloud class series products

We will post update versions shortly. Version numbers are to be confirmed.

New H3CloudOS

The newest version will be posted before Mid Jan 2018. The version number is to be confirmed.

Distributed Storage

For New H3C UniStor X10000, the newest update version will be published before Mar 2018. The version number is to be confirmed.

New H3C ONEStor2.0/1.0 Separation Deployment involves the OS; version 2.0, to be published before Mar 2018, will fix the issue. The version number is to be confirmed.

New H3C Server products

For R4900/R390X G2 products, we plan to publish a new BIOS version before Apr 2018.

For R4900/R4700/R2900/R2700 G3 products, we plan to publish a new BIOS version before Apr 2018.

For New H3C Flex server, New H3C UIS G2 server, New H3C Converged Fabric enterprise storage, New H3C Converged Protection enterprise storage and New H3C Flex storage enterprise storage, we plan to publish a new BIOS version before Apr 2018.

Some Business software products (ADCAM, ADCAR, U-Center, AOM, SOC)

We plan to update the CentOS Linux kernel before Mar 2018. The new version number is to be confirmed.

Some NFV products (VBRASSO, VNFM, NFVO, VNF1000 series products)

For VBRASSO and VNFM, docking work has been launched and adaptation to resolve the OS vulnerability is under way. The updated version will be released once this is completed.

For NFVO products we will publish a new version shortly, fixing the vulnerabilities.

For the VNF1000 series (VSR1000/VFW1000/VLB1000/VBRAS1000/VLNS1000), we plan to release a new version before Mar 2018. The version number is to be confirmed.

SDN (vSwitch, SDN Controller and License Server)

For vSwitch and License Server, an OS update is required. The updated version will be released once it is fit for production use.

For VCFC (SDN Controller), we plan to publish a new version before Feb 2018. The version number is to be confirmed.

SDN WAN products (AD-WAN)

These currently run CentOS 6.6 and Ubuntu 14.4.4 LTS, so OS updates are required to resolve the operating system vulnerabilities. Once compatibility matching succeeds, they will be updated to an operating system version that fixes the vulnerabilities.

Big Data software

An OS version is being patched to fix the vulnerabilities, and we plan to release a new version before Mid Feb 2018. The version number is to be confirmed.

Middle and low-end router OAP single board

It depends on the OS. We recommend that customers perform OS updates.

Solution for HPE Products

Please refer to HPE's public updates via the link below:

https://h22208.www2.hpe.com/eginfolib/securityalerts/SCAM/Side_Channel_Analysis_Method.html

Each product currently falls into one of 4 status categories, as below:

1. Fixed

2. Fix Under Investigation

3. Vulnerable - Fix Under Development

4. Not Vulnerable – Product doesn't allow arbitrary code execution

For all impacted HPE products, customers can obtain any HPE-provided solutions from the website above.

For any other concerns, please contact our tech support: +0086 400 810 0504