Today, Intel disclosed a new set of speculative execution side channel vulnerabilities, collectively referred as “Microarchitectural Data Sampling” (MDS).  These vulnerabilities affect a number of Intel processors and have received four distinct CVE identifiers to reflect how they impact the different microarchitectural structures of the affected Intel processors:

• CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
• CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) 
• CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
• CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)

While vulnerability CVE-2019-11091 has received a CVSS Base Score of 3.8, the other vulnerabilities have all been rated with a CVSS Base Score of 6.5.   As a result of the flaw in the architecture of these processors, an attacker who can execute malicious code locally on an affected system can compromise the confidentiality of data previously handled on the same thread or compromise the confidentiality of data from other hyperthreads on the same processor as the thread where the malicious code executes.  As a result, MDS vulnerabilities are not directly exploitable against servers that do not allow the execution of untrusted code.

These vulnerabilities are collectively referred as Microarchitectural Data Sampling issues (MDS issues) because they refer to issues related to microarchitectural structures of the Intel processors other than the level 1 data cache.  The affected microarchitectural structures in the affected Intel processors are the Data Sampling Uncacheable Memory (uncacheable memory on some microprocessors utilizing speculative execution), the store buffers (temporary buffers to hold store addresses and data), the fill buffers (temporary buffers between CPU caches), and the load ports (temporary buffers used when loading data into registers).  MDS issues are therefore distinct from the previously-disclosed Rogue Data Cache Load (RDCL) and L1 Terminal Fault (L1TF) issues.

Effectively mitigating these MDS vulnerabilities will require updates to Operating Systems and Virtualization software in addition to updated Intel CPU microcode. 

While Oracle has not yet received reports of successful exploitation of these issues “in the wild,” Oracle has worked with Intel and other industry partners to develop technical mitigations against these issues.

In response to these MDS issues:

Oracle Hardware:

• Oracle recommends that administrators of x86-based Systems carefully assess the impact of the MDS flaws for their systems and implement the appropriate security mitigations.  Oracle will provide specific guidance for Oracle Engineered Systems.
• Oracle has determined that Oracle SPARC servers are not affected by these MDS vulnerabilities.

Oracle Operating Systems (Linux and Solaris) and Virtualization:

• Oracle has released security patches for Oracle Linux 7, Oracle Linux 6 and Oracle VM Server for X86 products.  In addition to OS patches, customers should run the current version of the Intel microcode to mitigate these issues. In certain instances, Oracle Linux customers can take advantage of Oracle Ksplice to apply these updates without needing to reboot their systems.
• Oracle has determined that Oracle Solaris on x86 is affected by these vulnerabilities.  Customers should refer to Doc ID 2540522.1 for additional information.
• Oracle has determined that Oracle Solaris on SPARC is not affected by these MDS vulnerabilities.

Oracle Cloud:

• The Oracle Cloud Security and DevOps teams continue to work in collaboration with our industry partners on implementing mitigations for these MDS vulnerabilities that are designed to protect customer instances and data across all Oracle Cloud offerings: Oracle Cloud (IaaS, PaaS, SaaS), Oracle NetSuite, Oracle GBU Cloud Services, Oracle Data Cloud, and Oracle Managed Cloud Services. 
• Oracle will inform Cloud customers using the normal maintenance notification mechanisms about required maintenance activities as additional mitigating controls continue to be implemented in response to the MDS vulnerabilities.
• Oracle has determined that the MDS vulnerabilities will not impact a number of Oracle's cloud services.  They include Autonomous Data Warehouse service, which provides a fully managed database optimized for running data warehouse workloads, and Oracle Autonomous Transaction Processing service, which provides a fully managed database service optimized for running online transaction processing and mixed database workloads.  No further action is required by customers of these services as both were found to require no additional mitigating controls based on service design to prevent the exploitation of the MDS vulnerabilities.  
• Bare metal instances in Oracle Cloud Infrastructure (OCI) Compute offer full control of a physical server and require no additional Oracle code to run.  By design, the bare metal instances are isolated from other customer instances on the OCI network whether they be virtual machines or bare metal.  However, for customers running their own virtualization stack on bare metal instances, the MDS vulnerability could allow a virtual machine to access privileged information from the underlying hypervisor or other VMs on the same bare metal instance.  These customers should review the Intel recommendations about these MDS vulnerabilities and make the recommended changes to their configurations.

As previously anticipated, we continue to expect that new techniques leveraging speculative execution flaws in processors will continue to be disclosed.  These issues are likely to continue to impact primarily operating systems and virtualization platforms and addressing these issues will likely continue to require software update and microcode update.  Oracle therefore recommends that customers remain on current security release levels, including firmware, and applicable microcode updates (delivered as Firmware or OS patches), as well as software upgrades.

For more information:

Oracle Linux customers can refer to the bulletins located at https://linux.oracle.com/cve/CVE-2019-11091.html, https://linux.oracle.com/cve/CVE-2018-12126.html, https://linux.oracle.com/cve/CVE-2018-12130.html, https://linux.oracle.com/cve/CVE-2018-12127.html

For information about the availability of Intel microcode for Oracle hardware, see Intel MDS vulnerabilities (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127: Intel Processor Microcode Availability  (Doc ID 2540621.1)

Oracle Solaris customers should refer to Intel MDS Vulnerabilities (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127): Oracle Solaris Impact (Doc ID 2540522.1)

Oracle Cloud Infrastructure (OCI) customers should refer to https://docs.cloud.oracle.com/iaas/Content/Security/Reference/MDS_response.htm 

Oracle has just released Security Alert CVE-2019-2725.  This Security Alert was released in response to a recently-disclosed vulnerability affecting Oracle WebLogic Server.  This vulnerability affects a number of versions of Oracle WebLogic Server and has received a CVSS Base Score of 9.8.  WebLogic Server customers should refer to the Security Alert Advisory for information on affected versions and how to obtain the required patches. 

Please note that vulnerability CVE-2019-2725 has been associated in press reports with vulnerabilities CVE-2018-2628, CVE-2018-2893, and CVE-2017-10271.  These vulnerabilities were addressed in patches released in previous Critical Patch Update releases.

Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.

For more information:

The Security Alert advisory is located at  https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html 

The October 2017 Critical Patch Update advisory is located at https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html

The April 2018 Critical Patch Update advisory is located at https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

The July 2018 Critical patch Update advisory is located at https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html