H3C Technical Solution Bulletin for Microprocessor Security Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) for Hong Kong, China

Release time: OCT 8, 2018

Background

Microprocessor manufacturers have recently revealed the existence of some serious security vulnerabilities resulting from an underlying design flaw, which can impact all mainstream microprocessor products. The vulnerabilities are known as Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).

Impact

These vulnerabilities can potentially lead to disclosure of information and privilege escalation.

H3C's Products

H3C's R&D team investigated H3C products immediately after public disclosure of the vulnerabilities.

We determined that the products below fall within the impact scope:

· CAS

· Cloud desktop, Cloud class series products

· H3CloudOS

· Distributed Storage

· H3C Server products

· Some Business software products (ADCAM, ADCAR, U-Center, AOM, SOC)

· Some NFV products (VBRASSO, VNFM, NFVO, VNF1000 series products)

· SDN (vSwitch, SDN Controller and License Server)

· SDN WAN products (AD-WAN)

· Big Data software

· Middle and low-end router OAP single board

· VCX (End of support on Dec 2017)

We have confirmed that the products below are not impacted:

A. The Comware-based platform products below are not impacted:

· Park core switch products

· Data center switch products

· Park access switches

· Security products

· Wireless products

· High-end routers

· Middle and low end router products

· Core router products

· VNF2000 series products (VSR/VBRAS/vFW/vLB/vAC/vLNS)

B. The Non-Comware-based products below are not impacted:

· Some business software products (IMC, ADDC)

· Intelligent Terminals

C. Comware platform software:

· ComwareV5 kernels are not affected by these vulnerabilities.

· Products running the ComwareV7 platform are not affected by these vulnerabilities.

HPE Products

HPE has confirmed that the following products are affected:

· HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE Synergy 480 Gen9 Compute Module, HPE Synergy 660 Gen9 Compute Module, HPE ProLiant m710x Server Cartridge, HPE ProLiant XL270d Gen9 Special Server, HPE ProLiant MicroServer Gen10, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE Synergy 660 Gen10 Compute Module, HPE Synergy 480 Gen10 Configure-to-order Compute Module, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant XL170r Gen10 Server, HPE ProLiant XL190r Gen10 Server, HPE Apollo 2000 System, HPE ProLiant DL120 Gen10 Server, HPE ProLiant DL160 Gen10 Server, HPE ProLiant DL180 Gen10 Server, HPE ProLiant DL580 Gen10 Server, HPE ProLiant ML110 Gen10 Server, HPE ProLiant ML350 Gen10 Server, HPE Apollo 4510 System, HPE ProLiant XL450 Gen10 Server, HPE ProLiant DL385 Gen10 Server, HPE Apollo 6000 DLC System, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant ML310e Gen8 v2 Server, HP ProLiant XL220a Gen8 v2 Server, HPE ProLiant DL160 Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HP ProLiant BL460c Gen9 Server Blade, HPE ProLiant XL230a Gen9 Server, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant DL60 Gen9 Server, HPE ProLiant DL80 Gen9 Server, HPE ProLiant DL160 Gen9 Special Server, HPE ProLiant ML10 v2 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant WS460c Gen9 Workstation, HPE ProLiant DL580 Gen9 Server, HP ProLiant DL580 Gen9 Server, HP ProLiant BL660c Gen9 Server, HPE ProLiant DL560 Gen9 Server, HPE ProLiant XL450 Gen9 Server, HPE ProLiant m710p Server Cartridge

· ProLiant ML10 Gen8 server, ProLiant ML310e Gen8 server, ProLiant Microserver Gen8, ProLiant XL260a Gen9 server, HPE Synergy 620 Gen9 node, HPE Synergy 480 Gen9 node, ProLiant Thin Micro TM200, ProLiant m510 server, ProLiant m300 server, ProLiant m350 server, ProLiant DL160 Gen8, ProLiant DL320e Gen8, ProLiant DL360e Gen8, ProLiant DL360p Gen8, ProLiant DL380e Gen8, ProLiant DL380p Gen8, ProLiant DL560 Gen8, ProLiant DL580 Gen8, ProLiant ML350e Gen8, ProLiant ML350p Gen8, ProLiant SL230s Gen8, ProLiant SL250s Gen8, ProLiant SL270s Gen8, ProLiant BL420c Gen8, ProLiant BL460c Gen8, ProLiant BL660c Gen8, ProLiant SL210t Gen8

· Three BCS Integrity servers using Intel Xeon CPUs: Integrity MC990x, Integrity Superdome X, Superdome Flex. The corresponding SAP HANA solution products are thus also affected: HPE ConvergedSystem 900 for SAP HANA Scale-up configurations (Intel Haswell architecture), HPE Superdome X Scale-up / Scale-out TDI configurations (Intel Haswell architecture), HPE Integrity MC990 X TDI Compute Block with the Intel Xeon E7-88XXv4

· All HPE hyperconverged systems: HC250 and SimpliVity 380: HPE SimpliVity 380 Gen9 Nodes, HPE SimpliVity 380 Gen10 Nodes, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for DELL, SimpliVity OmniStack for Lenovo, HPE Hyper Converged 250 for VMware vSphere, HPE Hyper Converged 250 for Microsoft Cloud Platform System Standard, Hyper Converged 380

· File controller servers: 3PAR StoreServ File Controller v3, StoreVirtual 3000 File Controller

· Non-Stop servers: HPE Integrity Nonstop X CPUs (x86), HPE NonStop System Consoles, HPE Integrity Nonstop X CPUs (x86), HPE Integrity Nonstop X CPUs (x86).

· NAS storage products: StoreEasy 1450, StoreEasy 1550, StoreEasy 1650, StoreEasy 1650E, StoreEasy 1850, StoreEasy 3850.

HPE has confirmed that these products fall within the vulnerability impact scope, but do not pose a security risk:

· Enterprise Storage Products: Nimble Storage, 3PAR StoreServ 7xxx, 3PAR StoreServ 8xxx, 3PAR StoreServ 9xxx, 3PAR StoreServ 10xxx, 3PAR StoreServ 20xxx, 3PAR StoreServ Service Processor DL120 G8, 3PAR StoreServ Service Processor DL320e G8, 3PAR StoreServ Service Processor DL120 G9 v3, 3PAR StoreServ Service Processor DL120 G9 v4, 3PAR StoreServ Service Processor DL360e G8, XP7 Gen1 and Gen2 SVP & MP, StoreOnce 3100, StoreOnce 3520, StoreOnce 3540, StoreOnce 5100, StoreOnce 5500, StoreOnce 6600, StoreOnce 2700 capacity upgrades only, StoreOnce 2900 capacity upgrades only, StoreOnce 4500 capacity upgrades only, StoreOnce 4700 capacity upgrades only, StoreOnce 4900 capacity upgrades only, StoreOnce 6500 capacity upgrades only, StoreOnce D2D2502i, StoreOnce D2D2504i, StoreOnce D2D4106i, StoreOnce D2D4106fc, StoreOnce D2D4112, StoreOnce D2D4312, StoreOnce D2D4324, StoreOnce 2620 iSCSI, StoreOnce 4210 iSCSI, StoreOnce 4220, StoreOnce 4420, StoreOnce 4430, StoreOnce B6200, MSA 1040, MSA 2040, MSA 2042, MSA 1050, MSA 2050, MSA 2052, MSA P2000 G3, StoreVirtual 3200, StoreVirtual 4130, StoreVirtual 4330, StoreVirtual 4330 FC, StoreVirtual 4335, StoreVirtual 4530, StoreVirtual 4730, StoreVirtual 4730 FC, StoreVirtual 4630, XP P9500 SVP & MP, XP24000/20000 & MP

HPE has determined that the following products do not fall within the impact scope of the vulnerability:

· Since the Intel Itanium CPU is not impacted by these vulnerabilities, these servers are not affected: HPE Integrity BL860c, BL870c, BL890c i2, HPE Integrity BL860c, BL870c, BL890c i4, HPE Integrity BL860c, BL870c, BL890c i6, HPE Integrity rx2800 i6, HPE Integrity rx2800 i4, HPE Integrity rx2800 i2, HPE Integrity BL860c, HPE Integrity BL870c, HPE Integrity rx6600/rx3600, HPE Integrity rx2660, HPE 9000 Superdome sx1000/sx2000, HPE Integrity NonStop i CPUs (Itanium), HP Integrity Superdome 2 CB900s i6, i4 & i2 Server

Solution for H3C's Products

| Product Name | Affected Version | Resolved Product and Version |
| --- | --- | --- |
| 12500 (V7) | All | TBC Before Oct 29, 2018 |
| 10500(V7)_R71xx | All | TBC Before Oct 29, 2018 |
| 6125XLG Blade Switch | All | TBC Before Sep 30, 2018 |
| 5900/5920(V7) | All | TBC Before Sep 30, 2018 |
| MSR1000/2000/3000/4000(V7) | All | TBC |
| VSR | All | TBC |
| 7900 | All | Upgrade to R2712 |
| 5130EI | All | Upgrade to R3208P08 |
| 5700(V7) | All | TBC Before Sep 30, 2018 |
| 5930(V7) | All | TBC Before Sep 30, 2018 |
| HSR6600/HSR6800 | All | TBC |
| 6127XLG Blade Switch | All | TBC Before Sep 30, 2018 |
| 1950 | All | TBC |
| 7500(V7)_R71xx | All | TBC |
| 5130HI | All | TBC |
| 5510HI | All | TBC |
| Moonshot | All | TBC Before Sep 30, 2018 |
| 5940 | All | TBC Before Oct 31, 2018 |
| 5950 | All | TBC |
| 12900E | All | Upgrade to R2712 |
| MSR95X/MSR1000/2000/3000/4000(V7) | All | TBC |
| 10500(V7)_R75xx | All | TBC |
| 7500(V7)_R75xx | All | TBC |
| M9K (Only domestic) | All | TBC |
| F10X0 (Only domestic) | All | TBC |
| F50X0 (Only domestic) | All | TBC |
| L1K (Only domestic) | All | TBC |
| L5K (Only domestic) | All | TBC |
| T1K (Only domestic) | All | TBC |
| T5K (Only domestic) | All | TBC |
| BladeADE (Only domestic) | All | TBC |
| Blade NGFW (Only domestic) | All | TBC |
| M9K(B64) (Only domestic) | All | TBC |
| LA3616 (Only domestic) | All | TBC |
| RA10X/100/200 (Only domestic) | All | TBC |
| Wireless AC/AP | All | TBC Before Sep 30, 2018 |
| APOLLO Blade Switch | All | TBC Before Sep 30, 2018 |
| HSR6600/HSR6800 | All | TBC |
| 5980 | All | Upgrade to R2712 |
| CR19000/CR16000-X | All | TBC |
| 5130HI/5510HI | All | TBC |
| iMC PLAT | All | TBC |
| vBRAS (Only domestic) | All | TBC |
| vFW (Only domestic) | All | TBC |
| vLB (Only domestic) | All | TBC |
| vAC (Only domestic) | All | TBC |
| vLNS (Only domestic) | All | TBC |
| NAS Storage - H3C X10000 | All | TBC Before Oct 30, 2018 |
| Block Storage - H3C ONEStor | All | TBC Before Oct 30, 2018 |
| SecPath AFC DDoS Device | All | TBC |
| SecPath Web Monitoring Center | All | TBC |
| H3Cloud CMP | All | TBC |

Since details of the microprocessor vulnerabilities were released, H3C's R&D team has conducted follow-up, analysis and research on the vulnerabilities, and confirmed that they can be effectively fixed by version upgrades. H3C's R&D team is currently conducting functional and performance laboratory testing of the patched software, and will keep up to date with the latest information on microprocessor security vulnerabilities, providing comprehensive security assurance for H3C's products.

CAS

For the E0306 series, the latest update version E0306H19 was published on Jan 15th, 2018.

For the E050X series, the next update version will be published on Jan 29th, 2019, version number to be confirmed.

Cloud desktop, Cloud class series products

We will post update versions shortly, version numbers to be confirmed.

H3CloudOS

The newest version will be posted before Mid Jan 2018. The version number is to be confirmed.

Distributed Storage

For H3C UniStor X10000, the newest update version will be published before Mar 2018. Version number is to be confirmed.

H3C ONEStor 2.0/1.0 Separation Deployment involves the OS; version 2.0, to be published before Mar 2018, will fix the issue. Version number is to be confirmed.

H3C Server products

For R4900/R390X G2 products, we plan to publish a new BIOS version before Apr 2018.

For R4900/R4700/R2900/R2700 G3 products, we plan to publish a new BIOS version before Apr 2018.

For H3C Flex server, H3C UIS G2 server, H3C Converged Fabric enterprise storage, H3C Converged Protection enterprise storage and H3C Flex storage enterprise storage, we plan to publish a new BIOS version before Apr 2018.

Some Business software products (ADCAM, ADCAR, U-Center, AOM, SOC)

We plan to update the CentOS Linux kernel before Mar 2018. New version number is to be confirmed.

Some NFV products (VBRASSO, VNFM, NFVO, VNF1000 series products)

For VBRASSO and VNFM, adaptation work to resolve the OS vulnerability has been started. The updated version will be released once it is completed.

For NFVO products we will publish a new version shortly, fixing the vulnerabilities.

For VNF1000 series (VSR1000/VFW1000/VLB1000/VBRAS1000/VLNS1000) we plan to release a new version before Mar 2018. Version number is to be confirmed.

SDN (vSwitch, SDN Controller and License Server)

For vSwitch and License Server, an OS update is required. The updated version will be released once fit for production use.

For VCFC (SDN Controller) we plan to publish a new version before Feb 2018. Version number is to be confirmed.

SDN WAN products (AD-WAN)

These currently have CentOS 6.6 and Ubuntu 14.4.4 LTS installed, so OS updates are required to resolve the operating system vulnerabilities. Once compatibility with the updated OS has been verified, they will be updated to an operating system version that fixes the vulnerability.

Big Data software

An OS version is being patched to fix vulnerabilities, and we plan to release a new version before Mid Feb 2018. Version number is to be confirmed.

Middle and low-end router OAP single board

It depends on the OS. We recommend that customers perform OS updates.

Solution for HPE Products

Please refer to HPE's public updates via the link below:

https://h22208.www2.hpe.com/eginfolib/securityalerts/SCAM/Side_Channel_Analysis_Method.html

The current situation falls into 4 status categories, as below:

1. Fixed

2. Fix Under Investigation

3. Vulnerable - Fix Under Development

4. Not Vulnerable – Product doesn't allow arbitrary code execution

For all impacted HPE products, customers can obtain any HPE-provided solutions from the website above.

For any other concerns please contact our tech support: +0086 400 810 0504