Oracle Cloud Security Response to Intel Microarchitectural Data Sampling (MDS) Vulnerabilities
Intel disclosed four speculative execution side-channel processor vulnerabilities affecting Intel processors. These vulnerabilities have received the following CVE identifiers:
CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)
For more information, see https://blogs.oracle.com/security/intelmds.
Oracle Cloud Infrastructure
Oracle has deployed technical mitigations across Oracle Cloud Infrastructure systems designed to prevent a malicious attacker’s virtual machine (VM) instance from accessing data from other VM instances.
However, if you manage your own operating systems (OS), you are advised to keep up with OS security patches to address this vulnerability.
The following sections contain the details of mitigations and actions.
Oracle Cloud Infrastructure Compute
For details and required actions related to the Compute service's VM and bare metal instances, see Oracle Cloud Infrastructure Customer Advisory for MDS Impact on the Compute Service.
Oracle Cloud Infrastructure Database
If you use Autonomous Data Warehouse and Autonomous Transaction Processing, you have no further action to take.
For details and required actions related to offerings for VM DB systems, bare metal DB systems, and Exadata DB systems, see Oracle Cloud Infrastructure Customer Advisory for MDS Impact on the Database Service.
Oracle Cloud Infrastructure Container Engine for Kubernetes
To help secure your existing worker nodes for the Oracle Cloud Infrastructure Container Engine for Kubernetes, Oracle recommends replacing your current node pools with new node pools. Follow the instructions described in Upgrading the Kubernetes Version on Worker Nodes in a Cluster. All worker nodes created or upgraded after May 14, 2019 are not impacted by this security issue.
Other Oracle Cloud Infrastructure Services
Technical mitigations designed to protect all other Oracle Cloud Infrastructure services against the MDS processor vulnerabilities have been deployed. Oracle notified customers if other maintenance activities were required.
Oracle Cloud Infrastructure Classic and Oracle Platform Service on Oracle Cloud Infrastructure Classic
For more information see Oracle Cloud Infrastructure Classic.
In response to the MDS processor vulnerabilities, Oracle is performing mandatory maintenance for Infrastructure and Platform Services on Oracle Cloud Infrastructure Classic.
Platform Service hosts managed by Oracle are being patched by Oracle. If you manage your own operating systems, you are advised to keep up with the appropriate OS security patches to address these vulnerabilities.