IBM Addresses Reported Intel Security Vulnerabilities

In May 2019, Microarchitectural Data Sampling (MDS) side channel attack variants were disclosed (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091). These security vulnerabilities made public by Intel have the potential to allow an attacker running code on the same physical CPU to read other data being processed by that CPU. There are no known exploits at this time. IBM takes security threats seriously and has deployed measures to protect our clients from exploitation of these vulnerabilities.

Cloud Host Analysis
The reported security vulnerabilities in the Intel microprocessor may alter the risk profile of using hyperthreads with general compute workloads, with particular impact on virtualized environments.

Cloud Host Mitigations
IBM has applied new microcode from Intel to all impacted servers in the cloud. We also have disabled usage of hyperthreads on all servers that are hosting public virtual servers. Because of the nature of dedicated and private large virtual servers, we have not disabled the usage of hyperthreads on those few servers and are working with the respective customers to determine if they want us to disable them. IBM has the required tooling to disable usage of hyperthreads on demand.

Recommended IBM Cloud Client Action
No client action is necessary for IBM Cloud virtual servers. IBM Cloud has applied mitigations to our VSI cloud hosts worldwide to mitigate the risk to our virtual server clients. While we do not anticipate any issues with the mitigation strategies, we always recommend that clients have a tested backup strategy for IBM Cloud virtual servers. Customers using bare metal systems should follow mitigations recommended by their OS vendor and Intel. IBM has the required tooling to assist customers.
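The two mitigations the post describes for cloud hosts, updated microcode with the CPU-buffer-clearing mitigation enabled and hyperthreads (SMT) switched off, are both reported by the Linux kernel through sysfs, which gives bare metal clients a way to confirm that the vendor mitigations are actually in effect. The script below is an added example written for this page; it is not IBM's tooling and not from the original post. It assumes a Linux host exposing the standard sysfs files /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control, and the sample status strings at the bottom are constructed so the logic can be exercised where those files are absent.

```shell
#!/bin/sh
# Added example (not IBM tooling): classify the kernel's MDS mitigation report
# and SMT state, and decide whether a host matches the post's mitigated profile
# (microcode mitigation active, hyperthreads disabled).

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds   # assumed standard Linux path
SMT_SYSFS=/sys/devices/system/cpu/smt/control            # assumed standard Linux path

# classify_mds "<contents of the mds sysfs file>"
# Prints: not-affected | mitigated | mitigated-smt-exposed | unmitigated
# "Vulnerable: Clear CPU buffers attempted, no microcode" means the kernel
# wants to mitigate but the Intel microcode update is missing, so it is
# reported as unmitigated.
classify_mds() {
    case "$1" in
        "Not affected"*)                                         echo not-affected ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)       echo mitigated-smt-exposed ;;
        "Mitigation: Clear CPU buffers"*)                        echo mitigated ;;
        *)                                                       echo unmitigated ;;
    esac
}

# classify_smt "<contents of smt/control>"
# Prints: on | off | unsupported | unknown
classify_smt() {
    case "$1" in
        on)                           echo on ;;
        off|forceoff)                 echo off ;;
        notsupported|notimplemented)  echo unsupported ;;
        *)                            echo unknown ;;
    esac
}

# host_verdict "<mds text>" "<smt text>"
# Returns 0 when the host matches the mitigated profile described in the post
# (not affected, or buffer clearing active with SMT off/unavailable), 1 otherwise.
host_verdict() {
    mds=$(classify_mds "$1")
    smt=$(classify_smt "$2")
    case "$mds:$smt" in
        not-affected:*)                     echo "ok: cpu not affected"; return 0 ;;
        mitigated:off|mitigated:unsupported) echo "ok: mds=$mds smt=$smt"; return 0 ;;
        *)                                  echo "action needed: mds=$mds smt=$smt"; return 1 ;;
    esac
}

# Evaluate the live host when sysfs is present; otherwise evaluate a
# constructed sample so the script still demonstrates the decision logic.
check_live_host() {
    if [ -r "$MDS_SYSFS" ]; then
        smt_state=$(cat "$SMT_SYSFS" 2>/dev/null || echo notsupported)
        host_verdict "$(cat "$MDS_SYSFS")" "$smt_state"
    else
        echo "sysfs not available here; evaluating constructed sample"
        # Constructed sample: microcode mitigation present but hyperthreads still on.
        host_verdict "Mitigation: Clear CPU buffers; SMT vulnerable" "on"
    fi
}

# Entry point; '|| :' keeps a non-zero verdict from aborting under 'set -e'.
check_live_host || :
```

Run it as `sh mds_check.sh` on a bare metal host after applying the OS vendor's kernel and Intel microcode updates; an `action needed` verdict with `smt=on` is the state the post describes resolving on public hosts by disabling hyperthreads, which on most distributions is `echo off > /sys/devices/system/cpu/smt/control` or the equivalent kernel command line option documented by the OS vendor.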

Systems Analysis
The vulnerabilities do not impact IBM POWER processor architectures or associated microcode. These vulnerabilities are present in many microprocessors, such as processors used by IBM Storage Appliances and IBM Storage Spectrum software running on servers, including IBM Elastic Storage Server systems. To exploit any of these vulnerabilities, an attacker must be able to run malicious code on an affected system. IBM Storage Appliances are not believed to be significantly impacted by these vulnerabilities because, unlike general purpose computing systems, they are closed systems and are designed to prevent users from loading or executing code other than code provided by IBM.

Systems Mitigation
No actions are required concerning IBM POWER processor architectures and associated microcode. IBM Systems will provide patches for any Intel based or supported infrastructure, as required. Should any patches be required they will be made available via our normal customer portals. Per our business as usual process, all information for IBM Z clients can be found at the IBM Z Security Portal. While IBM Storage Appliances are not believed to be significantly impacted — out of an abundance of caution — IBM is evaluating firmware updates provided by server and OS vendors. IBM Storage Spectrum software running on x86 servers must follow the guidelines established by server and OS vendors.

Recommended Systems Customer Action
IBM Storage Spectrum software products can be deployed on customer-provided infrastructure and IBM recommends that all customers apply patches from their supply chain as soon as those become available.

GBS and GTS are assessing infrastructure used to deliver service to clients and will apply patches and remediation efforts as information is available from the various vendors.
