Share this post:
In May 2019, Microarchitectural Data Sampling (MDS) side channel attack variants were disclosed (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091). These security vulnerabilities made public by Intel have the potential to allow an attacker running code on the same physical CPU to read other data being processed by that CPU. There are no known exploits at this time. IBM takes security threats seriously and has deployed measures to protect our clients from exploitation of these vulnerabilities.
Cloud Host Analysis
The reported security vulnerabilities in the Intel microprocessor may alter the risk profile of using hyperthreads with general compute workloads, with particular impact on virtualized environments.
Cloud Host Mitigations
IBM has applied new microcode from Intel to all impacted servers in the cloud. We also have disabled usage of hyperthreads on all servers that are hosting public virtual servers. Because of the nature of dedicated and private large virtual servers, we have not disabled the usage of hyperthreads on those few servers and are working with the respective customers to determine if they want us to disable them. IBM has the required tooling to disable usage of hyperthreads on demand.
Recommended IBM Cloud Client Action
No client action is necessary for IBM Cloud virtual servers. IBM Cloud has applied mitigations to our VSI cloud hosts worldwide to mitigate the risk to our virtual server clients. While we do not anticipate any issues with the mitigation strategies, we always recommend that clients have a tested backup strategy for IBM Cloud virtual servers. Customers using bare metal systems should follow mitigations recommended by their OS vendor and Intel. IBM has the required tooling to assist customers.
The vulnerabilities do not impact IBM POWER processor architectures or associated microcode. These vulnerabilities are present in many microprocessors, such as processors used by IBM Storage Appliances and IBM Storage Spectrum software running on servers, including IBM Elastic Storage Server systems. To exploit any of these vulnerabilities, an attacker must be able to run malicious code on an affected system. IBM Storage Appliances are not believed to be significantly impacted by these vulnerabilities because, unlike general purpose computing systems, they are closed systems and are designed to prevent users from loading or executing code other than code provided by IBM.
No actions are required concerning IBM POWER processor architectures and associated microcode. IBM Systems will provide patches for any Intel based or supported infrastructure, as required. Should any patches be required they will be made available via our normal customer portals. Per our business as usual process, all information for IBM Z clients can be found at the IBM Z Security Portal. While IBM Storage Appliances are not believed to be significantly impacted — out of an abundance of caution — IBM is evaluating firmware updates provided by server and OS vendors. IBM Storage Spectrum software running on x86 servers must follow the guidelines established by server and OS vendors.
Recommended Systems Customer Action
IBM Storage Spectrum software products can be deployed on customer-provided infrastructure and IBM recommends that all customers apply patches from their supply chain as soon as those become available.
GBS and GTS are assessing infrastructure used to deliver service to clients and will apply patches and remediation efforts as information is available from the various vendors.