Stratus® Product Alert from SolutionsPT
31 October 2018
Lisa Holmes

In relation to ftServer - Security Vulnerabilities known as "Meltdown" and "Spectre"

Summary:

This Alert 3193 has been updated to focus only on the Stratus AUL and its association to the Meltdown/Spectre vulnerabilities and the KB patches. The previous 3193 alert information and history is attached for reference.

This alert will talk specifically about Stratus AUL related to the KB fixes.

Note: This alert currently only pertains to the following CVEs:

  • Variant 1: bounds check bypass CVE-2017-5753 aka Spectre
  • Variant 2: branch target injection CVE-2017-5715 aka Spectre
  • Variant 3: rogue data cache load CVE-2017-5754 aka Meltdown

Major Updates Made in Revision 56 of this alert dated 19th September:

ftServer Sites running W2K16 OR W2K12 R2 with Hyper-V role enabled are advised not to install Microsoft updates released after 30th July 2018.

Sites running the above configuration should refer to Alert 3234 for additional details.

The product matrix in this alert has been updated to reflect these new restrictions.

Sites Affected:

All ftServer platform Windows customers are affected. However, based on what Microsoft and Intel have provided, the only platforms that have fixes are:

  • ftServer: 6810, 4810, 2810 – (Eng. Code name: Pegasus-B)
  • ftServer: 6800, 4800, 2800 – (Eng. Code name: Pegasus)
  • ftServer: 6410, 4710, 2710 – (Eng. Code name: Cygnus-I)
  • ftServer: 6400, 4700, 2700 – (Eng. Code name: Cygnus)
  • ftServer: 6310 – (Eng. Code name: Draco-W)
  • ftServer: 6300, 4500, 2600 – (Eng. Code name: Draco)

See the Product Matrix for specific details.

Issue:

See the previous 3193 history attachment for documentation about the Meltdown/Spectre vulnerabilities.

Action Required:

Several ftServer platforms required a new ftServer AUL to implement the fixes.

If you want to install, or have already installed, any of the following released by Microsoft after 1st January 2018:

  • Security-only-update OR
  • monthly rollup OR
  • preview of monthly rollup

then your system should either already be running, or would need to be upgraded to, an AUL release that is on the approval list of this Alert 3193.

See the product matrix for the minimum version of the AUL that is required.

Details regarding the periodic release of Security-only-update, monthly rollup and preview of monthly rollup by Microsoft can be viewed at the following URLs. Microsoft hotfixes that are not listed under the following URLs should be safe to install on ftServer without needing to upgrade to the minimum version of the AUL.

Avoidance:

See the previous 3193 history attachment for documentation about the Meltdown/Spectre vulnerabilities and best practices to help avoid potential problems.

If there is a fix for your ftServer platform, moving to the fix is the best option. See the Product Matrix attachment.

Available Fixes:

See attached product matrix for the required Stratus AUL release to work with the fixes based on the ftServer platform and OS version.

The OS changes for variant 2 noted in this alert require a microcode fix in order to take effect. The other variant fixes are part of the OS and do not require the microcode fix. Stratus is waiting on Intel to provide a Stratus version of the microcode. Stratus uses a different microcode than the industry standard version released by Intel because of our lockstep environment, which provides fault tolerance.

Sites running AUL 11.2.x on Windows 2016 with Hyper-V role enabled should refer to Alert 3234.

AUL 7.0 & 7.1 are approved for Meltdown/Spectre for non-Hyper-V systems ONLY.

You must enable the fix after you load the KB update and then reboot.

Hyper-V systems will need a new Stratus AUL. See the product matrix for approved AUL releases.

For AUL 11.2 the KB will get installed for you but you must enable the fix and reboot.

It is recommended to call the Stratus CAC and request the script to enable and disable the fix, to avoid possible typos.

However, if you choose to enable the fix without the script, use the command line statements below to modify the registry keys.

If you need to disable the fix for some reason, see DISABLE FIX below.

ENABLE FIX:

Microsoft requires updating the following registry keys in order to enable the KB fix to work.

If the registry keys are not added the fix is NOT enabled.

The following registry keys need to be applied on both the host and the guest.

To enable the fix use the following command line statements to add entries to the registry.

  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  • reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host, fully shut down all virtual machines. (Once firmware updates are available from Stratus, the firmware update must be applied on the host before a VM starts in order to enable the firmware-related mitigation for that VM.)

Restart the server for changes to take effect.

DISABLE FIX:

If the fix has been enabled and you need to disable it, use the following command line statements to disable the fix in the registry. One reason for disabling the fix is to evaluate the performance impact with the fix enabled versus disabled.

  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
  • reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
  • Restart the server for the changes to take effect.

There is no need to change MinVmVersionForCpuBasedMitigations.
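
A read-only check of the registry values set in the ENABLE FIX and DISABLE FIX sections above, useful for confirming the state on each host and guest after the reboot. This is an added example, not a Stratus, SolutionsPT or Microsoft script, and it does not replace the script available from the Stratus CAC; the function names Get-RegValue and Get-FixState are hypothetical.

```powershell
# Added example: reports the registry state described in this alert.
# Read-only; it changes nothing. Function names are hypothetical.
$mmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-FixState {
    param($Override, $Mask)
    # Per the alert: if the values are not added, the fix is NOT enabled.
    if ($null -eq $Override -or $null -eq $Mask) { return 'NotConfigured' }
    if ($Mask -eq 3 -and $Override -eq 0) { return 'Enabled' }   # ENABLE FIX values
    if ($Mask -eq 3 -and $Override -eq 3) { return 'Disabled' }  # DISABLE FIX values
    return 'Unexpected'  # any other combination is not covered by this alert
}

$override = Get-RegValue $mmKey   'FeatureSettingsOverride'
$mask     = Get-RegValue $mmKey   'FeatureSettingsOverrideMask'
$minVm    = Get-RegValue $virtKey 'MinVmVersionForCpuBasedMitigations'

# Last boot time lets the operator confirm that the required restart
# happened after the values were written.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

[pscustomobject]@{
    Computer                           = $env:COMPUTERNAME
    FixState                           = Get-FixState $override $mask
    FeatureSettingsOverride            = $override
    FeatureSettingsOverrideMask        = $mask
    MinVmVersionForCpuBasedMitigations = $minVm
    MinVmValueMatchesAlert             = ($minVm -eq '1.0')
    LastBootUpTime                     = $lastBoot
}
```

Run it on both the host and each guest, since the alert requires the values on both. A FixState of NotConfigured or Unexpected means the values do not match either set of commands above.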

For More Information Contact:

For any questions, call the SolutionsPT support team on 0161 495 4641 or email support@solutionspt.com

File Attachments:
