Security vulnerability: Microarchitectural Data Sampling (MDS) aka CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
This document (7023736) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
- Microarchitectural Store Buffer Data Sampling (MSBDS) aka Fallout Attack - CVE-2018-12126
- Microarchitectural Fill Buffer Data Sampling (MFBDS) aka ZombieLoad Attack - CVE-2018-12130
- Microarchitectural Load Port Data Sampling (MLPDS) aka RIDL - CVE-2018-12127
- Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVE-2019-11091
- The Intel CPU instruction called "VERW" is enhanced by the new CPU Microcode such that it flushes all buffers and ports. The VERW instruction will be called during task switch or VM switch by the patched kernels and hypervisors.
- Disabling Hyper Threading to avoid cross CPU thread information leakage. (Note: This is recommended in high security scenarios.)
- mds=off
  The mitigation is fully disabled.
- mds=full
  Enables the mitigation on vulnerable CPUs. (Note: This is the SUSE default if the option is not given.)
- mds=full,nosmt
  Enables the mitigations on vulnerable CPUs, and also disables HyperThreading.
- Not affected
  The processor is not affected by these issues.
- Vulnerable
  There is no mitigation enabled for this issue.
- Vulnerable: Clear CPU buffers attempted, no microcode
  No microcode is present that the kernel can use.
- Mitigation: Clear CPU buffers
  The microcode is present and used to clear CPU buffers.
- SMT: vulnerable
  SMT is enabled and the CPU is affected by the Load Port and Fill Buffer issues.
- SMT: disabled
  SMT is disabled and so not affected by cross thread information leakage.
- SMT Host state unknown
  Kernel runs in a VM, and the Host SMT state is unknown.
- SMT: mitigated
  This will be displayed if the CPU is only affected by the Store Buffer issue (CVE-2018-12126), and the mitigation is enabled.
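An added example (not part of the SUSE document): a shell function that interprets the status values listed above and turns them into an OK/WARN/FAIL verdict for a host audit. It assumes the kernel reports the status in /sys/devices/system/cpu/vulnerabilities/mds in the form "<mitigation state>; <SMT state>"; the function name and exit codes are hypothetical.

```shell
#!/bin/sh
# Assumption: the kernel exposes the MDS status at this sysfs path.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_classify STATUS
# Prints a verdict and returns 0 (OK), 1 (WARN) or 2 (FAIL).
mds_classify() {
    status=$1
    # Split "<mitigation state>; <SMT state>"; the SMT part may be absent.
    case $status in
        *';'*) mit=${status%%;*}; smt=${status#*;}; smt=${smt# } ;;
        *)     mit=$status; smt= ;;
    esac
    case $mit in
        'Not affected')
            echo 'OK: CPU not affected'; return 0 ;;
        'Mitigation: Clear CPU buffers')
            ;;  # buffers are cleared; the verdict depends on the SMT state
        'Vulnerable: Clear CPU buffers attempted, no microcode')
            echo 'FAIL: kernel patched but microcode missing'; return 2 ;;
        'Vulnerable'*)
            echo 'FAIL: no mitigation enabled'; return 2 ;;
        *)
            echo "FAIL: unrecognised status: $status"; return 2 ;;
    esac
    # Accept the SMT state with or without the colon after "SMT".
    case $smt in
        'SMT: disabled'|'SMT disabled'|'SMT: mitigated'|'SMT mitigated')
            echo 'OK: buffers cleared, no cross-thread exposure'; return 0 ;;
        'SMT: vulnerable'|'SMT vulnerable')
            echo 'WARN: buffers cleared, SMT still enabled (consider mds=full,nosmt)'
            return 1 ;;
        'SMT Host state unknown')
            echo 'WARN: buffers cleared, host SMT state unknown'; return 1 ;;
        *)
            echo 'WARN: buffers cleared, SMT state not reported'; return 1 ;;
    esac
}

# Report on the running system when the sysfs file exists.
if [ -r "$MDS_SYSFS" ]; then
    mds_classify "$(cat "$MDS_SYSFS")" || true
fi
```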
If the option is not present, the mitigation is enabled by default, depending on whether the CPU model is affected.
- spec-ctrl=mds=yes
  The mitigation is force enabled.
- spec-ctrl=mds=no or spec-ctrl=no-mds
  The mitigation is force disabled.
- smt=off
  The mitigation is force disabled.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7023736
- Creation Date: 21-FEB-19
- Modified Date: 17-MAY-19
- SUSE Linux Enterprise Server