Oracle has released patches for the latest Spectre CPU flaws and a fix for the Lazy floating-point unit (FPU) state restore issue affecting Intel CPUs.
Oracle’s updates address the Spectre CPU flaws revealed in May, including CVE-2018-3640, also known as Spectre variant 3a, and CVE-2018-3639, Spectre variant 4.
The fix for Spectre variant 4 needs both software and microcode updates, while fixing Spectre variant 3a only requires microcode updates.
Oracle has released software-based patches for Oracle Linux and Oracle VM with Intel’s microcode updates for x86 hardware.
Oracle director of security assurance, Eric Maurice, said the company will release more microcode updates and firmware patches as they become available from Intel.
Oracle has also released updates for Red Hat Compatible Kernel (RHCK) to address CVE-2018-3665, the Lazy FPU issue that affects operating systems and VMs running on x86 microprocessors.
This update can be installed using Oracle’s Ksplice tool for patching Oracle Linux.
Ksplice updates are also available for Oracle Unbreakable Enterprise Kernel Release 4 (UEKR4) on Oracle Linux 6 and Oracle Linux 7, which bring additional, improved fixes for Spectre variant 2 and Spectre variant 3a.
Under the entry “Single Thread Indirect Branch Predictors (STIBP) enable failure”, Oracle notes: “Incorrect masking could prevent the STIBP feature of the IA32_SPEC_CTRL MSR from being set. Guests that used the STIBP feature to mitigate Spectre v2 would not be fully mitigated.”
That update also includes a fix for Spectre variant 3a specific to AMD systems.
“The original vendor fix for CVE-2018-3639 did not expose the mitigation to KVM guests on AMD or correctly handle symmetric multithreading (SMT) systems.
“This update enables the speculative store bypass mitigation full time to protect guests and SMT systems by default on AMD systems and can be manually enabled/disabled by writing 1/0 to /proc/sys/vm/ksplice_ssbd_control. The /proc/sys/vm/ksplice_ssbd_status file reports the current mitigation status,” Oracle notes.
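
A host audit for the two Ksplice files named in Oracle's note, as an added example that is not Oracle's code. It assumes the control file reads back the 1/0 last written; the status file's format is not given in the note, so its contents are printed verbatim. The optional root argument is a hypothetical convenience for checking a copied or constructed tree.

```sh
#!/bin/sh
# Added example: audit the speculative store bypass (SSBD) controls
# described in Oracle's Ksplice note. Read-only; changes nothing.

# Print enabled | disabled | absent | unknown for the Ksplice control file.
ssbd_state() {
    root="${1:-}"
    ctl="$root/proc/sys/vm/ksplice_ssbd_control"
    if [ ! -r "$ctl" ]; then
        echo "absent"      # file not exposed: this kernel lacks the update
        return 0
    fi
    # Assumption: reading the file returns the 1/0 value last written to it.
    val=$(tr -d '[:space:]' < "$ctl")
    case "$val" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Print the control state plus the raw contents of the status files.
# The sysfs path is the mainline kernel's SSB report; it may be missing
# on older kernels, which is reported rather than treated as an error.
ssbd_report() {
    root="${1:-}"
    echo "control: $(ssbd_state "$root")"
    for f in "$root/proc/sys/vm/ksplice_ssbd_status" \
             "$root/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"; do
        if [ -r "$f" ]; then
            echo "${f#"$root"}: $(cat "$f")"
        else
            echo "${f#"$root"}: not present"
        fi
    done
}

# Exit status 0 only when the mitigation is switched on; for use in
# compliance checks, e.g.  ssbd_compliant || echo "SSBD off on $(hostname)"
ssbd_compliant() {
    [ "$(ssbd_state "${1:-}")" = "enabled" ]
}
```

Run `ssbd_report` with no argument on the host itself. An "absent" result means the control file is not exposed by the running kernel, which is distinct from the mitigation having been switched off by writing 0.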