Microarchitectural Data Sampling Uncacheable Memory (MDSUM) CVE-2019-11091

2019-05-16T01:42:00
ID F5:K34303485
Type f5
Reporter f5
Modified 2019-06-19T00:12:00

Description

F5 Product Development is evaluating this vulnerability. F5 Product Development has assigned ID 784689 (BIG-IP), ID 786105 (BIG-IQ), ID 787417 (F5 iWorkflow), ID 787401 (Enterprise Manager), and JIRA IDs CPF-25088 and CPF-25089 (Traffix) to this vulnerability.

To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding Security Advisory versioning.

Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature
---|---|---|---|---|---|---
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 15.x | 15.0.0 | None2 | Low | 3.8 | Intel CPU / Linux Kernel on the following platforms:

  • BIG-IP 10xx0 series
  • BIG-IP 12xx0 series
  • VIPRION B2250
  • VIPRION B4400N
  • BIG-IP i2x00 series
  • BIG-IP i4x00 series
  • BIG-IP i5x00 series
  • BIG-IP i7x00 series
  • BIG-IP i10x00 series
  • BIG-IP i11x00 series
  • BIG-IP i15x00 series
    14.x | 14.0.0 - 14.1.0 | None2
    13.x | 13.0.0 - 13.1.1 | None2
    12.x | 12.0.0 - 12.1.4 | None2
    11.x | 11.6.0 - 11.6.4 | None2
    Enterprise Manager | 3.x | 3.1.1 | None | Low | 3.8 | Intel CPU / Linux Kernel on the following platforms:

  • Enterprise Manager 4000
    BIG-IQ Centralized Management | 6.x | 6.0.0 - 6.1.0 | None | Low | 3.8 | Intel CPU / Linux Kernel on the following platforms:

  • BIG-IQ 7000
    5.x | 5.0.0 - 5.4.0 | None
    F5 iWorkflow | 2.x | 2.3.0 | None | Low | 3.8 | Intel CPU (see affected CPUs)
    Linux Kernel
    Traffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | 3.8 | Intel CPU (see affected CPUs)
    Linux Kernel

1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

2Updated Microcode has been made available from Intel. F5 does not plan to release an official fix for this issue that is based on Intel's microcode updates. The rationale for this decision is based on significant performance degradation seen when enabling Intel's microcode fixes in our platforms. During testing of the microcode fix, F5 has observed from 10% to over 50% performance degradation for many workloads.

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Fixes introduced in column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

The MDS vulnerabilities require that an attacker can provide and run binary code on the BIG-IP platform. Only users with Administrator, Resource Administrator, Manager, and iRules Manager privileges are able to exploit the MDS vulnerability. F5 recommends that you restrict these roles to trusted users.

Exploiting this vulnerability requires two processes to share the same L1 and L2 cache. To prevent exploitation of this vulnerability between guests in a multi-tenant vCMP environment, ensure that each guest is allocated a minimum of two cores.

To completely mitigate MDS requires an Intel microcode update and associated Linux kernel patches. If a kernel and microcode update is unavailable, the only way to completely mitigate the MDS vulnerability is to disable SMT. This action will cause performance degradation in most workloads. F5 recommends customers evaluate if mitigation is required in their environment, taking into account the performance impact. Currently, F5 is working on an integration strategy for full mitigation by conducting an extensive test campaign to characterize the impact of the fixes on system performance and stability, and understanding potential issues. F5 will update this article with details of the fixes as they become available.

Mitigation is not required if user space applications are from a trusted source and do not execute untrusted code that is supplied externally.