Solved

Missing Processor MMIO Stale Data Mitigation on GCP VMs (CVE-2022-21123, CVE-2022-21127, etc.)

  • October 27, 2025
  • 2 replies
  • 63 views

pullubi

Description: We are receiving a high-severity vulnerability finding on our GCP Virtual Machines for Processor MMIO Stale Data (likely related to Spectre/Meltdown variants, e.g., CVE-2022-21123, CVE-2022-21127, CVE-2022-21125, CVE-2022-21166). The vulnerability scanner indicates that the Linux Kernel is missing a necessary mitigation.

Affected Systems:

  • GCP VMs running Linux Kernel 6.14.0-1017-gcp #18~24.04.1-Ubuntu

  • GCP VMs running COS Kernel 6.12.46+ cos-125

Diagnostic Output: The /sys/devices/system/cpu/vulnerabilities/mmio_stale_data file reports: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown

Questions for GCP/Mitigation Confirmation:

  1. Legitimacy: Is this a legitimate, exploitable vulnerability in the GCP environment, or is the finding a false positive due to host-level mitigations managed by GCP?

  2. Mitigation Status: If mitigated at the hypervisor or host level, please provide a formal artifact or documentation that explicitly confirms the mitigation is in place and negates the need for the kernel-level patch on the guest OS. This is required for our security audit.

Best answer by kentphelps (Staff), October 28, 2025

Yes - this is a valid finding (I assume from the VM Manager in SCC) telling you your guest OS is missing a patch. More info is available in the Linux Kernel documentation. You can Ctrl-F for “Vulnerable: Clear CPU buffers attempted, no microcode” to get more information.

For a formal artifact your best bet is the Google Cloud Infrastructure Security Whitepaper and Google Security Overview, which outline how its "defense-in-depth" approach and secure-by-default infrastructure mitigate risks at the hypervisor level.

2 replies


pullubi
  • Author
  • New Member
  • November 4, 2025

I have tried installing the latest intel-microcode for my Ubuntu server and adding the following to my kernel boot flags, then ran `update-grub`, but the findings persist. Any ideas on what I am missing?

GRUB_CMDLINE_LINUX_DEFAULT="quiet console=tty0 console=ttyS0,115200 consoleblank=0 mitigations=auto,nosmt"
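Added example, not code from the thread, from Google or from the kernel documentation it points to: a small shell script that interprets the mmio_stale_data string quoted in the question instead of just reporting it, and reproduces from guest-visible data the test the kernel applies in mmio_select_mitigation() (arch/x86/kernel/cpu/bugs.c) before it prints "Clear CPU buffers attempted, no microcode". That test passes when IA32_ARCH_CAPABILITIES.FB_CLEAR (MSR 0x10a, bit 17) is set, or when the md_clear and flush_l1d CPUID flags are present and MDS_NO (bit 5) is clear. It also extracts the mitigations= value from /proc/cmdline, for checking the GRUB change in the last reply actually reached the running kernel. The function names, the verdict strings and the sample flag lines in the test are my own; the script assumes a Linux x86 guest with /proc/cpuinfo and the vulnerabilities sysfs directory, and the optional ARCH_CAPABILITIES read assumes msr-tools plus root.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Interprets the mmio_stale_data sysfs
# string and reproduces the kernel's microcode check from guest-visible data.
# Assumes Linux x86; rdmsr (msr-tools, root, msr module) is optional.

# Map the sysfs status string to a short verdict (verdict names are mine).
classify_mmio_status() {
    case "$1" in
        "Not affected"*)                                echo "not-affected" ;;
        "Mitigation: Clear CPU buffers"*)               echo "mitigated" ;;
        *"Clear CPU buffers attempted, no microcode"*)  echo "vulnerable-no-microcode" ;;
        "Vulnerable"*)                                  echo "vulnerable" ;;
        "Unknown"*)                                     echo "unknown" ;;
        *)                                              echo "unrecognized" ;;
    esac
}

# Trailing SMT clause. The kernel prints "SMT Host state unknown" whenever the
# hypervisor CPUID bit is set, so a guest-side nosmt does not change that text.
smt_state() {
    case "$1" in
        *"SMT Host state unknown"*) echo "host-unknown" ;;
        *"SMT vulnerable"*)         echo "vulnerable" ;;
        *"SMT disabled"*)           echo "disabled" ;;
        *)                          echo "n/a" ;;
    esac
}

# Exit 0 if FLAG ($2) appears in a space-separated cpuinfo "flags" line ($1).
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The kernel selects the VERW mitigation when FB_CLEAR (bit 17 of
# IA32_ARCH_CAPABILITIES) is set, or when md_clear and flush_l1d are enumerated
# and MDS_NO (bit 5) is clear; anything else yields "attempted, no microcode".
# Args: cpuinfo flags line, ARCH_CAPABILITIES as hex ("" or missing = not read).
microcode_sufficient() {
    local flags="$1" cap="${2:-0}" fb_clear mds_no
    fb_clear=$(( (cap >> 17) & 1 ))
    mds_no=$(( (cap >> 5) & 1 ))
    if [ "$fb_clear" -eq 1 ]; then
        echo "yes (FB_CLEAR)"
    elif has_flag "$flags" md_clear && has_flag "$flags" flush_l1d && [ "$mds_no" -eq 0 ]; then
        echo "yes (MD_CLEAR+FLUSH_L1D)"
    else
        echo "no"
    fi
}

# Value of mitigations= on a kernel command line, or "default" when absent.
mitigations_param() {
    local word
    for word in $1; do
        case "$word" in
            mitigations=*) echo "${word#mitigations=}"; return 0 ;;
        esac
    done
    echo "default"
}

# Live report for the current machine. In a guest, every input here (flags,
# MSR bits, hypervisor bit) is what the hypervisor chose to expose, so a
# microcode package installed inside the guest cannot change them.
live_check() {
    local f=/sys/devices/system/cpu/vulnerabilities/mmio_stale_data status flags cap=""
    [ -r "$f" ] || { echo "no $f on this host"; return 0; }
    status=$(cat "$f")
    flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-)
    # MSR 0x10a is IA32_ARCH_CAPABILITIES; readable only as root with msr-tools.
    if command -v rdmsr >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        cap=$(rdmsr -p0 0x10a 2>/dev/null) && cap="0x$cap"
    fi
    echo "status      : $status"
    echo "verdict     : $(classify_mmio_status "$status"), SMT $(smt_state "$status")"
    echo "hypervisor  : $(has_flag "$flags" hypervisor && echo yes || echo no)"
    echo "md_clear    : $(has_flag "$flags" md_clear && echo yes || echo no)"
    echo "flush_l1d   : $(has_flag "$flags" flush_l1d && echo yes || echo no)"
    echo "arch_cap    : ${cap:-not read}"
    echo "ucode ok    : $(microcode_sufficient "$flags" "$cap")"
    echo "mitigations=: $(mitigations_param "$(cat /proc/cmdline)")"
}

live_check
```

Run it as root on the affected VM to also get the MSR line; without root it still reports the CPUID flags, which is enough to tell whether the "no microcode" verdict is coming from a missing md_clear/flush_l1d pair or from a missing FB_CLEAR bit.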