Please note that this advisory only applies to Intel Processors. You can find guidance for environments affected by ADV190013 in the Recommendations section of this article. SQL Server does not have any specific security patches for the issue described in ADV190013. Microsoft published ADV190013 - Microsoft Guidance to Mitigate Microarchitectural Data Sampling Vulnerabilities in May 2019. For general guidance to mitigate this class of vulnerability, see Guidance for mitigating speculative execution side-channel vulnerabilities. This includes microcode from device OEMs and, in some cases, updates to antivirus software. For more information about the vulnerabilities, see Microsoft Security Advisory ADV180002. To get all available protections, hardware or firmware and software updates are required. Microsoft continues to work closely together with industry partners, including chip makers, hardware OEMs, and application vendors, to protect customers. Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. See the following sections for more information. We have also taken action to secure our cloud services. Microsoft has released several updates to help mitigate these vulnerabilities. Therefore, we advise customers to seek guidance from those vendors. Note This issue also affects other systems, such as Android, Chrome, iOS, and MacOS. Microsoft is aware of a new publicly disclosed class of vulnerabilities referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems.

As a result 0 should always enable everything, so why setting to 8 or 72? For my meaning the registry value "FeatureSettingsOverrideMask" also should not be 3, because this would only represent 2 bits, but we now have 3 features to disable/enable.
In FAQ "Can you provide more details about the registry values" it is described, that if a bit is set to 0 the related mitigation is enabled. In earlier versions of this article the setting for "FeatureSettingsOverride" was always 0.
Non-AMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
Manage mitigations for CVE-2018-3639 (Speculative Store Bypass), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown):
AMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
In this article there are different settings for FeatureSettingsOverride for AMD and non-AMD processors. It would be very helpful, if Microsoft documents this properly. Please note, that I'm developing security compliance tools and need to report the correct result. That I always rebooted the Server after doing registry changes. As a result it looks like that the patch really fixes nothing without additional registry settings, is this really true? The result without existing registry values are the same as disabled registry settings. I did some check with the mentioned powershell script and saw that the result without existing registry values and enabled registry settings are different. Do I need to set them manually? I couldn't believe that, I expected that the installation does it.
Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
After Installation of patch KB4056898 on a W2K12 R2 Server, both registry values don't exist. Restart the computer for the changes to take effect.
Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
It is described, that 2 registry values need to be set to enable the fix: