Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3

Fixed In:
14.0.0, 13.1.0.4, 13.0.1, 12.1.3.3, 11.6.3.1, 11.5.6

Opened: Feb 20, 2018
Severity: 1-Blocking

Symptoms

Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance. Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Impact

Meltdown/PTI mitigations may negatively impact performance.

Conditions

Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Workaround

Disable CVE-2017-5754 Meltdown/PTI mitigations. To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command: tmsh modify sys db kernel.pti value disable Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled. Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix Information

On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables. Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Behavior Change