We’ve recently updated kernel patch and then we ran the vulnerability scan but its showing below message.

We already encaged Redhat but they suggesting us to contact hardware support.

Please check and suggest us

Message :

This script (v1.0) is primarily designed to detect

CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, and CVE-2019-11091

on supported Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Detected CPU vendor: Intel

CPU: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz

CPU model: 45 (0x2d)

Running kernel: 3.10.0-957.21.2.el7.x86_64

Architecture: x86_64

Virtualization: vmware

Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown

* CPU microcode update is not detected

OS details :

[root@XXXXX tmp]# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 7.4 (Maipo)

[root@XXXXX tmp]# uname -a

Linux XXXX 3.10.0-957.21.2.el7.x86_64 #1 SMP Tue May 28 09:26:43 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@fgtd-learn-rhel74-app001 tmp]#

Redhat response :

Hello,

Per your sosreport we see that your processor is listed as:

$ cat /proc/cpuinfo

model name   : Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz

stepping    : 2

Per Intel's website, more information regarding your processor:

https://ark.intel.com/content/www/us/en/ark/products/64584/intel-xeon-processor-e5-2660-20m-cache-2-20-ghz-8-00-gt-s-intel-qpi.html

This is listed as:

Product Collection Intel® Xeon® Processor E5 Family

Code Name Products formerly Sandy Bridge EP 

As per the following KCS Article:

Is CPU microcode available to address MDS (ZombieLoad) CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 via the microcode_ctl package? 

https://access.redhat.com/articles/4138151

Red Hat does not provide microcode for this CPU Model + stepping combination. While the article does list multiple E5-2660 models and Sandy Bridge, none of them correlate with the stepping or architecture that matches. You may need to obtain a microcode update from Intel for this processor.

Just a note: I did check your microcode_ctl package to verify it is up to date, unfortunately as previously mentioned, our microcode_ctl package does not cover your CPU.

Generally Red Hat provides microcode on a best effort basis. While the following CVE does not pertain to this case, the information regarding Red Hat's microcode still applies:

Is CPU microcode available to address CVE-2017-5715 via the microcode_ctl package?

https://access.redhat.com/articles/3436091

The relevant information in the article is as follows:

"Historically, Red Hat has provided updated microcode, developed by our microprocessor partners, as a customer convenience. Red Hat temporarily suspended this practice in January 2018 while microcode stabilized.

Red Hat is once again providing an updated Intel microcode package, microcode_ctl, and AMD microcode package, linux-firmware, to customers in order to simplify deployment processes and minimize downtime.

Red Hat will continue to update these microcode packages as necessary. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended, as additional improvements may be available."

As microcode is provided as a convenience, unfortunately there are no ETAs on if/when we will receive microcode for your specific processor. This is yet another reason why we suggest checking with your vendor for updated microcode. Although we may package microcode, it can also be outdated by what the vendor may have available.

Please let me know if you have any additional questions or concerns regarding anything stated here.