Wind River Support Network

HomeSafety and Security NoticesWind River Security Vulnerability Notice: several CVEs released by Intel Product Security Center in November 12, 2019

Wind River Security Vulnerability Notice: several CVEs released by Intel Product Security Center in November 12, 2019

Released: --


Wind River Security Vulnerability Notice: several CVEs on Intel products may effect on Wind River Linux

Affected Product Versions

Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 5, Wind River Linux 6, Wind River Linux 7, Wind River Linux 8, Wind River Linux 4


In November 12, 2019, Intel Product Security Center released several CVEs, some of them may effect on system runing WRLinux. All of them can be access from the entrence of Intel Product Security Center:

Note: Press the "Show more" button just under the table , or you can only see the top four of them.

CVE-2019-11135 and CVE-2018-12207, related to Intel CPU.

CVE-2019-0140, CVE-2019-0145, CVE-2019-0139, CVE-2019-0143, CVE-2019-0144, CVE-2019-0146, CVE-2019-0147, CVE-2019-0148, CVE-2019-0149, CVE-2019-0150, related to Intel Ethernet 700 Series Controller.

CVE-2019-0154 and CVE-2019-0155, related to Intel processor graphics.

CVE-2018-12207: Intel Processor Machine Check Error Advisory

CVE-2019-11135: Intel TSX Asynchronous Abort (TAA)

Affected Windriver Linux releases:

All releases including Wind River Linux LTS 19, Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8, Wind River Linux 7

Affected software components:

Linux kernel.

Affected hardware:

Almost all Intel CPUs, different CVE issues related to different CPU, for details, plese refer to related webpag: CVE-2019-11135, CVE-2019-11139, CVE-2019-0154, CVE-2019-0155.

Intel Ethernet 700 Series Controller.


For CPU related issue, upgrade CPU microcode once available.

For NIC controller issue, use newest driver and upgrade the newest firmware.


  • For these two CVEs related to Intel CPU, if your CPU not been listed in these two web pages, please just ignore them: CVE-2019-11135, CVE-2019-11139
  • For the microcode upgrading, to make a full mitigation, the new microcode should be upgraded through BIOS. So please contact your BIOS vendor for it.
  • For these NIC related CVEs, they only effect on Intel Ethernet 700 Series Controller, in linux it called "i40e", if you have no such NIC device, just ignore them.

Additional References

Microcode of Intel CPU: Binary file of microcode for Intel CPUs.

NVM Update Utility for Intel® Ethernet Adapters 700 Series : NIC firmware and tools used to upgrade it.

Intel Ethernet Adapter Complete Driver Pack: software driver, including Intel Ethernet 700 Series Controller.

We are porting all necessary kernel patches on all our supporting releases, at the same time, fetching and upgrading the microcode recipe. We will continue to update this web page and once we have any progress you can get it here.

For any questions or requirements, please contact your local WR support team, or mail to directly.


  • 12/11/2019: Add CVE-2019-0154 and CVE-2019-0155.
  • 11/25/2019: Add CVE-2018-12207 and CVE-2019-11135.
  • 11/18/2019: Add method to download newest firmware and related tools for Intel Ethernet Network Adapter 700 Series.
  • 11/15/2019: Add LTS-1019; Add method to build newest I40E driver for all supported WRL releases execpt WRL8.
  • 11/14/2019: Based on Intel's document, CVE-2019-0142 only effects on Windows, so remove it.
  • 11/13/2019: Initial

Installation Notes

Steps to build NIC driver : i40e

For all supported releases except WRL8:

1) Download the newest driver package from Intel:

There are some older versions like 24_2, 24.1 may also fixed those CVEs but now, we only tried v-24.3, the newest version. The version of i40e in 24.3 is 2.10.19.

2) Get the source code from

$ mkdir /PATCH_1

$ cp /PATCH_1

$ cd /PATCH_1

$ md5sum


$ unzip


$ md5sum PRO40GB/Linux/i40e-

9af74c805302b85ed92b68fd41b18e3e PRO40GB/Linux/i40e-

$ cp PRO40GB/Linux/i40e- /PATH_2_BUILD_DRIVER
$ tar zxvf i40e-
Now you get the source code of newest i40e driver in "/PATH_2_BUILD_DRIVER/i40e-".

3) Prepare build envirnonment


$ . oe-init-build-env

# suppose your kernel is linux-yocto.

$ bitbake linux-yocto -c devshell

BTW: For WRL9 and earlier release, the command line should be:

$ make bbs

$ bitbake linux-windriver -c devshell

4) Build I40E driver

$ make menuconfig

Set CONFIG_I40E=n manually.

$ make CONFIG_I40E=m M=/PATH_2_BUILD_DRIVER/i40e- modules

Now you get the kene module /PATH_2_BUILD_DRIVER/i40e- .

Steps to upgrade firmware for Intel Ethernet 700 Series Controller

The package fits for Linux, Windows and some other OS environment

1) Download the newest Non-Volatile Memory (NVM) Update Utility package from Intel:

In this web page, you can get the newest package:

This package can be used to upgrade the firmware on Linux, Windows, EFI, VMware ESX and FreeBDS.

$ md5sum


2) Unpackage it and choose the one fit for you, for Linux:

$ unzip



inflating: 700Series_NVMUpdatePackage_v7_10_ESX.tar.gz

inflating: 700Series_NVMUpdatePackage_v7_10_FreeBSD.tar.gz

inflating: 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz

inflating: 700Series_NVMUpdatePackage_v7_10_Windows.exe

# here the xxx_Linux.tar.gz is the one for Linux.
$ md5sum 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz
a8a2ae2e0e4e1739efe146cbfae3a163 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz
$ tar zxvf 700Series_NVMUpdatePackage_v7_10_Linux.tar.gz
$ cd 700Series/Linux_x64
$md5sum nvmupdate64e
d86729bc0fb93d6805693346c85e11a2 nvmupdate64e
$file nvmupdate64e
nvmupdate64e: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.18, BuildID[sha1]=52521145cf59b6bdb075a01e498786d521edd4c2, stripped
$ ./nvmupdate64e

Binary file "nvmupdate64e" above is the very tool used to upgrade the NIC firmware. It is only fit for x86-64 enveironment. For more detailed method to upgrade the firmware, plese refer to the "readme.txt" in the same directory as "nvmupdate64e".

BTW: Beside the "700Series_NVMUpdatePackage_v7_10_Linux.tar.gz", there are several other tar.gz packages, for example "700Series_NVMUpdatePackage_v7_10_Windows.exe" is used for Windows environment.

Live chat