Company Update: Meltdown and Spectre Vulnerabilities

Cloudhelix is aware of potential security exposures with certain Intel CPU components, which have been named the ‘Meltdown’ and ‘Spectre’ vulnerabilities.

The Meltdown vulnerabilities (Common Vulnerabilities and Exposures references CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715) are related to speculative execution mechanisms supported by many modern processors. During code prediction, a CPU could move data from one memory location to another and under certain conditions pieces of this data could be observed by an exploit.


At this moment, Intel is not aware of any malware that is using these exploits.

Cloudhelix advises its clients to be responsible with software installs during this time in order to reduce the risk presented by Meltdown. As standard, Cloudhelix deploys good practice and mitigation in order to reduce potential threats.

For ESXi hosts on Cloudhelix’s multi-tenanted platform, VMware have published an update which Cloudhelix have applied. HP have published a BIOS update which has also been applied to these hosts. Customers with dedicated hardware platforms have been contacted individually by their service management team to arrange a time to apply the above patches.

To mitigate the Meltdown vulnerabilities, Microsoft, Apple and Linux kernel vendors will provide patches for their operating systems via their normal update cycle. For customers subscribing to a managed service from Cloudhelix, these patches will be applied by Cloudhelix in the customer’s defined patching window and an automated ticket opened to confirm when work is complete.

| OS TYPE | REMEDIATION METHOD |
| --- | --- |
| Windows Server 2016 | Install the following KB: 4056890 |
| Windows Server 2012 R2 | Install the following KB: 4056898 |
| Windows Server 2008 R2 | Install the following KB: 4056897 |
| Windows Server 2008 | Install the following KB: Not available |
| RHEL/CentOS 7.x | Apply all Important security updates including: kernel-3.10.0-693.11.6.el7 |
| RHEL/CentOS 6.x | Apply all Important security updates including: kernel-2.6.32-696.18.7.el6 |
| Ubuntu | Check for latest update at the following link: https://goo.gl/1THtZx |
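To confirm that a RHEL/CentOS host is actually running one of the fixed kernels listed above, and not merely has it installed pending a reboot, the running release can be compared against those versions. This is an added example, not Cloudhelix or vendor tooling; the function name `meltdown_kernel_status` is hypothetical and the script assumes GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example. Minimum fixed kernels, copied from the remediation list above.
FIXED_EL7="3.10.0-693.11.6.el7"
FIXED_EL6="2.6.32-696.18.7.el6"

# meltdown_kernel_status RELEASE
#   RELEASE is a `uname -r` style string, e.g. 3.10.0-693.11.6.el7.x86_64
#   Prints: patched    - release is at or above the fixed kernel
#           vulnerable - release is older than the fixed kernel
#           unknown    - not an el6/el7 kernel, so the list above does not apply
meltdown_kernel_status() {
    rel=$1
    case $rel in
        *.el7*) fixed=$FIXED_EL7 ;;
        *.el6*) fixed=$FIXED_EL6 ;;
        *) echo unknown; return 0 ;;
    esac

    # Drop ".elN" and everything after it (dist tag, architecture) so that
    # only the numeric version-release part is compared.
    have=${rel%%.el[67]*}
    need=${fixed%%.el[67]*}

    # sort -V orders version strings numerically per component
    # (693.5.2 sorts before 693.11.6, which a plain string sort gets wrong).
    lowest=$(printf '%s\n%s\n' "$have" "$need" | sort -V | head -n 1)

    if [ "$lowest" = "$need" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Report on the kernel that is running now. An installed-but-not-booted
# update still shows as vulnerable here until the host is rebooted.
echo "$(uname -r): $(meltdown_kernel_status "$(uname -r)")"
```
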

For the Spectre vulnerability, software updates to patch particular flows are possible, though not yet available. The vulnerability is caused by the way microprocessors function, which means there’s no solution to patch the exploit without redesigning the operating system and microprocessor itself.

If customers have specific questions or concerns, please email support@cloudhelix.io where the team will be able to answer specific queries.

There is also a page on the Intel website with frequently asked questions and additional info on the vulnerabilities, as well as an announcement listing all CPUs known to be affected.

Posted in Company announcement on Jan 08, 2018