Meltdown and Spectre are a group of three vulnerabilities discovered in 2017 and publicly announced January 3, 2018. Each of these vulnerabilities is exploited using a different attack vector, but all are related to weaknesses in the implementation of processor speculative execution.
Meltdown and Spectre have been described as “catastrophic” a by security analysts and have received extensive press coverage. Operating system and microprocessor vendors were very responsive and quickly rushed out patches and updates, but these initial patches caused issues with CPU performance degradation and spontaneous server reboots. Consequently, many of our customers have contacted us seeking information and recommendations regarding the patches.
In order to provide the timeliest information, we have created this web page, which will be updated as new information becomes available.
It is important to note that the speculative execution vulnerabilities are a result of inherent weaknesses in microprocessor functionality and are mitigated through a combination of firmware provided by the microprocessor vendor and operating system updates provided by the operating system (OS) vendor. Since Meltdown and Spectre are not related to weaknesses in SecureLogix software applications, no software updates or upgrades to our applications are required to address these vulnerabilities.
Status and Patches
Spectre and Meltdown consist of three separate vulnerabilities, as noted in the following table.
|Vulnerability||CVE||Exploit Name||Public Vulnerability Name||Patch Method|
|Spectre||2017-5753||Variant 1||Bounds Check Bypass||OS|
|Spectre||2017-5715||Variant 2||Branch Target Injection||OS / Firmware|
|Meltdown||2017-5754||Variant 3||Rogue Data Cache Load||OS|
The specific recommendations and support provided by SecureLogix depend on the product and hosting method, as described in the following sections.
Customer-Owned and Managed ETM® Servers
The SecureLogix® Customer Support service offering does not include furnishing or installing operating system software updates and upgrades. SecureLogix customers will need to obtain and install updates to mitigate Spectre and Meltdown themselves. That said, SecureLogix customer support is ready to provide technical support and assistance with the ETM system software applications.
Our general recommendation for all security vulnerabilities is that customers should follow their established policies for applying security patches and updates and this is no different for Spectre and Meltdown.
Reports of performance degradation and reliability issues with the Spectre and Meltdown patches have caused many organizations to delay installing those updates. SecureLogix software applications and the servers they run on are no more nor less susceptible to these reported issues. Therefore, SecureLogix customers will want to stay up to date with the changing status of the microprocessor and operating system vendors’ patches in order to make informed decisions.
ETM® MSSV Customers with On-Premise ETM® Management Servers
The Managed Security Service for Voice (MSSV) includes remote installation of software updates and upgrades for SecureLogix software applications. It does not include installation of OS or BIOS upgrades. Consequently, MSSV customers should follow the guidance described in the preceding section for “Customer-Owned and Managed ETM Servers.”
Hosted ETM® Server Customers
ETM hosting service customers are entitled to both ETM software and operating system updates and upgrades.
ETM hosting services are implemented in Amazon Web Services (AWS). AWS has updated their hypervisor for all server instances as well as each of the ancillary services that we use to support ETM Management servers. Customers who need more detailed information about AWS’s response to the Spectre and Meltdown vulnerabilities should refer to this page for the latest information.
SecureLogix has applied the most current Spectre and Meltdown patches to the CentOS operating system on the individual ETM Management Server instances for all customers. SecureLogix will continue to monitor announcements and install updates as required.
PolicyGuru® Solution Customers
PolicyGuru Solution customers with Managed Services contracts are eligible for both product and operating system updates and upgrades.
SecureLogix testing with the initial Linux operating system patches resulted in a dramatic degradation of performance that would have rendered PolicyGuru systems inoperative, and therefore we could not recommend installing those patches. As of March 14, 2018, SecureLogix has completed testing the most current patches for CVE-2017-5753 and 2017-5754 and we are ready to discuss customer upgrades.
Intel announced on Feb 20 that it had released new microcode updates for several processors to address Spectre Variant 2 (CVE-2017-5715), but updates are not yet available for all processors used in SecureLogix server platforms. We will continue to monitor for microcode update availability for processors used in SecureLogix servers. As updates become available, we will begin testing the new microcode as soon as possible; however, at this time we do not have an anticipated date when we will be able to make recommendations to our customers. As a reminder, Intel advised in January that customers should stop deploying their initial firmware update. Consequently, we intend to proceed cautiously on these new updates.
For Additional Information
Please contact SecureLogix Technical Support.