Side Channel Vulnerability

(Also known as Spectre and Meltdown)

'Meltdown' and 'Spectre' Information

There are indications that the Meltdown vulnerability is exclusive to Intel processors, while the Spectre vulnerability can possibly affect some Intel, AMD, and ARM processors. Procedures are available to help protect devices from the Meltdown and Spectre security vulnerabilities.

Intel released a noteworthy article on January 22, 2018: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners

It is strongly recommended that baseline performance testing be conducted before patches are applied to production, as performance may be impacted.

Vendors and manufacturers have provided the information and/or mitigation solutions below to address the vulnerabilities.

Apple

Updates have been released for Apple iOS, macOS High Sierra, and Safari on Sierra and El Capitan to help defend against Spectre. Further information is available at: https://support.apple.com/en-us/HT208394

Amazon

Amazon Web Services (AWS) is aware of the issue described in CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All instances across the Amazon EC2 fleet are protected from all known threat vectors from the CVEs previously listed. Customers’ instances are protected against these threats from other instances. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads. We will keep customers apprised of additional information with updates to our security bulletin, which can be found here.

More information on these bulletins is available at the Amazon Linux AMI Security Center.

Cisco

DELL & EMC

Dell is working diligently with Intel and others in the industry to address the issue, and recommends that you bookmark the following pages, where the latest information on affected Dell / Dell EMC products, including BIOS updates, will be published as it becomes available.

There is a great volume of inaccurate information on the web. Dell recommends that customers obtain appropriate details from industry-standard sources such as MITRE and NIST. Source information regarding the two vulnerabilities from the researchers at Graz University of Technology (links for abstracts Spectre and Meltdown) is provided below.

CVE-2017-5715

CVE-2017-5753

CVE-2017-5754

Extreme Networks

Extreme has published Vulnerability Notices to provide information on two issues known as Meltdown and Spectre.

F5

F5 – K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754

F5 BIG-IP

First and foremost, there is no exposure on BIG-IP products by way of the data plane. All exposure is limited to the control plane (also known as the management plane).

Furthermore, on the control plane, the vulnerabilities are exploitable only by four authorized, authenticated account roles: Administrator, Resource Administrator, Manager, and iRules Manager. You must be authorized to access the system in one of these roles to even attempt to exploit the vulnerabilities.

All three vulnerabilities require an attacker who can provide and run binary code of their choosing on the BIG-IP platform.

These conditions severely restrict the exposure risk of BIG-IP products.

Impact

F5 continues to investigate the impact of the Spectre and Meltdown vulnerabilities on its products. F5 is focused on providing patched releases as soon as it has fully tested and verified fixes. F5 will update this article with the most current information as soon as it is confirmed.

For more information, please review this webpage: https://support.f5.com/csp/article/K91229003

For additional questions or concerns please feel free to call F5 support at 1-888-882-7535, or F5 Account Manager Tony Ganzer at (916) 837-7007 or t.ganzer@f5.com, or F5 SE Chas Lesley at (916) 698-3375 or c.lesley@f5.com. You can also open a support ticket at https://support.f5.com/csp/my-support/home.

HP/HPE

On 3 January 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE Storage products, potentially leading to information disclosure and elevation of privilege. Product-specific mitigation steps will be provided through the HPE Support Center when available.

Determine if you have a storage system that is impacted by this vulnerability. HPE is maintaining a list of impacted products on the HPE vulnerability website.

HPI

Under Construction

IBM

The latest information from IBM on status and actions. This blog contains links to the product specific sites that articulate support activities.

Juniper

Full Juniper Networks advisory to date: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842

State agencies that are Juniper customers and have questions or concerns can contact the State of CA Juniper account team or JTAC directly: Juniper Account Manager Michelle Oushakoff, (916) 549-3713 or moushakoff@juniper.net; Juniper Technical Support: 1-888-314-5822 (toll free, US & Canada).

Juniper customers can get regular and out-of-cycle security advisories specific to Juniper solutions by subscribing with their Juniper support credentials here: https://www.juniper.net/customers/support/

McAfee

Microsoft

Oracle

The upcoming patch release dates are published here: https://www.oracle.com/technetwork/topics/security/whatsnew/index.html

A short video about how to access My Oracle Support is located here: https://videohub.oracle.com/media/My+Oracle+Support+Introduction/1_kxsm9sl3/66434132

More detailed instructions about using Oracle Support are available after logging in: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1543719.1