Inuvika Update Regarding CVE-2017-5754, CVE-2017-5715 and CVE-2017-5753 (Spectre and Meltdown Security Flaws)
Overview
Recently, new security-related issues have been identified impacting Intel, AMD, and ARM-based CPU architectures.
While the nature of these issues is hardware-related, Inuvika continues to review the potential impact on OVD Enterprise. This update is intended to advise our customers and partners on currently-known courses of action that can be taken to mitigate possible risks. Inuvika will provide additional updates if direct impacts on OVD are identified.
Impact on OVD Enterprise
Inuvika believes that currently-supported versions of OVD Enterprise are not directly impacted by the known security issues.
However, the security issues can be exploited both locally (i.e. within the same OS) and across the virtualization guest boundary. Therefore, the underlying CPU firmware, hypervisor, guest operating systems, cloud platforms, and other third-party components that are part of an OVD Enterprise environment may require updates.
Known Status of Third Party Components
- Microsoft has released patches for the 2008 R2, 2012 R2, and 2016 versions of the Windows Server Operating System. (Ref: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution)
- Kernel and processor microcode updates have been made available for both Ubuntu 16.04 LTS and Ubuntu 14.04 LTS Operating Systems. (Ref: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown)
- Kernel and processor microcode updates have been made available for Red Hat Enterprise Linux 6 and 7 Operating Systems. (Ref: https://access.redhat.com/security/vulnerabilities/speculativeexecution)
- VMware has released patches for vSphere ESXi. (Ref: https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html)
- The Google, Microsoft, and Amazon cloud platforms have been addressed. Refer to each vendor's website for more information.
- Mozilla has landed mitigations in the Firefox browser. (Ref: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/)
- Apple has addressed iOS, macOS, and Safari. (Ref: https://support.apple.com/en-us/HT208394)
- Nutanix hyperconverged infrastructure. (Refer to Security Advisory #0007 in the support portal: https://portal.nutanix.com/#/page/static/securityAdvisories)
- Intel has published a security advisory, INTEL-SA-00088. (Ref: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr)
Current Recommendations for OVD Enterprise Customers
- Prior to beginning your update, pause and create an overall plan. Evaluate each individual component of your OVD environment and identify the necessary steps that must be taken. Inuvika recommends that you prioritize the following:
  - Hypervisor appliances and server hardware that host OVD
  - Guest Operating Systems
  - Backend systems (directory, storage, and application server hardware; and their Operating Systems)
  - Applications residing on your application servers
- Contact your hardware or software OEM providers for the most up-to-date information and available patches.
- Apply the recommended patches. After a patch has been applied, verify that the component is performing as expected.
- In addition, client devices, their Operating Systems, and applications that access your OVD environment may require updates. We recommend you contact your device OEMs for further instruction.
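The "verify that the component is performing as expected" step above is easiest to put into practice on Linux hosts and guests, because patched kernels report their own mitigation state under /sys/devices/system/cpu/vulnerabilities (one file per issue, such as meltdown, spectre_v1 and spectre_v2). The following script is an added example and is not Inuvika tooling or part of the OVD product; it reads that directory and fails when any file reports "Vulnerable", so it can be run on each OVD guest and hypervisor host after patching. The sample directories it builds for offline demonstration are constructed here, with strings modelled on what Linux kernels of that era print.

```shell
#!/bin/sh
# Added example (not part of OVD Enterprise): report the kernel's own view of the
# Spectre/Meltdown mitigation state after CPU microcode and kernel updates.
# Each file under the vulnerabilities directory contains one of:
#   "Not affected"  "Mitigation: <details>"  "Vulnerable"/"Vulnerable: <details>"

# check_vulns [DIR]
#   Prints one line per issue. Returns 0 when every file reports "Not affected"
#   or "Mitigation", 1 when any file reports "Vulnerable" or an unrecognised
#   string, and 2 when DIR does not exist (a kernel too old to expose the
#   interface, so the patch state is unknown and the host still needs work).
check_vulns() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  if [ ! -d "$dir" ]; then
    echo "UNKNOWN  $dir not present; kernel predates the mitigation reporting interface"
    return 2
  fi
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    status=$(cat "$f")
    case "$status" in
      "Not affected"*|Mitigation*)
        echo "OK       $name: $status" ;;
      Vulnerable*)
        echo "VULN     $name: $status"; rc=1 ;;
      *)
        echo "UNKNOWN  $name: $status"; rc=1 ;;
    esac
  done
  return $rc
}

# make_sample MODE
#   Builds a constructed, sysfs-like directory for offline demonstration and
#   prints its path. "patched" mimics a fully mitigated host; "partial" mimics
#   a host whose kernel is updated but still reports spectre_v2 as vulnerable,
#   which is what kernels report when the microcode or retpoline pieces are missing.
make_sample() {
  d=$(mktemp -d)
  printf 'Mitigation: PTI\n' > "$d/meltdown"
  printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
  if [ "$1" = "patched" ]; then
    printf 'Mitigation: Full generic retpoline, IBPB\n' > "$d/spectre_v2"
  else
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
  fi
  echo "$d"
}

# Stand-alone usage: check the live system first, then the two constructed samples.
# Every call is wrapped in "if" so a vulnerable result is reported, not fatal.
echo "--- live system ---"
if check_vulns; then echo "result: all reported mitigated"; else echo "result: action needed (exit $?)"; fi
for mode in patched partial; do
  sample=$(make_sample "$mode")
  echo "--- constructed sample: $mode ---"
  if check_vulns "$sample"; then echo "result: all reported mitigated"; else echo "result: action needed (exit $?)"; fi
  rm -rf "$sample"
done
```

A non-zero exit makes the script usable from configuration management or a cron job as a post-patch gate. Note that a "Mitigation" line only confirms the kernel side; microcode-dependent mitigations still require the firmware update the hardware OEM ships, and on Windows Server hosts the equivalent check is the Get-SpeculationControlSettings cmdlet from Microsoft's SpeculationControl PowerShell module referenced in the Microsoft guidance above.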