
Overview

Watch for Updates

This advisory may be updated with additional information. Please log in and watch this page if you would like to be notified of updates.

Impact

IMPORTANT

Published: 2018-01-05
Last Updated: 2018-01-06
Related CVE(s)

CVE-2017-5715

CVE-2017-5753

CVE-2017-5754

Related Bulletins

2018-01-05 Service Bulletin: Unix Team Managed Systems Mass Reboot Schedule (Meltdown and Spectre)

2018-01-06 Service Bulletin: IST Cloud - VPS / Dedicated Compute Patching (Spectre)

Details

Security researchers have discovered and demonstrated three separate vulnerabilities in the way many CPU architectures implement performance features known as speculative execution and indirect branch prediction. Exploitation of these vulnerabilities may allow an attacker to access sensitive information such as passwords and other secrets. Two of these vulnerabilities are collectively known as "Spectre", while the third is known as "Meltdown".

Meltdown appears to affect all recent Intel CPUs and some ARM architectures, and is easier to exploit than Spectre.
The fixes for these issues may have some performance impact on applications.

These vulnerabilities affect all operating systems running on affected CPUs, and vendors are making patches available to mitigate them. However, at least one of the vulnerabilities also requires a firmware (CPU microcode) update before operating systems can fully address it.

Mitigation

Full mitigation of these three vulnerabilities requires patching operating systems, whether they run on physical hardware or in a virtual machine, as well as updating hypervisors and CPU firmware.

Application vendors may release updates to their products to introduce some mitigations. Customers should monitor for any application updates.
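
One way to confirm on a Linux system that the kernel reports mitigations for the three CVEs after patching and rebooting. This is an added example, not part of the original advisory; it assumes a kernel that reports status under /sys/devices/system/cpu/vulnerabilities, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: report the kernel's own mitigation status for the three CVEs.
# Assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities.

# classify_status TEXT -> MITIGATED | NOT_AFFECTED | VULNERABLE | UNKNOWN
classify_status() {
  case "$1" in
    "Not affected"*) echo NOT_AFFECTED ;;
    "Mitigation:"*)  echo MITIGATED ;;
    "Vulnerable"*)   echo VULNERABLE ;;
    *)               echo UNKNOWN ;;
  esac
}

# check_cpu_vulns [DIR]: prints one line per CVE; returns 1 if any entry is
# VULNERABLE or UNKNOWN (a missing file usually means an unpatched kernel).
check_cpu_vulns() {
  local dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  local rc=0 pair cve file text state
  for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown; do
    cve="${pair%%:*}"; file="${pair##*:}"
    if [ -r "$dir/$file" ]; then
      IFS= read -r text < "$dir/$file" || true
    else
      text="(no $file entry reported by this kernel)"
    fi
    state="$(classify_status "$text")"
    case "$state" in VULNERABLE|UNKNOWN) rc=1 ;; esac
    printf '%s %s %s %s\n' "$cve" "$file" "$state" "$text"
  done
  return "$rc"
}

# Demo on constructed sample data (not output from a real host): Meltdown and
# Spectre v1 fixes are active, Spectre v2 is still reported as vulnerable.
demo() {
  local d; d="$(mktemp -d)"
  echo "Mitigation: PTI" > "$d/meltdown"
  echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
  echo "Vulnerable" > "$d/spectre_v2"
  check_cpu_vulns "$d" || echo "=> host still needs patching or a microcode update"
  rm -rf "$d"
}
demo
```

Calling `check_cpu_vulns` with no argument reads the live system. Inside a VM it reflects only what the guest kernel reports; hypervisor and firmware updates are verified separately.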

Patching Responsibility

If you are an IST customer, the specific actions you need to take depend on whether you are running self-managed workloads directly on our VPS/VMware service or if we also manage your VMs and their operating systems.


| | IST Data and Platform Services | Customer |
|---|---|---|
| Self-managed VM | VMware ESXi hypervisor patches; Hardware (CPU microcode) updates | OS patches and reboots; Application patches (if applicable) |
| IST-managed VM | OS patches and reboots; VMware ESXi hypervisor patches; Hardware (CPU microcode) updates | Application patches (if applicable) |

IST Cloud (VPS and Dedicated Compute VMware Services)

The Cloud Team is reviewing and testing updates from Dell and VMware.

Please see 2018-01-06 Service Bulletin: IST Cloud - VPS / Dedicated Compute Patching (Spectre) for the latest details on patching schedules.

Dell is providing BIOS updates that include updated firmware and CPU microcode.
VMware's September 2017 patch release for ESXi included a mitigation for CVE-2017-5715. This has already been deployed in our environment.

We currently expect to begin applying updates the week of 8 January.
Hypervisors will be rebooted during updates, but all workloads will be migrated to other hardware and will not experience any downtime.

IST UNIX (Managed Linux Servers)

The Unix Team is evaluating the patches from Red Hat for RHEL.

We currently expect patches to install automatically the week of 8 January for most customer systems.
We will work with remaining customers on out-of-cycle patching.

All managed systems will require a reboot after the kernel patch is installed.
Please see 2018-01-05 Service Bulletin: Unix Team Managed Systems Mass Reboot Schedule (Meltdown and Spectre) for details on reboot schedules.
Standard Support systems will be automatically rebooted on a schedule around 6 PM on a business day.
Extended Support systems will be scheduled and coordinated with customers.

Red Hat Resources

IST Windows (Managed Windows Servers)

The Windows Team is evaluating patches from Microsoft and waiting for certification of compatibility with security software.


Timeline

| Date/Time | Affected Customers | Actions |
|---|---|---|
| 2018-01-05 – 2018-01-07 | N/A - Internal Testing | Testing of BIOS updates on development hypervisors |
| 2018-01-08 – 2018-01-12 | Cloud (VMware VPS and Dedicated Compute) | Rollout of BIOS updates to hypervisor servers |
| 2018-01-08 – 2018-01-12 | UNIX Customers | Rollout of Red Hat OS patches |
| 2018-01-08 – 2018-01-22 | UNIX Customers | Scheduled reboot of servers after patching |

References

Update History

| Date | Update Summary |
|---|---|
| 2018-01-05 | Initial Publication |
| 2018-01-05 | Added links to Red Hat resources |
| 2018-01-06 | Added link to IST Cloud Infrastructure bulletin |