Information about the vulnerabilities Meltdown and Spectre
Version 2.4, 21.02.2018
The security gaps Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) have been publicly announced on the 3. January 2018. According to reports, the concerned processors of Intel, AMD and ARM can have the following consequences as described by Project Zero:
- Variant 1: Bounds Check Bypass (CVE-2017-5753), (Spectre)
- Variant 2: Branch Target Injektion (CVE-2017-5715), (Spectre)
- Variant 3: Rogue Data Cache Load (CVE-2017-5754), (Meltdown)
These security gaps allow programs that are running with normal restricted privileges to obtain access to protected areas on the processor (Kernel Memory).
|Producer||Affected CPU's||Variant 1 (Spectre)||Variant 2 (Spectre)||Variant 3 (Meltdown)|
|AMD||No details so far.||Yes||Gem. AMD near-zero-risk||No|
|Intel||CPUs with Out-Of-Order Execution (CPUs since 1995, except for Itanium and Atom before 2013)||Yes||Yes||Yes|
These products are affected by Variant 1:
- Linux Virtual Server Pro
- Windows Virtual Server Pro
- Virtual Server 2.0 Linux
- Virtual Server 2.0 Windows
- Linux Dedicated Server Pro
- Windows Dedicated Server Pro
- Linux Webhosting
- Cloud Services
Products being clarified
These products are still being clarified and will be added to the list above if necessary
- No further products
Updates / Upgrades
Hardware, BIOS and Firmware
Microcode updates which would require an update of the BIOS might be necessary to seal these security gaps. We are cooperating with the manufactures accordingly.
The corresponding updates on the host systems will be carried out as soon aspossible. We will inform affected customers about any interruptions through our newsletter. If possible, these updates will be carried out without any impact on the customer.
Operating System and Software
You can find information regarding the update-status of the Operating Systems on the corresponding websites. The most important links are listed here:
The vulnerability Meltdown and Specter can also be exploited via the web browser. We therefore recommend to always keep the browser up to date.
The host systems will be maintained with the corresponding updates by us as soon as possible. We will do our best that any interruptions caused by reboots of the host system will be carried out without causing interruptions of our customers. If that is not possible we will inform the affected customers through our newsletter. Because your system is still vulnerable to attacks you must keep your system up to date.
Current state of the products
The CPUs used by Softronics are according to the manufacturer's information from 11.01.2018 are not affected by Meltdown. We will test the available security solutions on the host servers and our infrastructure as fast as possible. When the tests have been successfully completed we will swiftly preform the rollout. We usually try to do this without causing interference for our customers. We will inform affected customers about any interruptions through our newsletter.
|Product||Effects||BIOS aktuell||OS aktuell|
|Host Server "Linux Virtual Server Pro"||Variant 1||Yes||In discussion|
|Host Server "Windows Virtual Server Pro"||Variant 1||Yes||In discussion|
|Host Server "Virtual Server 2.0 Linux"||Variant 1||Yes||Tests running|
|Host Virtual Server 2.0 Windows||Variant 1||Yes||Tests running|
|Linux Dedicated Server Pro||Variant 1||Open||Responsibility customer1|
|Windows Dedicated Server Pro||Variant 1||Open||Responsibility customer1|
|Linux Webhosting||Variant 1||Yes||In Abklärung|
|NAS Cloud||Variant 2||Open||Responsibility customer1|
1Patching and keeping the OS up to date is the responsibility of the customer
We recommend you install the updates as soon as stable versions are available since the Operating systems installed on our Virtual- and Dedicated servers are vulnerable as well. As of today (19.01.2018) there are not micro updates or patches available for the NAS-Cloud.
We also encourage you to keep your applications up to date as well.
We are happy to assist you with the necessary tasks. To do so, please contact our support.
|Product||Effects||BIOS Update1||OS Update2||Software Update3|
|Linux Virtual Server Pro||Variant 1||No||Yes||Yes|
|Windows Virtual Server Pro||Variant 1||No||Yes||Yes|
|Virtual Server 2.0 Linux||Variant 1||No||Yes||Yes|
|Virtual Server 2.0 Windows||Variant 1||No||Yes||Yes|
|Linux Dedicated Server Pro||Variant 1||Offen||Yes||Yes|
|Windows Dedicated Server Pro||Variant 1||Offen||Yes||Yes|
|Linux Webhosting||Variant 1||No||No||Yes|
|NAS Cloud||Variant 2||Yes||Yes||Yes|
2Customer can perform OS-updates
3Customer can update software and applications
- Mitentdecker warnt vor erstem Schadcode (heise.de, 11.01.2018)
- Google patcht eigene Server ohne Leistungsverlust (GameStar.de, 15.01.2018)
- Return trampolin, Retpoline (Google.com, 19.01.2019)
- Intel warnt vor eigenen Patches (CHIP.de, 23.01.2018)
- Managing Speculation on AMD Processors Whitepaper (amd.com, 24.01.2018)
- Intel microcode revision guidance (intel.com, 08.02.2018)
- Intel firmware updates for Kaby-, Coffe-Lake and Skylake (intel.com, 20.02.2018)
- Version 2.4, 21.02.2018, Microcodesfor Intel Skylake and Server processors
- Version 2.3, 12.02.2018, Overview microcode updates planned by Intel
- Version 2.2, 25.01.2018, Managing Speculation on AMD Processors Whitepaper added
- Version 2.1, 23.01.2018; information about current Intel patches added
- Version 2.0, 19.01.2018; added status of products
- Version 1.5, 18.01.2018; added Link Retpoline
- Version 1.4, 17.01.2018: Cloud Services added to affected products
- Version 1.3, 16.01.2018: Information added about NAS-Cloud and Debian
- version 1.2, 15.01.2018; Information about Web Browser
- Version 1.1, 15.01.2018; NAS-Cloud added to affected products
- Version 1.0, 10.01.2018: Initial Version up to date