State-of-the-art Cloud solutions
by Softronics

Information about the vulnerabilities Meltdown and Spectre

11/01/2018

Version 2.8, 14.06.2018

 

The vulnerabilities Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) were publicly announced on 3 January 2018. According to reports, processors from Intel, AMD and ARM are affected by the following variants, as described by Project Zero:

 

  • Variant 1: Bounds Check Bypass (CVE-2017-5753), (Spectre)
  • Variant 2: Branch Target Injection (CVE-2017-5715), (Spectre)
  • Variant 3: Rogue Data Cache Load (CVE-2017-5754), (Meltdown)

These vulnerabilities allow programs running with normal, restricted privileges to obtain access to protected memory areas (kernel memory).

 

Affected processors

| Manufacturer | Affected CPUs | Variant 1 (Spectre) | Variant 2 (Spectre) | Variant 3 (Meltdown) |
|---|---|---|---|---|
| AMD | No details so far. | Yes | Near-zero risk according to AMD | No |
| ARM | Cortex | Yes | Yes | Yes |
| Intel | CPUs with Out-Of-Order Execution (CPUs since 1995, except for Itanium and Atom before 2013) | Yes | Yes | Yes |

Status: 11 January 2018

 

Affected products

These products are affected by Variant 1:

  • Linux Virtual Server Pro
  • Windows Virtual Server Pro
  • Virtual Server 2.0 Linux
  • Virtual Server 2.0 Windows
  • Linux Dedicated Server Pro
  • Windows Dedicated Server Pro
  • NAS-Cloud
  • Cloud Services

 

Products being clarified

These products are still being clarified and will be added to the list above if necessary.

  • No further products

 

Updates / Upgrades

Hardware, BIOS and Firmware
Microcode updates, which would require an update of the BIOS, might be necessary to close these vulnerabilities. We are cooperating with the manufacturers accordingly.
The corresponding updates on the host systems will be carried out as soon as possible. We will inform affected customers about any interruptions through our newsletter. If possible, these updates will be carried out without any impact on the customer.

Operating System and Software
You can find information regarding the update-status of the Operating Systems on the corresponding websites. The most important links are listed here:


Web Browser

 

The Meltdown and Spectre vulnerabilities can also be exploited via the web browser. We therefore recommend always keeping the browser up to date.

 

 

We will apply the corresponding updates to the host systems as soon as possible. We will do our best to carry out any reboots of the host systems without interrupting our customers. If that is not possible, we will inform the affected customers through our newsletter. Because your own system remains vulnerable to attacks, you must keep it up to date.

 

Current state of the products

According to the manufacturer's information from 11.01.2018, the CPUs used by Softronics are not affected by Meltdown. We will test the available security solutions on the host servers and our infrastructure as fast as possible. When the tests have been successfully completed, we will swiftly perform the rollout. We usually try to do this without causing interference for our customers. We will inform affected customers about any interruptions through our newsletter.

| Product | Effects | BIOS up to date | OS up to date |
|---|---|---|---|
| Host Server "Linux Virtual Server Pro" | Variant 1 | Yes | In discussion |
| Host Server "Windows Virtual Server Pro" | Variant 1 | Yes | In discussion |
| Host Server "Virtual Server 2.0 Linux" | Variant 1 | Yes | Tests running |
| Host Virtual Server 2.0 Windows | Variant 1 | Yes | Tests running |
| Linux Dedicated Server Pro | Variant 1 | Open | Responsibility of the customer [1] |
| Windows Dedicated Server Pro | Variant 1 | Open | Responsibility of the customer [1] |

[1] Patching and keeping the OS up to date is the responsibility of the customer.

Customer responsibility

We recommend that you install the updates as soon as stable versions are available, since the operating systems installed on our virtual and dedicated servers are vulnerable as well. As of today (19.01.2018) there are no microcode updates or patches available for the NAS-Cloud.
We also encourage you to keep your applications up to date.
We are happy to assist you with the necessary tasks. To do so, please contact our support.

| Product | Effects | BIOS Update [1] | OS Update [2] | Software Update [3] |
|---|---|---|---|---|
| Linux Virtual Server Pro | Variant 1 | No | Yes | Yes |
| Windows Virtual Server Pro | Variant 1 | No | Yes | Yes |
| Virtual Server 2.0 Linux | Variant 1 | No | Yes | Yes |
| Virtual Server 2.0 Windows | Variant 1 | No | Yes | Yes |
| Linux Dedicated Server Pro | Variant 1 | Open | Yes | Yes |
| Windows Dedicated Server Pro | Variant 1 | Open | Yes | Yes |
| NAS Cloud | Variant 2 | Yes | Yes | Yes |

[1] Customer can perform BIOS updates
[2] Customer can perform OS updates
[3] Customer can update software and applications
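
One way to verify on a Linux server that the OS updates recommended above are in effect, as an added example (not Softronics' own tooling): the script reads the status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities and maps them to the three variants listed at the top of this page. The function names and the status strings written by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigation.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify <status-line> -> OK | VULNERABLE | UNKNOWN
classify() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# check_variants [dir]: one line per variant; returns 0 if all are OK,
# 1 if any is vulnerable, 2 if a status could not be determined.
check_variants() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for entry in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        name=${entry%%:*}; cve=${entry#*:}
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            status="no status file (kernel without status reporting)"
        fi
        verdict=$(classify "$status")
        printf '%-10s %-14s %-10s %s\n' "$name" "$cve" "$verdict" "$status"
        case $verdict in
            VULNERABLE) rc=1 ;;
            UNKNOWN)    if [ "$rc" -eq 0 ]; then rc=2; fi ;;
        esac
    done
    return "$rc"
}

# demo: run the check against constructed sample files (not output of a real host)
demo() {
    tmp=$(mktemp -d)
    echo "Mitigation: __user pointer sanitization" > "$tmp/spectre_v1"
    echo "Vulnerable"                              > "$tmp/spectre_v2"
    echo "Mitigation: PTI"                         > "$tmp/meltdown"
    drc=0; check_variants "$tmp" || drc=$?
    rm -rf "$tmp"
    return "$drc"
}

# "--demo" uses the constructed sample, "--host" reads this machine's sysfs.
case "${1:-}" in --demo) demo ;; --host) check_variants ;; esac
```

Inside a virtual server the files describe the guest kernel only; a missing file means the installed kernel does not report mitigation status.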

 

Additional information

Revision history

  • Version 2.8, 14.06.2018. Microsoft June Update
  • Version 2.7, 16.04.2018. Microsoft April Update
  • Version 2.6, 11.04.2018, AMD Spectre Mitigation Update
  • Version 2.5, 14.03.2018, Microsoft March Security Updates
  • Version 2.4, 21.02.2018, Microcodes for Intel Skylake and Server processors
  • Version 2.3, 12.02.2018, Overview microcode updates planned by Intel
  • Version 2.2, 25.01.2018, Managing Speculation on AMD Processors Whitepaper added
  • Version 2.1, 23.01.2018; information about current Intel patches added
  • Version 2.0, 19.01.2018; added status of products
  • Version 1.5, 18.01.2018; added Link Retpoline
  • Version 1.4, 17.01.2018: Cloud Services added to affected products
  • Version 1.3, 16.01.2018: Information added about NAS-Cloud and Debian
  • Version 1.2, 15.01.2018; Information about Web Browser
  • Version 1.1, 15.01.2018; NAS-Cloud added to affected products
  • Version 1.0, 10.01.2018: Initial Version