Security Announcement for Meltdown and Spectre
Meltdown and Spectre are two new side-channel attacks that exploit newly discovered vulnerabilities affecting a number of CPUs and crippling operations. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them. They can allow malicious userspace processes to read kernel memory, potentially leaking sensitive kernel information. This might include passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Debian is impacted by these vulnerabilities, which in turn impacts all supported versions of Rovius CP, i.e. 4.5, 4.5.1, 4.7, 4.7.1 and 4.11. In addition, the various hypervisors supported by Rovius CP are also impacted.
Red Hat and CentOS are among the impacted Management Server OSs. For details, refer to https://access.redhat.com/security/vulnerabilities/speculativeexecution.
Following are the vulnerabilities for Meltdown and Spectre:
This is the official reference to Meltdown. Common Vulnerabilities and Exposures (CVE) is the Standard for Information Security Vulnerability Names maintained by MITRE.
These are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
Status on the above vulnerabilities from Debian:
CVE-2017-5754 is fixed in Debian 7 (Wheezy).
Status on the above vulnerabilities from Hypervisors:
Please check with the respective hypervisor vendors for the current status of the fixes for these vulnerabilities:
- Citrix XenServer: https://support.citrix.com/article/ctx231390
- VMware: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
- Hyper-V: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
- KVM: https://www.qemu.org/2018/01/04/spectre/
Accelerite shall incorporate the fix from Debian in the SystemVM Templates and release new SystemVM Templates as and when the fix is available from Debian.
We aim to keep posting updates here to provide the best protection for all our customers. Please watch this space.
If you have any more questions, please write to us at firstname.lastname@example.org