This customer communication is an update to the message BMC posted on Jan 5th about two major CPU vulnerabilities known as Meltdown and Spectre (https://communities.bmc.com/blogs/application-security-news/2018/01/05/cpu-vulnerabilities-meltdown-cve-2017-5754-and-spectre-cve-2017-5753-cve-2017-5715).
The currently known variants of Meltdown and Spectre, such as bounds check bypass, branch target injection, and rogue data cache load, are specific to CPU hardware implementations. Remediation for these variants is currently available from CPU and Operating System (OS) vendors through firmware updates and software patches (details can be found in the US-CERT link below).
For BMC software that is hosted on-premises at customer locations, BMC recommends that those customers follow their internal vulnerability management process and apply the appropriate patches according to vendor guidelines.
In cases where the software is running on BMC-provided OS or application stacks (appliances), BMC is working diligently with OS vendors to apply stable patches where necessary.
For BMC’s SaaS offerings, BMC’s operation teams have been tracking vendors for availability of stable patches and have been applying them to BMC’s SaaS infrastructure as soon as they have become available.
BMC will continue to closely monitor this evolving situation and provide additional details and maintenance notifications as needed.
More information about these vulnerabilities can be found here: https://www.us-cert.gov/ncas/alerts/TA18-004A