We have further updated the OSU packages which contain fixes from Red Hat which addresses previous issues we reported with Xen and AWS based virtual guests.
This OS Update (OSU) contains fixes and mitigations for the Meltdown and Spectre vulnerabilities. As a single-use restricted appliance, the risk of these vulnerabilities to BMC Discovery is low, but to follow security best practices we would recommend applying the update in most cases.
This update also contains the Red Hat fix for the issue, noted in the previous (23 January 2018 on CentOS 6 and 22 January 2018 on RHEL 6)OSU where a paravirtualized guest on XEN, including AWS and other cloud platforms, could be rendered unbootable.
For more information on this OSU, please reference the following documentation:
For Discovery appliances on v11.1 or earlier: 25 January 2018 on RHEL 6 - BMC Discovery OS upgrades - BMC Documentation
For Discovery appliances on v11.2: 27 January 2018 on CentOS 6 - BMC Discovery OS upgrades - BMC Documentation
Hello BMC Discovery Community,
We would like to make you aware that the underlying OS used by BMC Discovery is affected by the spectre and meltdown vulnerabilities. Red Hat have published a kernel update (version 2.6.32-696.18.7) to mitigate some aspects of the ‘Meltdown’ and ‘Spectre’ CPU vulnerabilities. We had planned to roll this into an extra OS update.
However, as we prepared this update we learnt that this kernel update had rendered some systems unbootable. This only applies to certain hypervisors and certain VM build types, but given the serious consequences we could no longer publish the update in its current form. We are now working with Red Hat in pursuit of an early resolution to the fault.
Although these CPU vulnerabilities are high profile at present, the risk to the BMC Discovery appliance is low. All variants of the vulnerabilities apply to locally-executing code gaining improper access to memory. As an appliance, the Discovery system should not be running any unapproved software, and perimeter security remains the main line of defense for the BMC Discovery appliance.
We will of course provide updated operating system packages when we believe it is safe to do so.
For more information on the vulnerabilities see the following pages: