Two vulnerabilities (known as Meltdown, CVE-2017-5754, and Spectre, CVE-2017-5753 & CVE-2017-5715) were publicly disclosed on January 3, 2018. These vulnerabilities can impact almost all modern-day CPUs through an architecture design flaw within the hardware itself. The Meltdown flaw allows application-level access to system memory, including memory allocated for the kernel. Spectre consists of two variants that can allow one application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. Both vulnerabilities are known to affect servers, workstations, mobile devices, web browsers, and more.
BMC continues to monitor the industry regarding these threats, as well as individual vendor/supplier updates related to available patches/fixes. While many patches have been made available, there have also been widespread reports of system performance and stability impacts from various patches, prompting some vendors to pull those patches and recommend against them. This, together with risk analysis against our services and assets, has prompted the following actions for BMC OnDemand services:
- Anti-virus updated with patch enhancements to support recommended Meltdown/Spectre patching, as well as up-to-date definitions to minimize the ability to launch remote execution exploits.
- OS patches applied to shared multi-user systems.
- Infrastructure software hosted by AWS has been addressed.
- Infrastructure software hosted by BMC OnDemand will proceed with required updates by February.
At this time, additional vendor-issued firmware patches are still under review, and further deployment to customer systems will await confirmation of stable resolutions. Once available, patching will be scheduled and coordinated as part of emergency and scheduled maintenance windows, as needed.
In the meantime, please note that various mitigations are also in place, including but not limited to BMC OnDemand services operating in private cloud environments, with dedicated hosting hardware not shared with other companies, which minimizes the likelihood of exploitation. Intrusion prevention systems also receive updates as needed (at least daily) to monitor for specific attack code and websites hosting the attack code as they emerge. Updates will continue to be applied for ongoing coverage as new exploits emerge.
More information about these flaws can be found here: https://www.us-cert.gov/ncas/alerts/TA18-004A