Veritas Appliance Statement on Meltdown and Spectre Vulnerabilities

Article: 100041496
Last Published: 2023-10-09
Product(s): Appliances

Severity

High

Description

Public security research has disclosed side-channel analysis vulnerabilities identified as "Meltdown" (CVE-2017-5754), "Spectre" (CVE-2017-5753 & CVE-2017-5715), "Spectre-NG" (CVE-2018-3640 & CVE-2018-3639 & CVE-2018-3665 & CVE-2018-3693), "L1TF" (CVE-2018-3615 & CVE-2018-3620 & CVE-2018-3646), "MFBDS" (CVE-2018-12130), "MSBDS" (CVE-2018-12126), "MLPDS" (CVE-2018-12127), "MDSUM" (CVE-2019-11091), "MDS" (CVE-2019-11135), "VRDS" (CVE-2020-0548) and "L1DCES" (CVE-2020-0549). These vulnerabilities impact products that use x86 architecture, including Intel and other manufacturers' microprocessors.

What we know

  • These vulnerabilities do not directly target Veritas software products.
  • Veritas Appliances are affected because the hardware platform uses Intel components. Exploitation requires a local user to install and run a binary in order to read another process's memory.
  • The issue lies specifically between the hardware architecture and the operating system, which affects nearly every hardware vendor using modern processor technologies.
  • Guidance from our vendors indicates that mitigation of these vulnerabilities requires updates from both Intel and Red Hat.

Veritas is committed to the security and safety of its products, our customers, and most importantly, the data we protect. We have evaluated and determined our course of action at this time will be as follows:

  • Veritas has addressed these vulnerabilities in its appliance platforms as follows:
    • NetBackup Appliance models 5350, 5250, 5150, 5340, 5240, 5330, and 5230 with software versions 3.3.0.1 and later.
    • NetBackup Virtual Appliance with software versions 3.3.0.1 and later.
    • Flex Appliance models 5350, 5250, 5150, and 5340 with software versions 2.0 and later.
  • The new Flex Appliance models 5260 and 5360 are not impacted as they support software version 3.2 and above only.
  • Veritas strongly advises customers to upgrade to the latest version if they require remediation.
  • It should be noted that the vulnerabilities are considered local only. A user must have local access on the appliance itself to execute these exploits. As always, it is good practice to ensure basic security measures are taken to minimize impact and mitigate risks. Veritas strongly recommends restricting access to critical backup infrastructure, including appliances, using industry best practices for access control.
  • Variant 2 (CVE-2017-5715) can be addressed by Veritas with an EEB for appliances that use software versions 3.1.1, 3.1.2, 3.2 and later versions. See the following link for details and to obtain the EEBs:
    https://www.veritas.com/support/en_US/downloads/update.UPD178963
  • Variant 3a (CVE-2018-3640) can be addressed with a BIOS update from Intel. For details, see the "BIOS Update" section below.
  • Variant 4 (CVE-2018-3639) can be addressed with a BIOS update from Intel and with a Veritas update to kernel version 3.10.0-862.3.2. For details, see the "BIOS Update" section below. The kernel update is included in software release 3.2 and later versions.
  • Spectre-NG (CVE-2018-3665) can be addressed with a Veritas update to kernel version 3.10.0-862.3.3. This update is included in software release 3.2 and later versions.

  • Variant 1.1 (CVE-2018-3693) can be addressed with a Veritas update to kernel version 3.10.0-862.11.6. This update is included in software release 3.2 and later versions.

  • L1 Terminal Fault (CVE-2018-3615) can be addressed with a BIOS update from Intel. For details, see the "BIOS Update" section below.

  • L1 Terminal Fault (CVE-2018-3620) and (CVE-2018-3646) can be addressed with a BIOS update from Intel and with a Veritas update to kernel version 3.10.0-862.11.6 and microcode update to 2.1-29.10. For the BIOS update, see the "BIOS Update" section below. The kernel and microcode updates are included in software release 3.2 and later versions.

  • Microarchitectural Fill Buffer Data Sampling (CVE-2018-12130) and (CVE-2018-12126) can be addressed with a BIOS update from Intel. For details, see the "BIOS Update" section below.

  • Microarchitectural Load Port Data Sampling (CVE-2018-12127) can be addressed with a BIOS update from Intel. For details, see the "BIOS Update" section below.

  • Microarchitectural Sampling Uncacheable Memory (CVE-2019-11091) can be addressed with a BIOS update from Intel. For details, see the "BIOS Update" section below.

  • Transactional Synchronization Extensions Asynchronous Abort (CVE-2019-11135) can be addressed with a BIOS update from Intel and with a Veritas update to qemu-kvm version 3.10.0-862.11.6. For the BIOS update, see the "BIOS Update" section below. The qemu-kvm update is included in software release 3.3.0.1 and later versions.

  • Vector Register Data Sampling (CVE-2020-0548) can be addressed with a BIOS update from Intel. For details, see the "BIOS Update" section below.

  • L1D Cache Eviction Sampling (CVE-2020-0549) can be addressed with a BIOS update from Intel. For details, see the "BIOS Update" section below.

BIOS Update

Veritas provides a firmware update tool that lets you update the BIOS to address the Spectre V3a, Spectre V4, L1TF, MFBDS, MSBDS, MLPDS, MDSUM, MDS, VRDS and L1DCES issues. For details and to obtain the tool, see the following article: https://www.veritas.com/support/en_US/article.100046032

Veritas Appliance Platforms that will not receive a patch or update:

  • Veritas 5020 and 5030 Target Deduplication Appliance platforms
    • These platforms run versions of SuSE SLES Linux that are beyond End of Support.
  • Velocity 7330 Appliances
    • This platform runs a version of RHEL for which Red Hat is not providing an update to us.
  • Backup Exec 3600 Series Appliances
    • These appliances may be able to receive a patch from Microsoft, as they run Microsoft Storage Server 2008 R2 as their base platform operating system.

Veritas will not be providing patches for Appliance software OR hardware platforms that have reached their End of Support Life. For more information on Appliance EOSL dates, please visit https://www.veritas.com/support/en_US/article.100045773

Performance Impact Update

After thorough testing and evaluation, Veritas has determined that there is no performance impact or degradation on any appliance platform in conjunction with these vulnerabilities, except for Variant 2. Further details about Variant 2 will be available when the EEB is released.

For more information on the vulnerabilities, and a statement from Intel, please review the following links:

Veritas will communicate any new and updated information as soon as we discover and verify the information. Questions and comments are welcomed, and should be directed to Veritas Support.

Action Required

Continue to monitor this Alert for updates. Veritas will provide additional communication updates via this Alert on patch strategy, availability, and timing of release to address these vulnerabilities.
