Veritas Appliance Statement on Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)

  • Article ID:100041496

Severity

High

Description

Public security research has disclosed speculative-execution side-channel vulnerabilities identified as "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5753 & CVE-2017-5715) that impact products using the x86 architecture, including Intel and other manufacturers' microprocessors.

What we know

  • These vulnerabilities do not directly target Veritas software products.
  • Veritas Appliances are affected because the hardware platform uses Intel processors. Exploitation requires a local user to install and run a binary on the appliance in order to read memory belonging to another process (or, for Meltdown, to the kernel).
  • The issue lies in the interaction between the processor hardware and the operating system, which is why it affects nearly every hardware vendor using modern processor technologies.
  • Guidance from our vendors indicates that mitigating these vulnerabilities will require updates from both Intel (processor microcode) and Red Hat (the RHEL kernel used by the appliance).
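Because the fix depends on both a kernel update and a microcode update, a practitioner will want a repeatable way to confirm on a given appliance which of the three CVEs is actually mitigated after patching. The POSIX shell script below is an added example, not Veritas code and not part of the original statement. It assumes the appliance runs a Linux kernel that exposes the upstream sysfs interface /sys/devices/system/cpu/vulnerabilities/ (kernels 4.15 and later, and Red Hat's backports of the fix); a kernel that predates that interface has no such directory and is reported as "unknown" rather than as patched. The function names (cve_status, report) and the VULN_DIR variable are this example's own.

```shell
#!/bin/sh
# Added example (not Veritas code): report Meltdown/Spectre mitigation status
# from the kernel's sysfs interface. Each file holds a one-line status such as
# "Mitigation: PTI", "Mitigation: Full generic retpoline", "Vulnerable" or
# "Not affected". For spectre_v2, a status of "Mitigation: IBRS" is only
# possible once the Intel microcode update is loaded, so this check covers
# both vendor updates referenced in the statement above.

# Assumption: the kernel provides this directory; override for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# cve_status <dir> <sysfs-name>
# Prints exactly one of: mitigated, vulnerable, not_affected, unknown.
# "unknown" means the kernel does not report on this CVE at all (older
# kernel without the sysfs interface), which must NOT be read as "patched".
cve_status() {
    dir="$1"
    name="$2"
    f="$dir/$name"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(cat "$f")
    case "$v" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report <dir>
# Prints one line per CVE (sysfs name, CVE id, status) and returns 1 if any
# entry is still reported as vulnerable, 0 otherwise. "unknown" entries do
# not fail the check on their own; they are flagged in the output for review.
report() {
    dir="$1"
    rc=0
    for entry in "meltdown:CVE-2017-5754" \
                 "spectre_v1:CVE-2017-5753" \
                 "spectre_v2:CVE-2017-5715"; do
        name=${entry%%:*}
        cve=${entry#*:}
        s=$(cve_status "$dir" "$name")
        printf '%-11s %-14s %s\n' "$name" "$cve" "$s"
        [ "$s" = vulnerable ] && rc=1
    done
    return $rc
}
```

To run it on an appliance, source the file and call `report "$VULN_DIR"`; a non-zero exit status means at least one of the three entries still reads "Vulnerable". Treat "unknown" as "not verified": on a kernel that predates the sysfs interface the script cannot distinguish an unpatched kernel from one patched by other means, and the kernel and microcode package versions must be checked directly instead.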

Veritas is committed to the security and safety of its products, our customers, and most importantly, the data we protect. We have evaluated and determined our course of action at this time will be as follows:

  • NetBackup Appliance platforms including the 5340, 5330, 5240, and 5230 will be addressed via the next release, v3.1.1, which is planned for release in March 2018.
  • We are working with Intel to create a patch for the NetBackup Appliance 5220 model. We currently have a solution for two of the identified issues, and are evaluating options for the remaining issue.

We are continuing to evaluate our options for providing hotfixes for earlier NetBackup Appliance releases. The timeline depends on the availability of vendor patches and on the interoperability testing required with the other hardware and software components bundled with the appliance platform. We will update this statement once we have identified a release timeline and patch strategy for our supported platforms beyond the current commitment of the 3.1.1 release.

Veritas Appliance Platforms that will not receive a patch or update:

  • Veritas 5020 and 5030 Target Deduplication Appliance platforms
    • These platforms run versions of SUSE Linux Enterprise Server (SLES) that are past End of Support
  • Velocity 7330 Appliances
    • This platform runs a version of RHEL for which Red Hat is not providing an update to us
  • Backup Exec 3600 Series Appliances
    • These appliances may be able to receive a patch from Microsoft, as they run Microsoft Windows Storage Server 2008 R2 as their base platform operating system

Veritas will not be providing patches for Appliance software OR hardware platforms that have reached their End of Support Life. For more information on Appliance EOSL, please visit https://www.veritas.com/support/en_US/article.100038921

It should be noted that these vulnerabilities are considered local only: an attacker must already be able to execute code on the appliance itself to exploit them. As always, it is good practice to apply basic security measures to minimize impact and mitigate risk. Veritas strongly recommends restricting access to critical backup infrastructure, including appliances, using industry best practices for access control, so that only trusted administrators can log in to or run code on the appliance.

Regarding questions about a potential performance impact to Veritas Appliances.

At this time, the performance impact to the Appliance platform is still unknown. Veritas Engineering is working to determine any measurable performance impact on our supported platforms, and we will provide guidance only once our performance test group has established fact-based data. The timeline for completing this work has not yet been identified and depends on the availability of fixes from our vendors.

For more information on the vulnerabilities, and a statement from Intel, please review the following links:

https://meltdownattack.com/
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

Veritas will communicate any new or updated information as soon as we discover and verify it. Questions and comments are welcome and should be directed to Veritas Support.

Action Required

Continue to monitor this Alert for updates. Veritas will provide additional communication via this Alert on the patch strategy, availability, and timing of the release that addresses these vulnerabilities.
