Veritas Appliance Statement on Meltdown (CVE-2017-5754), Spectre (CVE-2017-5753 & CVE-2017-5715), and Spectre-NG (CVE-2018-3640 & CVE-2018-3639)
Public security research has disclosed side-channel analysis vulnerabilities identified as "Meltdown" (CVE-2017-5754), "Spectre" (CVE-2017-5753 & CVE-2017-5715), and "Spectre-NG" (CVE-2018-3640 & CVE-2018-3639) that impact products using x86 architecture, including Intel and other manufacturers' microprocessors.
What we know
- These vulnerabilities do not directly target Veritas software products
- Veritas Appliances are affected because the hardware platform uses Intel components. The impact requires a local user to install and run a binary to gain access to another process's memory.
- The issue is specifically isolated between the hardware architecture and operating system, which affects nearly every hardware vendor using modern processor technologies
- Guidance from our vendors indicates that the mitigation of these vulnerabilities will require updates from both Intel and Red Hat
Veritas is committed to the security and safety of its products, our customers, and most importantly, the data we protect. We have evaluated and determined our course of action at this time will be as follows:
- All current supported NetBackup Appliance platforms including the 5340, 5240, 5330, 5230, 5220, and Virtual Appliances addressed Variant 1 (Spectre, CVE-2017-5753) and Variant 3 (Meltdown, CVE-2017-5754) in the software release v3.1.1.
- Veritas has decided to discontinue plans to produce a 18.104.22.168 release due to the low CVSS score, low exploitability, and other factors. Veritas strongly advises customers to upgrade to v3.1.1 if they require remediation.
- It should be noted that the vulnerabilities are considered local only. A user must have local access on the appliance itself to execute these exploits. As always, it is good practice to ensure basic security measures are taken to minimize impact and mitigate risks. Veritas strongly recommends restricting access to critical backup infrastructure, including appliances, using industry best practices for access control.
- Variant 2 (CVE-2017-5715) can be addressed by Veritas with an EEB for appliances that use software versions 3.1.1 and 3.1.2. See the following link for details and to obtain the EEBs: https://www.veritas.com/support/en_US/article.100043541.html
- Variant 3a (CVE-2018-3640) can only be addressed with a microcode update from Intel. Veritas is still waiting for Intel to release a production version, and we do not have an ETA. Variant 3a is a low-impact vulnerability.
- Variant 4 (CVE-2018-3639) can be addressed by Veritas with an update to kernel version 3.10.0-862.3.2. This update is currently planned for a future release.
Veritas Appliance Platforms that will not receive a patch or update:
- Veritas 5020 and 5030 Target Deduplication Appliance platforms
  - These platforms run versions of SuSE SLES Linux that are beyond End of Support
- Velocity 7330 Appliances
  - This platform runs a version of RHEL for which Red Hat is not providing us an update
- Backup Exec 3600 Series Appliances
  - These appliances may be able to receive a patch from Microsoft as they run Microsoft Storage Server 2008R2 as their base platform operating system
Veritas will not be providing patches for Appliance software OR hardware platforms that have reached their End of Support Life. For more information on Appliance EOSL, please visit https://www.veritas.com/support/en_US/article.100038921
Performance Impact Update
After thorough testing and evaluation, Veritas has determined that there is no performance impact or degradation on any appliance platform in conjunction with Variants 1 & 3. Further details about Variant 2 will be available when the EEB is released.
For more information on the vulnerabilities, and a statement from Intel, please review the following links:
Veritas will communicate any new and updated information as soon as we discover and verify the information. Questions and comments are welcomed, and should be directed to Veritas Support.
Continue to monitor this Alert for updates. Veritas will provide additional communication updates via this Alert on patch strategy, availability, and timing of release to address these vulnerabilities.