Veritas Appliance Statement on Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715)

  • Article ID: 100041496
  • Last Published:
  • Product(s): Appliances

Severity

High

Description

Public security research has disclosed side-channel analysis vulnerabilities identified as "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5753 & CVE-2017-5715) that impact products using x86 architecture, including Intel and other manufacturers' microprocessors.

What we know

  • These vulnerabilities do not directly target Veritas software products.
  • Veritas Appliances are affected because the hardware platform uses Intel components. Exploitation requires a local user to install and run a binary in order to gain access to another process's memory.
  • The issue lies between the hardware architecture and the operating system, and it affects nearly every hardware vendor using modern processor technologies.
  • Guidance from our vendors indicates that mitigating these vulnerabilities will require updates from both Intel and Red Hat.

Veritas is committed to the security and safety of its products, our customers, and most importantly, the data we protect. We have evaluated and determined our course of action at this time will be as follows:

All current supported NetBackup Appliance platforms including the 5340, 5240, 5330, 5230, 5220, and Virtual Appliances will address Variant 1 (Spectre, CVE-2017-5753) and Variant 3 (Meltdown, CVE-2017-5754) via the next software release, v3.1.1, which is planned for GA release on March 5th, 2018.

Veritas has decided to discontinue plans to produce a 2.7.3.1 release due to the low CVSS score, low exploitability, and other factors. Veritas strongly advises customers to upgrade to v3.1.1 if they require remediation.

It should be noted that the vulnerabilities are considered local only. A user must have local access on the appliance itself to execute these exploits. As always, it is good practice to ensure basic security measures are taken to minimize impact and mitigate risks. Veritas strongly recommends restricting access to critical backup infrastructure, including appliances, using industry best practices for access control.

The remaining Variant 2 (CVE-2017-5715) can only be addressed via a microcode update from Intel. We are still waiting for patches and BIOS updates, and do not have an ETA for all affected platforms.
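The split described above (Variants 1 and 3 addressed in the operating system, Variant 2 dependent on Intel microcode) can be verified on a RHEL-based host from the kernel's own per-variant report. The POSIX shell check below is an added example, not Veritas, Intel or Red Hat code; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15 and later, and Red Hat's RHEL 7 backports), and the sample status strings it writes into a temporary directory for the `--demo` run are constructed to show the state this advisory describes after v3.1.1 but before a microcode update.

```shell
#!/bin/sh
# Added example, not Veritas, Intel or Red Hat code. Summarises the Linux
# kernel's own report of mitigation state for the three variants named in
# this advisory, read from the sysfs directory below (assumed present:
# mainline 4.15+ and Red Hat's RHEL 7 backports; older kernels lack it).

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# Map a sysfs file name to the variant label used in the advisory.
variant_label() {
    case "$1" in
        spectre_v1) echo "Variant 1 (Spectre, CVE-2017-5753)" ;;
        spectre_v2) echo "Variant 2 (Spectre, CVE-2017-5715)" ;;
        meltdown)   echo "Variant 3 (Meltdown, CVE-2017-5754)" ;;
        *)          echo "$1" ;;
    esac
}

# Classify one kernel status string. The kernel prefixes them consistently:
# "Not affected", "Mitigation: <name>", or "Vulnerable[: <detail>]".
# An empty string means the sysfs file is absent (kernel predates the interface).
classify_status() {
    case "$1" in
        "Not affected"*) echo notaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Read one variant's status line; prints an empty line if the file is missing.
read_status() {
    if [ -r "$VULN_DIR/$1" ]; then cat "$VULN_DIR/$1"; else echo ""; fi
}

# Print one line per variant and return 1 if any variant is still vulnerable
# or cannot be determined, so the script can gate a compliance job.
report() {
    rc=0
    for v in spectre_v1 spectre_v2 meltdown; do
        status=$(read_status "$v")
        class=$(classify_status "$status")
        printf '%-36s %-12s %s\n' "$(variant_label "$v")" "$class" \
            "${status:-<no sysfs entry>}"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample (not captured from a real appliance): a host whose kernel
# mitigates Variants 1 and 3 but still lacks the microcode-backed Variant 2
# mitigation. Prints the path of a temporary directory laid out like sysfs.
make_sample_sysfs() {
    d=$(mktemp -d)
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/spectre_v2"
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    VULN_DIR=$(make_sample_sysfs)
    report          # exits 1: Variant 2 is still reported as vulnerable
elif [ "${1:-}" = "--check" ]; then
    report          # against the live kernel on this host
fi
```

Run with `--check` on the host being assessed and `--demo` to see the constructed sample. The exit status is the useful part for fleet checks: after a v3.1.1-style update the Variant 1 and 3 entries should read `Mitigation: ...`, while, as the advisory notes, Variant 2 depends on Intel microcode, so that entry is the one to keep watching. A missing sysfs directory is reported as `unknown` rather than as mitigated, since an older kernel that cannot report its state should not pass the check.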

Veritas Appliance Platforms that will not receive a patch or update:

  • Veritas 5020 and 5030 Target Deduplication Appliance platforms
    • These platforms run versions of SuSE SLES Linux that are beyond End of Support
  • Velocity 7330 Appliances
    • This platform runs a version of RHEL for which Red Hat is not providing an update to us
  • Backup Exec 3600 Series Appliances
    • These appliances may be able to receive a patch from Microsoft, as they run Microsoft Storage Server 2008 R2 as their base platform operating system

Veritas will not be providing patches for Appliance software OR hardware platforms that have reached their End of Support Life. For more information on Appliance EOSL, please visit https://www.veritas.com/support/en_US/article.100038921

Performance Impact Update

After thorough testing and evaluation, Veritas has determined that there is no performance impact or degradation on any appliance platform from the mitigations for Variants 1 & 3. Veritas is still waiting for new microcode from Intel for all supported platforms and will therefore carry out additional performance testing specific to Variant 2.

For more information on the vulnerabilities, and a statement from Intel, please review the following links:

https://meltdownattack.com/
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

Veritas will communicate any new or updated information as soon as it has been discovered and verified. Questions and comments are welcome and should be directed to Veritas Support.

Action Required

Continue to monitor this Alert for updates. Veritas will provide additional communication updates via this Alert on patch strategy, availability, and timing of release to address these vulnerabilities.
