Impact of Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715) on Veritas Velocity

  • Article ID: 100042202
  • Last Published:
  • Product(s): Velocity

Severity

High

Description

Public security research has disclosed side-channel analysis vulnerabilities identified as "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5753 & CVE-2017-5715) that impact products using x86 architecture, including Intel and other manufacturers' microprocessors.

What We Know

  • These vulnerabilities do not directly target Veritas software products

  • The Veritas Velocity Management Service is indirectly affected as it is hosted in Amazon Web Services (AWS). Amazon Web Services have already patched their underlying infrastructure as per their security bulletin: Processor Speculative Execution Research Disclosure

  • For the 7330 appliances, no patch is available from Red Hat, so as stated in  ; the recommended mitigation is to control access to the appliance.

Veritas is committed to the security and safety of its products, our customers, and most importantly, the data we protect. We have evaluated and determined our course of action will be as follows:

  • As per the AWS recommendation in their security bulletin, Veritas will be applying vendor-specific patches to all our instances hosted in EC2.

  • Meltdown - CVE-2017-5754
    • Not all vendors currently have patches available for these vulnerabilities. As they become available we will apply these patches and update this tech-note with the schedule.
    • This rollout will be completed as fixes become available.
  • Spectre - CVE-2017-5715 and CVE-2017-5753
    • Not all vendors currently have patches available for these vulnerabilities. As they become available we will apply these patches and update this tech-note with the schedule.

Action Required

Continue to monitor this tech-note for updates. Veritas will provide additional communication updates via this tech-note on patch strategy, availability, and timing of release to address these vulnerabilities.
