Feb 15, 2018 3:26 pm EST
Categorized: High Severity
Share this post:
On Wednesday, January 3, researchers announced a security vulnerability known as Spectre and Meltdown.
On the IBM Cloud, available vendor patches have been applied. These vendor patches across different layers, e.g. firmware, hypervisors, operating systems, software and driver vendors, etc. are regularly being monitored, tested and applied as they become available.
The security vulnerabilities, known as Meltdown and Spectre, are being tracked across three security advisories: CVE-2017-5753, CVE-2017-5715, CVE-2017-5754. Additional details can be found at this link.
At the Infrastructure Layer
Virtual Server Instances (VSIs)
The IBM Cloud infrastructure and hypervisor (that isolates client VSIs from each other) are both up to date with the latest vendor patches currently available. Variants 1 and 2 have been mitigated with the latest vendor updates on our Cloud Host platform. Maintenance occurred January 5 through January 8 to apply these patches.
We recommend that clients keep the operating system on their VSIs up to date and we strongly advise testing before applying the patches. As vendors make these images available, IBM Cloud Operations will test the image, build the package for consumption, and send notifications to clients currently using those images via the customer portal. For the latest updates to our operating system images, please see OS Images section below. Clients also can access these patches directly from the operating system vendors.
The IBM Cloud has a robust vulnerability management program. This vulnerability management program has been and continues to be reviewed as part of the IBM One Cloud compliance efforts including FFIEC, FedRAMP and PCI.
Bare Metal Servers
By definition, the Bare Metal server offering is controlled by a known tenant and has less opportunity for exploitation than one that has multiple tenants. That isolation provides a level of control on behalf of the user, as well as flexibility in applying patches as they become available or coordinating a single outage.
For this environment, clients will receive notifications as firmware and software fixes become available from our vendors. For firmware patches, we will validate within the IBM Cloud platform, and then push the code to applicable bare metal servers to make it available for download. Please watch for these updates and instructions as they become available in the client control portal.
We are proactively working with our vendors to keep our publicly available images up to date with the vendor patches for Spectre and Meltdown. At this time, each of our operating system vendors has provided patches, and these are available for new image provisions. Patches also may be found and applied directly from the vendor’s website. Clients are advised to check for further patches and updates regularly.
- Debian –7.x, 8.x and 9.x have been updated since 17 Jan 2018
- Windows –2012 and 2016 server versions have been updated since 10 Jan 2018
- Ubuntu –14.04 and 16.06 have been updated since 29 Jan 2018
- CentOS –6.x and 7.x have been updated since 20 Jan 2018
- RHEL –6.x and 7.x have been updated since 30 Jan 2018
- SuSE –12 SP2 and 13 have been updated since 20 Jan 2018
VMware has to date released vSphere patches for CVE-2017-5753 and CVE-2017-5715, summarized in advisory VMSA-2018-0002. These patches are available from the VMware Product Patches site. IBM Cloud documentation has details on the applicability of these patches for our VMware Cloud Foundation (VCF), VMware vCenter Server (VCS), and VMware vSphere Server (VSS) offerings.
IBM Container Service
We have released an updated image for clients to patch their environments. Get further instructions. Also starting two weeks ago, the kernels for all VMs that run Kubernetes worker nodes were updated with available patches. We will continue to apply vendor patches as they become available.
IBM Cloud Foundry Updates
We have successfully completed updating the IBM Cloud Foundry Platform public environments with all available patches and will continue to apply vendor patches as they become available. Dedicated and local customers should contact support or their CSM for status updates on the patching. Also as stated in the IBM Container Service section above, the kernels for all VMs that run Kubernetes worker nodes were updated with available patches. We will continue to apply vendor patches as they become available.
Watson Data Platform Layer
Under Watson Data Platform, the following services have reviewed and applied the available bare metal, OS, and VSI patches:
- Analytics Engine has been updated since 21 Jan 2018
- Spark has been updated since 11 Jan 2018
- Data Connect has been updated since 12 Jan 2018
- Big Insights on Cloud Enterprise has been updated since 31 Jan 2018
- Data Science Experience
- RStudio has been updated since 26 Jan 2018
- Canvas has been updated since 16 Jan 2018
- Watson Machine Learning
- Service API has been updated since 24 Jan 2018
- Predictive Analytics has been updated since 1 Feb 2018
- Services running in Cloud Foundry do not require additional updates:
- Data Catalog
- Machine Learning Visualization
The most immediate action clients can take to protect themselves is to prevent execution of unauthorized software on any system that handles sensitive data, including adjacent virtual machines.
Please actively monitor both your IBM Support Portal and the IBM PSIRT Blog for latest updates.