High Severity

IBM Storage — Meltdown/Spectre

Share this post:

Three security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory have been made public. These vulnerabilities all make use of speculative execution to perform side-channel information disclosure attacks. The first two vulnerabilities, CVE-2017-5753 and CVE-2017- 5715, are collectively known as Spectre, and allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, is known as Meltdown, and allows user-level code to infer the contents of kernel memory. The vulnerabilities are all variants of the same class of attacks and differ in the way that speculative execution is exploited.

Product Impact

These vulnerabilities are present in many microprocessors, such as processors used by IBM Storage Appliances and IBM Storage Spectrum software running on servers, including IBM Elastic Storage Server systems. To exploit any of these vulnerabilities, an attacker must be able to run malicious code on an affected system.

IBM Storage Appliances are not impacted by this vulnerability, because unlike general purpose computing systems, they are closed systems and are designed to prevent users from loading and executing code other than code provided by IBM. Nonetheless, in an abundance of caution, IBM is evaluating firmware updates provided by the server and OS vendor(s) to IBM Storage Appliances.

In the case of IBM Cloud Object Storage systems, execution of non-IBM code is supported, but proper security credentials are required to install said code on the systems.  Cloud Object Storage systems updates to address these vulnerabilities are dependent on OS vendor(s) updates being released and will be provided on FixCentral when available.

IBM Cloud Object Storage software running in a shared virtual environment and IBM Storage Spectrum software running on servers, including IBM Elastic Storage Server system (which is not a closed system), must follow the guidelines established by the server and OS vendor(s).

Before installing patches from OS vendor(s) on Spectrum Scale and Elastic Storage Server system, please refer to the interoperability matrix here.

The IBM Spectrum Protect Plus software is shipped as a virtual machine image that contains its own OS distribution and the updates for this OS distribution should be applied following the procedures outlined here.  This is in addition to following the guidelines established by the server and OS vendors for the servers that host the IBM Spectrum Protect Plus image.

For all IBM storage products, we recommend implementing any firmware and OS updates in accordance with your normal procedures.

IBM currently has no knowledge of any adverse use of the vulnerabilities that are described in this advisory.

More High Severity stories

IBM Security Bulletin: Vulnerability in strongswan affects QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter

Jun 16, 2019 9:01 am EDT | Medium Severity

The following vulnerability in strongswan has been addressed by QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter: CVE(s): CVE-2018-10811 Affected product(s) and affected version(s): Product Affected Version QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter Firmware Update 7.10 Refer to the following reference URLs for remediation and ...read more


IBM Security Bulletin: Vulnerabilities in OpenSSL and strongswan affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru

Jun 16, 2019 9:00 am EDT | Medium Severity

The following vulnerabilities in OpenSSL and strongswan have been addressed by IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru. CVE(s): CVE-2018-0739, CVE-2018-10811 Affected product(s) and affected version(s): Product Affected Version IBM Flex System FC3171 8Gb SAN Switch and IBM Flex System FC3171 8Gb SAN Pass-thru Firmware Update 9.1 Refer to the following reference ...read more


IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX

Jun 15, 2019 9:01 am EDT | High Severity

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 8.0.5.25, 8.0.5.20, and 7.0.10.30, used by IBM Sterling Connect:Direct for UNIX. IBM Sterling Connect:Direct for UNIX has addressed the applicable CVEs. CVE(s): CVE-2018-12547, CVE-2018-1890 Affected product(s) and affected version(s): IBM Sterling Connect:Direct for Unix 6.0.0 IBM Sterling Connect:Direct for Unix 4.3.0 IBM Sterling Connect:Direct for ...read more