Security Bulletin: Aspera Products and the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)

Summary

The industry-identified CPU vulnerabilities known as "Meltdown" and "Spectre" affect software products from all vendors, running in all environments across CPU types and OSs. While the vulnerabilities (and the remedies) are at the OS and CPU level and are not specific to IBM Aspera software, systems should be updated with the industry-specified remediations as they become available from OS providers.

Vulnerability Details 

"Meltdown":

  • CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

  • https://meltdownattack.com

 "Spectre":

  • CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753

  • CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

Affected Products and Versions

All software applications from any vendor may be impacted until the OS that they are running on is updated according to instructions from the OS vendor.

Remediation/Fixes - Meltdown

IBM Aspera On Demand products

On Demand images provided by IBM Aspera have CentOS bundled into them and should be updated through the following steps:

On AWS:

  1. You may want to create a copy of your current instance as a backup. To do so:
        Log in to AWS Console.
        Select the desired instance.
        Go to:  Action > Image > Create Image

  2. Connect to your server from a terminal via SSH as root:
        # ssh -i [customer's pem] -p 33001 ec2-user@[ec2 host IP]
        # sudo su -

  3. Note down your current kernel version:
        # uname -r

  4. Install the patch:
        # yum update kernel 

  5. Reboot your server:
        # sudo reboot

  6. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64:
        # uname -r

On IBM Cloud (Softlayer):

  1. Connect to your server from a terminal via SSH as root:
        # ssh centos@[host_IP_address]
        # sudo su -

  2. Note down your current kernel version:
        # uname -r

  3. Install the patch:
        # yum update kernel

  4. Reboot your server:
        # sudo reboot

  5. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64:
        # uname -r

These update steps should be applied to any version up through and including:

  • Application Platform On Demand (APOD) - v3.7.3
  • Server On Demand (SOD) - v3.7.3
  • Shares On Demand (SHOD) - v3.7.3
  • Faspex On Demand (FOD) - v3.7.3
  • Aspera Transfer Cluster Manager (ATCM) - v1.2.4

Aspera will be providing updated images on all cloud platforms soon; until then, please use the update steps above for your current images. This bulletin will be updated to point to those updated images when they are available.
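
The final verification step in both procedures above asks for a kernel of "at least" 3.10.0-693.11.6.el7.x86_64, and comparing those strings as text gives the wrong answer for releases such as 693.5.2. The script below is an added example, not part of the original bulletin; its function names are illustrative and it assumes a CentOS 7 style version string.

```shell
#!/bin/sh
# Added example: numeric check for the bulletin's "at least" kernel requirement.
# Assumes a CentOS 7 style version string (version-release.el7.arch).

MIN_KERNEL="3.10.0-693.11.6.el7.x86_64"   # minimum named in the bulletin

# Drop the ".elN.arch" suffix so only numeric version-release fields remain.
kernel_numeric() {
    printf '%s\n' "$1" | sed 's/\.el[0-9][0-9]*.*$//'
}

# kernel_at_least HAVE NEED: succeed if HAVE is the same as or newer than NEED.
# Fields are compared as numbers, left to right; a missing field counts as 0,
# so 693.5.2 sorts below 693.11.6 even though "5" > "1" as text.
kernel_at_least() {
    awk -v have="$(kernel_numeric "$1")" -v need="$(kernel_numeric "$2")" 'BEGIN {
        nh = split(have, h, "[.-]")
        nn = split(need, n, "[.-]")
        max = (nh > nn) ? nh : nn
        for (i = 1; i <= max; i++) {
            a = h[i] + 0
            b = n[i] + 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# uname -r reports the running kernel, so this only passes after the reboot.
running=$(uname -r)
if kernel_at_least "$running" "$MIN_KERNEL"; then
    echo "OK: running kernel $running meets minimum $MIN_KERNEL"
else
    echo "NOT PATCHED: running kernel $running is older than $MIN_KERNEL"
fi
```

Running it before the reboot reports the old kernel even when `yum update kernel` has already installed the new package, because `uname -r` reflects only what is currently booted.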

IBM Aspera on-premise products

The OS beneath all on-premise products should be updated with the OS vendor’s remediation as soon as it is available, using instructions provided by the vendor.

IBM Aspera SaaS products

Cloud providers that host Aspera SaaS services are rapidly updating the OS and underlying software components as updates become available from the respective vendors.

As of this writing, the status of applying the Meltdown remediation on Aspera SaaS products is:

  • IBM Cloud – done
  • AWS – done
  • Azure – done
  • Google Cloud – done

Aspera SaaS subscribers who need further explanation should contact Aspera Support (email support@asperasoft.com to make the request).

Remediation/Fixes - Spectre

As of this writing, no OS vendors have yet made remedies available for the Spectre exploit. Fortunately, the Spectre exploit is difficult to accomplish. As OS vendors make remedies available, they should be applied immediately to any OS running beneath Aspera software, and Aspera will immediately apply them in its SaaS offerings and On Demand images.

 

Change History

Updated 8 Jan 2018

5 Jan 2018
