Overview
Meltdown and Spectre are the names of two serious security flaws that have been found within computer processors. They could allow hackers to steal sensitive data without users knowing.
Meltdown (CVE-2017-5754)
- Can be exploited to read the contents of private kernel memory from an unprivileged user process.
- Affects all out-of-order Intel processors released since 1995 with the exception of Itanium and pre-2013 Atoms. A list of vulnerable ARM processors and mitigations is listed here. No AMD processors are affected by Meltdown.
Spectre (CVE-2017-5753, CVE-2017-5715)
- Can be exploited to extract information from other running processes (ex: stealing login cookies from browsers).
- Affects all Intel, ARM, and AMD processors to some degree.
UCX Exposure
Restricted access to 3rd party software
To exploit these vulnerabilities, an attacker would have to run their executable code on the UCX Server. E-MetroTel is very restrictive when it comes to the installation/execution of 3rd party software on UCX systems for security and supportability reasons (i.e. the UCX software platform is effectively a closed controlled environment). This E-MetroTel policy is by itself the first level of defense.
Virtualization library not installed
A virtualization library installed on a Linux system would make such exploits easier. The library has no useful purpose on UCX and thus is not installed. Without the library, the scope of possible exploits is reduced.
Updated Linux Kernel
An updated Linux kernel with a fix for these exploits has been released by RedHat on 2017 Dec 28. The changes were propagated to CentOS on 2018 Jan 4. For UCX systems that are configured to use public repositories, the kernel was available to them on 2018 Jan 4. E-MetroTel tested the CentOS kernel and released it into the E-MetroTel internal CentOS repository on 2018 Jan 5. For UCX systems that are configured to use only E-MetroTel repositories, the kernel was available to them on 2018 Jan 5.