Advisory for Spectre and Meltdown

Advisory ID: Compuverde-20180129-1
First Published: 2018-01-30 8:00 GMT
Last Updated: 2018-01-30 8:00 GMT
Version: 0.1
Workarounds: No
Compuverde Bug IDs:  

 

Summary:

The security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory, collectively known as Spectre (designated as CVE-2017-5753 and CVE-2017-5715) and Meltdown (designated as CVE-2017-5754), have been made public. The vulnerabilities are significant, since an exploit could allow attackers to gain unauthorized access to sensitive data.

An exploit would require an attacker to gain access to the targeted computer (or server) via a prior step, such as running a malicious application on it. Thus, the one immediate action clients can take to protect themselves is to prevent execution of unauthorized software on any system that handles sensitive data, including adjacent virtual machines.

Compuverde storage nodes are not general-purpose computers where users are able to log on to execute applications. For this reason, Compuverde's exposure to these vulnerabilities is limited. Nonetheless, Compuverde will provide firmware updates for users to install on all Compuverde storage nodes.

In addition, users are advised to update all parts of the storage environment according to the respective vendors' instructions, including computers running the Compuverde management tool, servers used for authentication, authorization, antivirus, etc. For a hyper-converged deployment of Compuverde, all patches for the appropriate hypervisor layer need to be put in place to ensure protection of the Compuverde virtual environment.

Compuverde currently has no knowledge of any adverse use of the vulnerabilities that are described in this advisory.

Details:
Spectre (designated as CVE-2017-5753 and CVE-2017-5715) and Meltdown (designated as CVE-2017-5754)

Vulnerable products:
All Compuverde versions prior to 1.7.0.0-299, or installations where the installed kernel version is below 4.9.76.

Product confirmed not vulnerable:

 

Workarounds:
N/A

Fixed software:
Updates will be provided as they are processed through QA and deployed.

Revision history:

Version    Description      Section    Status         Date
0.1        First version    All        Preliminary    2018-01-30