IBM Storage — Meltdown/Spectre

Share this post:

Three security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory have been made public. These vulnerabilities all make use of speculative execution to perform side-channel information disclosure attacks. The first two vulnerabilities, CVE-2017-5753 and CVE-2017- 5715, are collectively known as Spectre, and allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, is known as Meltdown, and allows user-level code to infer the contents of kernel memory. The vulnerabilities are all variants of the same class of attacks and differ in the way that speculative execution is exploited.

Product Impact

These vulnerabilities are present in many microprocessors, such as processors used by IBM Storage Appliances and IBM Storage Spectrum software running on servers, including IBM Elastic Storage Server systems. To exploit any of these vulnerabilities, an attacker must be able to run malicious code on an affected system.

IBM Storage Appliances are not impacted by this vulnerability, because unlike general purpose computing systems, they are closed systems and are designed to prevent users from loading and executing code other than code provided by IBM.  Nonetheless, in an abundance of caution, IBM is evaluating firmware updates provided by the server and OS vendor(s) to IBM Storage Appliances.

IBM Storage Spectrum software running on servers, including IBM Elastic Storage Server system (which is not a closed system), must follow the guidelines established by the server and OS vendor(s).

For all IBM storage products, we recommend implementing any firmware updates in accordance with your normal procedures.

IBM currently has no knowledge of any adverse use of the vulnerabilities that are described in this advisory.

from IBM Product Security Incident Response Team http://ift.tt/2DiBUvZ