Spectre and Meltdown Vulnerabilities
Public News | 10 January 2018
What are Spectre and Meltdown?
On 3rd January 2018, two major security vulnerabilities were revealed, called Spectre and Meltdown. These vulnerabilities were found to exploit a design flaw in processors, a piece of hardware that is used in computerised devices, putting users' data at risk.
Is my intranet affected?
Like desktop computers, servers use processors to function. This means that any website that's hosted on a server - including Claromentis intranets - is at risk from the Spectre and Meltdown vulnerabilities.
What actions are Claromentis taking?
At Claromentis we take security seriously. We have taken swift action to ensure that the risks posed by Spectre and Meltdown are minimised as much as possible.
The action we have taken will differ depending on your type of intranet hosting package.
SaaS (Cloud hosted) Clients
Operating System actions
- A Red Hat/CentOS patch has been applied to the CentOS mirrors (we use CentOS 7 across all of our servers) that patches all three vulnerabilities - CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715.
- We've updated all of our servers to the latest CentOS kernel (3.10.0-693.11.6.el7.x86_64) that includes the above patches and rebooted.
- We have performed checks to ensure all VMs (virtual machines) are now on this patched kernel version.
Cloud Infrastructure/Hardware actions
- Google have already patched the underlying infrastructure as they have known about these vulnerabilities since June 2017.
- The Claromentis SaaS platform is built on Google Compute Engine, which is already patched. You can see confirmation of this here.
Will performance be affected?
There has been some talk in the media that the patches will cause a considerable performance impact. However, Google have found that the performance impact is negligible. Please see 'Is performance impacted' in this Google blog post. We'll follow this up with performance testing of our own, but the first priority is of course security.
What will happen next?
There is no further action required from either the client or Claromentis. However, we want to let you know that Red Hat are set to release a script that will diagnose the vulnerability. Once this script is released, we'll run it on the servers as a secondary check to ensure that the patched kernel has resolved the vulnerability. We like to be safe!
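As an added example (not Claromentis' own tooling or the Red Hat script mentioned above), the kind of check described in the two passages above can be scripted: compare the running kernel release against the patched CentOS 7 release named in this notice, then read the kernel's own mitigation status files where the kernel provides them. The sysfs status files assumed here are only exposed by kernels that ship that interface, so on the 3.10.0-693.11.6 build their absence is expected and is reported rather than treated as a failure.

```shell
#!/bin/sh
# Added example, not Claromentis code. Assumes the patched release named in the notice.
# kernel_at_least MIN CURRENT -> 0 when CURRENT is MIN or newer. Releases are
# split on '.' and '-' (architecture suffix dropped); numeric fields compare
# numerically, text fields such as "el7" lexically, so no sort -V is needed.
kernel_at_least() {
    min=$(printf '%s' "$1" | sed 's/\.x86_64$//; s/-/./g')
    cur=$(printf '%s' "$2" | sed 's/\.x86_64$//; s/-/./g')
    while [ -n "$min" ] || [ -n "$cur" ]; do
        m=${min%%.*}; c=${cur%%.*}
        case $min in *.*) min=${min#*.} ;; *) min= ;; esac
        case $cur in *.*) cur=${cur#*.} ;; *) cur= ;; esac
        : "${m:=0}" "${c:=0}"          # a missing trailing field counts as 0
        case "$m$c" in
            *[!0-9]*) if [ "$c" \> "$m" ]; then return 0; fi
                      if [ "$c" \< "$m" ]; then return 1; fi ;;
            *)        if [ "$c" -gt "$m" ]; then return 0; fi
                      if [ "$c" -lt "$m" ]; then return 1; fi ;;
        esac
    done
    return 0
}

# check_running_kernel MIN -> 0 if the running kernel is at least MIN and no
# sysfs status file reports "Vulnerable". Those files exist only on kernels
# that ship the mitigation-status interface, so absence is reported, not failed.
check_running_kernel() {
    status=0; running=$(uname -r)
    if kernel_at_least "$1" "$running"; then
        echo "kernel $running: at or above patched release $1"
    else
        echo "kernel $running: OLDER than patched release $1"; status=1
    fi
    for v in meltdown spectre_v1 spectre_v2; do
        f=/sys/devices/system/cpu/vulnerabilities/$v
        if [ -r "$f" ]; then
            state=$(cat "$f"); echo "$v: $state"
            case $state in Vulnerable*) status=1 ;; esac
        else
            echo "$v: status file not present on this kernel"
        fi
    done
    return $status
}

# Patched kernel release named in this notice (override with a first argument).
if check_running_kernel "${1:-3.10.0-693.11.6.el7.x86_64}"; then
    echo "RESULT: patched"; else echo "RESULT: needs attention"; fi
```

Run it on each VM (or from a fleet tool) and treat any "needs attention" result as a host still to be patched or rebooted.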
Client hosted intranets
If you host your Claromentis intranet within your own network, then your IT team will need to take the necessary steps to patch both the OS and underlying infrastructure, as this is not controlled by Claromentis.
See the guide here for advice on how to patch Windows servers.
See the guide here on how to patch RedHat/CentOS servers (click on 'resolve' for further guidance).
We're more than happy to provide advice - if you're unsure what to do, please submit a support ticket.