Date: Dec 08, 2018 - 4:55 a.m.

Security Bulletin: Aspera Products and the Meltdown and Spectre vulnerabilities (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)

www.ibm.com

CVSS3: 5.6 Medium
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4.7 Medium
  Access Vector: LOCAL
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N


Summary

The industry-identified CPU vulnerabilities known as “Meltdown” and “Spectre” affect software products from all vendors running in all environments, across CPU types and OSs. While the vulnerabilities (and the remedies) are at the OS and CPU level and are not specific to IBM Aspera software, systems should be updated with the industry-specified remediations as they become available from OS providers.

Vulnerability Details

“Meltdown”:

  • CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
    https://vulners.com/cve/CVE-2017-5754
  • <https://meltdownattack.com>

“Spectre”:

  • CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
    https://vulners.com/cve/CVE-2017-5753
  • CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
    https://vulners.com/cve/CVE-2017-5715
  • <https://spectreattack.com>

Affected Products and Versions

All software applications from any vendor may be impacted until the OS that they are running on is updated according to instructions from the OS vendor.

Remediation/Fixes - Meltdown

IBM Aspera On Demand products

On Demand images provided by IBM Aspera have CentOS bundled into them and should be updated through the following steps:

On AWS:

  1. You may want to create a copy of your current instance as a backup. To do so:
    Log in to the AWS Console.
    Select the desired instance.
    Go to: Action > Image > Create Image
  2. Connect to your server from a terminal via SSH as root:
    # ssh -i [customer's pem] -p 33001 ec2-user@[ec2 host IP]
    # sudo su
  3. Note down your current kernel version:
    # uname -r
  4. Install the patch:
    # yum update kernel
  5. Reboot your server:
    # sudo reboot
  6. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64:
    # uname -r

On IBM Cloud (Softlayer):

  1. Connect to your server from a terminal via SSH as root:
    # ssh centos@[host_IP_address]
    # sudo su
  2. Note down your current kernel version:
    # uname -r
  3. Install the patch:
    # yum update kernel
  4. Reboot your server:
    # sudo reboot
  5. Verify your new kernel version is at least 3.10.0-693.11.6.el7.x86_64:
    # uname -r
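The verification step above compares the output of `uname -r` against the bulletin's minimum kernel, 3.10.0-693.11.6.el7.x86_64, by eye. The following script is an added example (not part of the IBM bulletin) that does the comparison field by field, so that a release such as 3.10.0-862.3.2.el7 is correctly recognised as newer and 3.10.0-693.5.2.el7 as older; the sample release strings it checks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin: decide whether a CentOS 7
# kernel release is at least the Meltdown-patched minimum named above.

REQUIRED_KERNEL="3.10.0-693.11.6.el7.x86_64"

# kernel_at_least CURRENT REQUIRED
# Exit status 0 when CURRENT >= REQUIRED, 1 otherwise.
# Both strings are stripped of the ".el7.x86_64" tail and split on
# "." and "-" into numeric fields (3 10 0 693 11 6), which are then
# compared left to right; a missing field counts as 0, so the base
# release 3.10.0-693.el7 ranks below 3.10.0-693.11.6.el7.
kernel_at_least() {
    awk -v cur="$1" -v req="$2" '
    function fields(s, a) {
        sub(/\.el[0-9]+.*$/, "", s)      # drop dist tag and arch
        return split(s, a, /[.-]/)
    }
    BEGIN {
        nc = fields(cur, c); nr = fields(req, r)
        n = (nc > nr) ? nc : nr
        for (i = 1; i <= n; i++) {
            if ((c[i] + 0) < (r[i] + 0)) exit 1   # older
            if ((c[i] + 0) > (r[i] + 0)) exit 0   # newer
        }
        exit 0                                    # identical
    }'
}

# report RELEASE: print a one-line verdict for a release string.
report() {
    if kernel_at_least "$1" "$REQUIRED_KERNEL"; then
        echo "OK      $1 (>= $REQUIRED_KERNEL)"
    else
        echo "UPDATE  $1 (< $REQUIRED_KERNEL)"
    fi
}

# Constructed sample release strings, followed by the running kernel.
report "3.10.0-514.26.2.el7.x86_64"
report "3.10.0-693.11.6.el7.x86_64"
report "3.10.0-862.3.2.el7.x86_64"
report "$(uname -r)"
```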

These update steps should be applied to any version up through and including:

  • Application Platform On Demand (APOD) - v3.7.3
  • Server On Demand (SOD) - v3.7.3
  • Shares On Demand (SHOD) - v3.7.3
  • Faspex On Demand (FOD) - v3.7.3
  • Aspera Transfer Cluster Manager (ATCM) - v1.2.4

Aspera will be providing updated images on all cloud platforms soon; until then please use the update steps above for your current images. This bulletin will be updated to point to those updated images when they are available.

IBM Aspera on-premise products

The OS beneath all on-premise products should be updated with the OS vendor's remediation as soon as it is available, using the instructions provided by the vendor.

IBM Aspera SaaS products

Cloud providers that host Aspera SaaS services are rapidly updating the OS and underlying software components as updates become available from the respective vendors.

At the time of writing, the status of the Meltdown remediation on Aspera SaaS products is:

  • IBM Cloud: done
  • AWS: done
  • Azure: done
  • Google Cloud: done

Aspera SaaS subscribers who need further explanation should contact Aspera Support (email [email protected] to make the request).

Remediation/Fixes - Spectre

At the time of writing, no OS vendor has yet made remedies available for Spectre. Fortunately, the Spectre exploit is difficult to accomplish. As OS vendors make remedies available, they should be applied immediately to any OS running beneath Aspera software, and Aspera will immediately apply them in its SaaS offerings and On Demand images.

Change History

Updated 8 Jan 2018

5 Jan 2018


CPE Name: ibm aspera; Operator: eq; Version: any
