History: Jun 18, 2018 - 1:42 a.m.

Security Bulletin: IBM Cloud Private has released a patch in response to the vulnerabilities known as Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754)

2018-06-18 01:42:08
www.ibm.com
CVSS3: 5.6 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4.7 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N

Summary

On Wednesday, January 3, 2018, researchers announced security vulnerabilities known as Spectre and Meltdown. These security vulnerabilities are being tracked across three security advisories: CVE-2017-5753, CVE-2017-5715, CVE-2017-5754. Additional details can be found at this link.

IBM has analyzed these vulnerabilities for IBM Cloud Private as well as the IBM Cloud Foundry platform and IBM Cloud Automation Manager, which run as workloads on IBM Cloud Private, and released the following guidance.

IBM Cloud Private is an application platform that is installed on customer-provided virtual machines and operating systems. The operating systems may need to be patched according to vendor instructions, but IBM Cloud Private itself does not require patching.

IBM Cloud Automation Manager (CAM) runs as containers in IBM Cloud Private and will also not require patching. The operating systems for the running IBM Cloud Private nodes may need to be patched as mentioned above.

IBM Cloud Foundry Platform will need to be patched with the latest fix pack.

Vulnerability Details

CVEID: CVE-2017-5753
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a bounds check bypass in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cross the syscall boundary and read data from the CPU virtual memory.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137052 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)

CVEID: CVE-2017-5754
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a rogue data cache load in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cause the CPU to read kernel memory from userspace before the permission check for accessing an address is performed.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137053 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2017-5715
DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex A57 CPUs could allow a local authenticated attacker to obtain sensitive information, caused by a branch target injection in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to leak memory contents into a CPU cache and read host kernel memory.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137054 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

IBM Cloud Private 2.1.0.0-2.1.0.1

Workarounds and Mitigations

IBM Cloud Private:

IBM Cloud Private does not provide the operating system on which it is deployed. The customer should patch all virtual machines where IBM Cloud Private is or will be installed according to vendor instructions. This would include all the virtual machines that contain Master, Worker, Management and Proxy nodes.

Instructions for patching existing Virtual Machines:

1. Log on to the virtual machine and update the operating system following the instructions for your specific operating system. Note: A reboot is required for the patch to work.

RedHat: https://access.redhat.com/security/vulnerabilities/speculativeexecution

Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

IBM Cloud Automation Manager Containers:

IBM Cloud Automation Manager (CAM) runs as containers in IBM Cloud Private and will not require patching. The operating systems for the running IBM Cloud Private nodes may need to be patched as mentioned above.

After restarting all patched Master, Worker, Management and Proxy ICP nodes, CAM may also require a restart of the interface microservices.

To restart the CAM interface microservices, refer to these instructions: https://www.ibm.com/support/knowledgecenter/en/SS2L37_2.1.0.1/cam_restart_icp.html

Instructions for patching existing Virtual Machines:

1. Log on to the virtual machine and update the operating system following the instructions for your specific operating system. Note: A reboot is required for the patch to work.

RedHat: https://access.redhat.com/security/vulnerabilities/speculativeexecution

Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

2. For content runtime VMs, after restarting the virtual machine, execute the following command to restart your docker containers:

cd /root/advanced-content-runtime; ./launch-docker-compose.sh
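
To confirm that the kernel fixes are active after the update and reboot described in both patching procedures above (IBM Cloud Private nodes and CAM content runtime VMs), the following added example, which is not part of the IBM bulletin, reads the Linux sysfs mitigation status for the three CVEs. It assumes the updated kernel exposes /sys/devices/system/cpu/vulnerabilities; cve_for and check_node are names chosen for this example.

```shell
#!/bin/sh
# Added example: report Spectre/Meltdown mitigation status from Linux sysfs.
# Assumption: the updated kernel exposes the directory below; a kernel that
# lacks it cannot report its status and is treated as UNKNOWN.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map each sysfs entry to the CVE named in the bulletin.
cve_for() {
    case "$1" in
        spectre_v1) echo CVE-2017-5753 ;;
        spectre_v2) echo CVE-2017-5715 ;;
        meltdown)   echo CVE-2017-5754 ;;
    esac
}

# check_node [DIR]: print one status line per CVE.
# Returns 0 if every entry is mitigated or not affected,
#         1 if any entry reports vulnerable (takes precedence),
#         2 if nothing is vulnerable but an entry is missing.
check_node() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in spectre_v1 spectre_v2 meltdown; do
        cve=$(cve_for "$name")
        if [ ! -r "$dir/$name" ]; then
            echo "$cve ($name): UNKNOWN - no sysfs entry, kernel may not be updated"
            if [ "$rc" -eq 0 ]; then rc=2; fi
            continue
        fi
        status=$(cat "$dir/$name")
        case "$status" in
            "Not affected"*|"Mitigation:"*)
                echo "$cve ($name): OK - $status" ;;
            *)
                echo "$cve ($name): VULNERABLE - $status"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage on a node, after the reboot:  check_node || echo "node needs attention"
```

Run it on every Master, Worker, Management and Proxy node; a non-zero return on any of them means that node still needs the vendor kernel update or a reboot.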

Instructions for new Virtual Machine Deployments

1. The latest updates to the IBM-provided templates are in GitHub and will be used when deploying.

2. If you have used the Clone IBM-AutomationContentHub and IBM-CAMHub-Open template to clone your templates, it is recommended that you pull the latest versions of those templates.

3. VMware: Update your operating system templates to include the fixes from the operating system vendors.

4. IBM/AWS: If you are not using the latest operating system template, update your reference to point to an operating system that has the kernel patch.

IBM Cloud Foundry platform:

Customers using the IBM Cloud Private Cloud Foundry platform will need to upgrade their environments to the latest fix pack in Fix Central. The fix can be found in Fix Central here: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-2.1.0.1-build482434&includeSupersedes=0.

See the readme associated with that fix for instructions on how to install.

Possible Impacts

The operating system vendors have documented that the patches that mitigate the attacks described in these vulnerabilities may impact system performance. The amount of impact will depend upon the specific system, make, and model of the microprocessors, as well as the characteristics of the workloads. Please refer to the operating system vendor documentation that describes these impacts and available options to mitigate these impacts.
