Dell EMC, IBM, and other storage companies chime in on Spectre and Meltdown
Storage arrays, whether directly attached or configured as NAS or SAN, are not immune to the Meltdown and Spectre security bugs. Arrays contain servers often called controllers, and these servers have their fair share of commodity microprocessors where the bugs like to make homes.
TechRepublic polled Dell EMC, IBM, Hewlett Packard Enterprise, NetApp, and Vantara (formerly Hitachi Data Systems). Each company provided an official statement or posted one on its website.
Of course, this impacts cloud storage too.
Dell EMC
The link to the data protection security advisory is accessible only by customers, but the public version of that advisory can be found here. Some of this information was provided to me by Dell EMC in an email.
“For Spectre/Meltdown: Because we’re a large user of Intel and AMD chipsets, Dell is currently undergoing a portfolio-wide impact assessment of our products. We’ll be cascading out information such as lists of specific products that are affected, along with links to patches/fixes/updates to products as our security and engineering teams make these available. At the moment we’re unable to give a timetable for patch/fix/update availability for any specific product. We’re asking our customers to check the links below often as we’ll be making updates to these daily.
Dell is aware of the side-channel analysis attacks (also known as Meltdown and Spectre) affecting many modern microprocessors. We are working with Intel and others in the industry to address the issue. For more information on affected platforms and next steps, please refer to the following resources. They will be updated regularly as new information becomes available.”
• Dell EMC Storage and Data Protection products http://support.emc.com/kb/516117 (customer accessible only)
• Dell EMC Server, Legacy Dell Storage & Networking product http://www.dell.com/support/article/SLN308588
• Dell Client products http://www.dell.com/support/article/SLN308587
• RSA products https://community.rsa.com/docs/DOC-85418 (customer accessible only)
• Former VCE products http://support.vce.com/kA2A0000000PHXB (customer accessible only)
• VMware https://www.vmware.com/security/advisories/VMSA-2018-0002.html
IBM
IBM posted a statement on its website:
“Google has announced a widespread CPU architectural issue potentially impacting system security. More information can be found in Google’s disclosure https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
IBM is working with our clients and industry partners on this issue, which has the potential to affect many types of computing devices from different manufacturers. It’s important to note there are no known cases where this vulnerability has been used maliciously.
Patches will be made available for IBM systems through our normal customer portals. Further details concerning potentially impacted processors in the POWER family can be found here. Per our business as usual process, all information for IBM Z clients can be found on the IBM Z Portal.
IBM Storage appliances are not impacted by this vulnerability.
Additional information will be provided through normal IBM communications channels, including IBM Security Bulletins. Please actively monitor both your IBM Support Portal and the IBM PSIRT Blog.
The most immediate action clients can take to protect themselves is to prevent execution of unauthorized software on any system that handles sensitive data, including adjacent virtual machines.
We will continue to update this blog to include more information as appropriate.”
For more recent information about IBM’s response, read this article on TechRepublic sister site ZDNet: Meltdown-Spectre: IBM preps firmware and OS fixes for vulnerable Power CPUs.
Hewlett Packard Enterprise
“HPE has been informed about an issue that affects certain microprocessors. The security of HPE products is our top priority and we have worked with our operating system and microprocessor partners to develop updates to resolve this issue for the most common OS versions and current HPE server generations, with additional resolutions to come. Customers can find a list of impacted products on the HPE vulnerability website and instructions on how to download the resolutions in the HPE Security Bulletin, or talk to their HPE representative.”
NetApp
“ONTAP is not susceptible to either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system. ONTAP is a closed system that does not provide mechanisms for running third-party code. Due to this behavior, the same is true of all ONTAP variants including both ONTAP running on FAS/AFF hardware as well as virtualized ONTAP products such as ONTAP Select and ONTAP Cloud. NetApp has advised hypervisor customers to work with their cloud platform vendors to ensure that their ONTAP product is running on a secure and patched platform.”
Vantara
“Vantara is aware of the recently published research detailing vulnerabilities that involve the abuse of speculative execution known as Meltdown and Spectre. Our engineers are working with our HW and SW partners (suppliers) to fully assess the impact and implications of this issue. We have not received any information to indicate these vulnerabilities have impacted any of our customers to-date, and our initial assessment is they would require a high level of sophistication to exploit. We are actively—and will continue—delivering updates to our customers as the situation develops and more information becomes available.”