Do we have any release plan against the latest microprocessor vulnerability (Meltdown/Spectre)?
See the following KB article:
000035890 - Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on RSA products
Are there any specific plans and action per product?
With regard to the KB article, there is a link in there for 'other Dell products', which links to a page on Dell's site that includes instructions for updating the BIOS of server hardware used in RSA hardware appliances to a newly released version.
Is this considered a recommended action by RSA? Or should we advise customers to await more information?
I can see an updated Linux kernel coming in a patch for AuthManager, but a new version of BIOS software...not so much.
I'm asking as we have customers reading these KBs etc. and putting 2 and 2 together.
(I hope nobody minds but I asked this question on another thread as well here)
We do have 2 new Dell Appliances and 3 older versions as well.
Since RSA supplies the appliances, which include the hardware, I would say that it is RSA’s responsibility to advise and test patching to ensure that no new issues are introduced or encountered.
We could all individually do the research but to me when we purchase hardware and software from a vendor we usually look to them for recommendations, especially when it relates to security software.
Sadly, the KB link isn't working for me and I get an 'unauthorized' page. We're running two virtual appliances and I'd like to understand the impact of Spectre/Meltdown and if our appliances are affected. Any suggestions?
I can't speak for RSA - they are, I think, still testing and assessing the impact on their products, but from what I've read these issues are a result of physical processor architecture flaws (so you're on better footing if your machines are virtualized), but the hypervisor running the VMs is still vulnerable (and theoretically protected memory for one VM can be read by another...).
I'd take a look at these blog posts by VMware:
Meltdown and Spectre: VMware products - vInfrastructure Blog
Meltdown and Spectre: 2018 starts with a patch. | Blog Linoproject.net
As for why you can't see the RSA KB article, I'm afraid I can't help. Just checked and I can still see it (but you have to be logged in to read it).
Hope that's something to go on. *I am not an expert*
Actually I stand corrected - the KB has been updated! It doesn't give confirmation for virtual appliances, but it does say that as the hardware appliances are "single-user, root-user-only" systems, an exploit would need admin privs to your device to leverage these vulnerabilities.
Extrapolating from that: the VM appliance is also "single-user, root-user-only", so should be equally not vulnerable (but the hypervisor still would be).
(hope it's OK to paraphrase the KB here in the forums)
Thanks for that. I can't understand why the KB isn't publicly available and I'm suspecting because I didn't sign up to the community and register our appliances/support contract, I'm not allowed to view knowledge base articles...