Status of Meltdown and Spectre vulnerabilities
It is undeniable that Open Source isn't just delivering the building blocks of our digital world but, thanks to the growing number of professionals involved, is also helping to make our infrastructure more secure.
Thanks to the efforts of developers and researchers, software and hardware vulnerabilities are constantly being discovered and fixed.
One of the latest discoveries made by independent researchers, probably tipped off by a presentation given by Anders Fogh at the BlackHat Conference in 2016, is that serious security flaws have been baked into computer chips for decades. It may be surprising that serious flaws can remain undiscovered for such a long time, but most processor manufacturers aren't very open about the design of their products, so it may take a lot of time and patience to test and confirm those vulnerabilities by, nearly, blindly testing any formulated hypothesis.
Much has been and can be said about it but most of you may wonder "Should I start panicking?"
Should you do something about it?
Those who, unfortunately, haven't yet discovered that private Cloud can be a lot more cost effective than public Cloud should have received notifications from their providers that patches are being applied to the virtualisation environment and that clients should patch their own virtual machines as well.
Until your Cloud provider applies patches to the hypervisor and the related CPU microcode there isn't much you can do about it, so just relax but hope that nobody sharing the host with you wants to test whether the exploits work. Keep in mind that some early patches applied by your Cloud provider may affect the stability of your VMs. We noticed that some vendors issued updates but quickly withdrew them when they realised they were causing problems.
Once you get confirmation from your provider that the patches have been tested and applied then proceed to install the updates available for the vendors we represent.
Note: patches that mitigate some of the issues will affect performance, some say by between 5 and 30%, so be prepared to see your monthly Cloud bill go up.
Are Omnis Systems partners and customers affected?
Many of our partners demonstrated to their customers that, using the right solutions, an on-premises virtualisation platform or Private Cloud is a lot more efficient than a Public Cloud so there is generally no need to rush to apply patches for the solutions we distribute.
However, there are situations where the solutions we distribute may have been virtualised on a Public Cloud, so apply the updates below as soon as you get confirmation that the hypervisors have been patched with a stable and tested release.
Updates from our partners
- Collax V-Cube - Release v. 6.8.16
- Collax Business Server - Release v. 7.0.18
- Collax Security Gateway - Release v. 7.0.18
- Collax Groupware Suite - Release v. 7.0.18
NComputing VERDE is deployed on stock CentOS so make sure you are running version 6.9 or 7 and follow the usual update steps.
Regarding the other solutions we supply please follow the instructions related to the Linux distribution you are using.
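Once the updates are installed, the guest kernel itself can report which mitigations are active. The check below is an added example, not part of the original article or of any vendor's tooling; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later, and older kernels that received the backport), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status as seen by the kernel.
# Assumption: the kernel exposes the sysfs directory below; older kernels do not.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_mitigations [DIR]
# Prints one line per issue. Returns 0 if every entry is mitigated or not
# affected, 1 if any entry is vulnerable or missing, 2 if DIR does not exist.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no status directory at $dir: kernel lacks the reporting interface" >&2
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(head -n 1 "$dir/$name")
            state=$(classify_status "$line")
        else
            # A kernel that reports some issues but not this one is treated as unpatched.
            line="(no entry)"
            state=unknown
        fi
        printf '%-11s %-12s %s\n' "$name" "$state" "$line"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Check the live system only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_mitigations
fi
```

A return code of 2 means the kernel is too old to report its status, which on a guest that should have been updated is itself a sign that the update has not been applied or the VM has not been rebooted into the new kernel.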
More resources about Meltdown and Spectre
Many articles and blog posts have been written about these vulnerabilities, but for most of what you need to know about them, and for links to many of the vendors involved, head to the Meltdown and Spectre attack site.