Researchers recently discovered two new security vulnerabilities, known as Meltdown and Spectre, that affect most modern computing devices and systems. In this statement, Exosite shares the information we have about these vulnerabilities, the steps we’ve taken to protect our customers from them, and additional information and recommended actions for our customers to take to protect themselves.
Background
A design characteristic in modern processors introduced two vulnerabilities, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), affecting CPUs from Intel, AMD, and ARM.
Meltdown primarily affects Intel CPUs and circumvents normal security boundaries, allowing malicious applications to harvest credentials or other sensitive information from a system's memory. Experts suggest that Meltdown has the highest probability of exploitation and could even be accomplished through simple means, such as JavaScript within a browser.
Spectre affects not only Intel processors but also AMD and ARM processors. It can allow hackers to harvest sensitive information from applications. Experts indicate that this flaw is harder for hackers to exploit, but may also be more difficult for companies to fix.
Although there have been no reports of attackers exploiting either vulnerability, demo code has been released to demonstrate the methods that may be used to exploit Meltdown. In response, many companies will provide software and firmware updates to help mitigate these vulnerabilities.
Exosite’s Response
In alignment with our Terms of Service, Exosite is working to ensure the protection of our customers’ confidential information, including any confidential information housed on our Murano platform.
Exosite’s Murano platform runs on Amazon Web Services (AWS), an ISO 27001 and ISO 27017 certified cloud services provider, and our core services leverage the Amazon EC2 service. AWS has indicated that their EC2 fleet is protected from all known threat vectors associated with both Meltdown and Spectre. See their security bulletin for additional information.
In addition to the patches Amazon has applied, Exosite’s security team is working to test and apply Meltdown patches from trusted operating-system vendors as they become available.
Recommended Customer Response
Because of the widespread nature of these vulnerabilities, Exosite recommends that our customers take appropriate action to protect their systems, including carefully monitoring the availability of updates provided by trusted device manufacturers and trusted operating-system vendors and applying these updates as applicable. This may include:
- Applying available Windows updates (KB4056892). See the Microsoft Update Catalog for additional information.
- Applying available browser updates.
- Applying vendor-provided BIOS hardware updates.
Summary
Exosite’s security team has been watching this issue since it surfaced, and we have been monitoring the status of AWS’s response to ensure the confidentiality, integrity and availability of our Murano platform. As the situation progresses, we will make additional information available via our support site; customers may also contact Exosite Support directly with questions or concerns.