You've likely been reading about the recently disclosed research on two serious security risks known as Meltdown and Spectre. Here is some information to help you understand where your systems might be exposed.
What are Meltdown and Spectre?
In a nutshell, these flaws affect the majority of computers, servers, and smartphones built in the past 20 years. Operating system, hardware and cloud vendors had agreed on a coordinated release of this information and the corresponding patches on January 9th, but that process broke down and the vulnerabilities were disclosed prematurely, causing a rush to publish patches and fixes. For information on the specific vulnerabilities, please read more at these links: CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.
Our security partners at Alert Logic have put together an overview on Spectre and Meltdown and what the potential consequences of an exploit might be.
What does this mean for AWS instances?
Security is considered job zero at AWS; they published their statement on January 5th, 2018. Please take some time to read it, as it has detailed information to help you understand how this might affect your workloads.
You may recently have seen a spate of EC2 instance restart notifications; these were part of AWS' effort to deploy fixes to their infrastructure before the planned public disclosure.
All operating systems running on top of EC2 require patching as a matter of urgency to mitigate potential exploitation of your systems. The fixes AWS deployed protect the underlying infrastructure; they do not patch the guest operating system inside your instances.
Patches have been released by operating system vendors. The planning activity may identify special considerations requiring action beyond patching; these will be discussed with you when identified.
In addition to EC2 instances running standard operating systems, some of our customers also use third-party AMIs and appliances from the AWS Marketplace. Some of these systems may require updating, though it's possible such updates have not yet been released; our staff will include these systems in the review.
Many of our customers also have on-premises systems, and we urge you to address these vulnerabilities there as well, since many of these environments interconnect with AWS over VPN.
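One way to confirm that a patched Linux instance actually reports the mitigations, as an added example that is not TriNimbus' or AWS' code: newer kernels (mainline 4.15 and vendor backports of the fixes) expose a per-vulnerability status under /sys/devices/system/cpu/vulnerabilities/. The script below reads those files, flags any entry that still reports "Vulnerable", and returns a distinct status when the directory is absent, which means the kernel predates the interface, not that it is safe. The VULN_DIR variable, the mitigation_status and make_sample function names, and the sample values are assumptions of this example; the --demo flag uses constructed files rather than output from a real instance.

```shell
#!/bin/sh
# Added example (not TriNimbus or AWS code): report the kernel's own view of
# Meltdown/Spectre mitigation status on a Linux EC2 instance after patching.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# (mainline 4.15 and vendor backports); older kernels lack this directory.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<name>: <status>" for each of the three 2018 entries in the given
# sysfs directory. Returns 0 when every entry reads "Not affected" or
# "Mitigation: ...", 1 when any entry still starts with "Vulnerable",
# and 2 when the directory is missing (kernel too old to report at all).
mitigation_status() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not expose mitigation status, treat as unpatched" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%s: %s\n' "$name" "$status"
        case "$status" in
            # Matches plain "Vulnerable" and "Vulnerable: ..." variants.
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample directory (not output from a real instance) so the
# script can run offline: one entry still reports Vulnerable, as a kernel
# without the retpoline/IBRS fix would. Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    mitigation_status "$sample"; echo "exit status: $?"
    rm -rf "$sample"
else
    mitigation_status "$VULN_DIR"; echo "exit status: $?"
fi
```

Run it without arguments on each patched instance and keep the output with the patching record; a non-zero exit status is the signal to follow up with the vendor's guidance, and an exit status of 2 should be treated as "unpatched" rather than "unknown".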
The Final Word
Lastly, note that this is a hardware vulnerability, and the software patches released to mitigate it may therefore have a performance impact on systems. We have not seen evidence of this ourselves, but in some cases the impact may require system resizing or scaling changes.
If you are one of our Managed Services clients, our team has already been in touch with your teams regarding patching plans. We feel strongly at TriNimbus that the Cloud remains the best defense to keep your systems secure.
If you have questions, concerns or would like to talk about the potential threat to your systems, please contact us directly.