
Dear LIR mailing list subscribers,

You may be aware of the "Meltdown" and "Spectre" vulnerabilities that 
were disclosed in the media during the past 24 hours. These are 
vulnerabilities in CPUs (notably, but not only, Intel CPUs made since 
1995) which can allow programs to access memory, and therefore sensitive 
restricted information, that they should not have access to.

The immediate problem can be worked around with operating system 
patches. This vulnerability was originally scheduled to be disclosed 
next Tuesday by the vendors; because of the early disclosure, some 
patches are still being readied for release.

The vulnerability itself appears to require local code execution to 
exploit. In some situations, this may be very easy; in other scenarios, 
where a device is well isolated from user input, it can be much more 
difficult. We are working to identify affected systems in HEAnet and 
apply fixes once they are available. This is likely to require emergency 
maintenance on certain services as we perform the reboots necessary to 
patch their kernels (in line with industry practice.) We will be in 
touch as these are scheduled.

We also suggest that you install security updates on your own systems as 
they become available (but we also note that the mitigation may incur a 
performance penalty.) Please note that, for virtual machines, both the 
host and its guest VMs are likely to need to be patched.

The details of the vulnerabilities are at Google Project Zero: 
<https://googleprojectzero.blogspot.ie/2018/01/reading-privileged-memory-with-side.html>

And at CERT: http://www.kb.cert.org/vuls/id/584653

We will be in touch with further information as it arises, and if you 
have any questions please don't hesitate to contact [log in to unmask].

Regards,
Brian.

--
Brian Boyle, Head of Infrastructure
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040, [log in to unmask], www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270