As a part of its security operations, GoodData regularly monitors vulnerability and patch announcements to the extent they are relevant to the GoodData Platform as well as to internal company systems and devices.
GoodData Security Operations has learned about Intel CPU vulnerabilities that abuse speculative execution to bypass bounds checks (“Spectre”) and/or leverage out-of-order execution (“Meltdown”), tracked in the National Vulnerability Database under CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715.
All of these vulnerabilities have been evaluated under CVSSv3 with a severity score of 5.6 (out of 10), which translates to a medium risk. These vulnerabilities require local access and have a high attack complexity. Despite the high media attention, this type of vulnerability is relatively common from a security standpoint (usually such a vulnerability is limited to a specific version of an OS kernel). The key differences here are the vast number of affected users, the ability to bypass even the virtualization layer, and the expected performance impact of the fix.
In line with the Patch Management Policy, the GoodData Security Operations team has evaluated the impact of these vulnerabilities on the GoodData Platform components, as well as on the internal systems. The GoodData Security Operations team has also prepared a roll-out plan to ensure that these vulnerabilities are mitigated according to the internal SLAs. Thanks to the multi-layered platform architecture, only a limited number of components are exposed outside of the GoodData Platform. Even on these externally exposed components, the possible threat agents are limited to GoodData employees and Customer administrators, and additional safeguards are in place to further reduce the risk. Still, for these components the vulnerabilities are treated as critical, and the patches will be rolled out accordingly during the nearest available maintenance window after they are prepared and tested.
A cross-team task force has been established in order to prevent major performance degradation of the GoodData Platform. Its role is to ensure that the performance impact of the patches is assessed and that additional steps, including workspace rebalancing or deployment of additional hardware, are taken in parallel with the deployment of the patches.
The OS-level patches were made available by Red Hat, and as of January 16, 2018, it is still unclear whether they will be sufficient to fully mitigate the vulnerabilities, or whether additional actions, such as an upgrade of the CPU firmware, will need to be taken.
GoodData Security Operations will continue monitoring developments around these vulnerabilities to ensure that their impact is adequately mitigated.
Should you have any further questions around these vulnerabilities or general GoodData Patch Management practices, please do not hesitate to reach out to your Account Manager.