Knowledgebase: Security
Leostream statement on the Meltdown and Spectre vulnerabilities
Posted by Karen Gondoly, Last modified by Karen Gondoly on 01 November 2018 09:18 AM

Spectre and Meltdown are local-machine-only vulnerabilities. Any malicious process must be running on the same machine as the Connection Broker in order for the Connection Broker to be vulnerable. If you are running a Connection Broker on a stand-alone machine and are already taking precautions against unauthorized access, then your Connection Broker is not at risk from these vulnerabilities. The same applies to the database host, if the Connection Broker is using an external database.

If your Connection Broker is running on a virtual machine, a malicious process running on another virtual machine on the same host could potentially access memory from your Connection Broker. If all of your virtual machines are under your control and protected from unauthorized access, you are at lower risk.

VMware reported that VMware ESXi, VMware Workstation, VMware Fusion, and VMware vCenter Server Appliance are at risk. If you are running a Connection Broker on any of those hypervisors, Leostream recommends applying VMware's latest patches as soon as possible. Please see the following VMware statements for more information:

https://www.vmware.com/security/advisories/VMSA-2018-0004.html
https://www.vmware.com/security/advisories/VMSA-2018-0002.html
https://kb.vmware.com/s/article/52245
https://kb.vmware.com/s/article/52264

Leostream does not offer patches to the underlying CentOS operating system included in the Connection Broker virtual appliance. However, Leostream routinely tests the Connection Broker on the latest RHEL and CentOS versions. If you installed your Connection Broker using the Leostream RPM, you may manually apply the latest patches to the underlying CentOS or Red Hat Enterprise Linux (RHEL) operating system. Applying updates to your virtualization host or guest operating system will not negatively affect your Connection Broker performance.

The currently supported operating system versions for Leostream are RHEL/CentOS 6.9 for the Leostream Connection Broker 8.2.52.0, and RHEL/CentOS 7.4 for the new Leostream Connection Broker 9.0.

For more information on updates to the underlying operating system, see the following statements:
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://access.redhat.com/errata/RHSA-2018:0008
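The following script is an added example, not part of this Leostream article and not Leostream code. It shows how an administrator of a Connection Broker installed from the RPM on RHEL/CentOS can confirm, after applying the Red Hat errata above, that the running kernel reports Meltdown and Spectre mitigations, and whether a newer kernel package is still pending. It relies on two standard Linux facilities that the article does not mention: the kernel's /sys/devices/system/cpu/vulnerabilities files (present on errata kernels that carry the mitigations) and `yum check-update`. The function names and the sample status strings in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the Leostream article): verify that a RHEL/CentOS
# host running the Connection Broker reports kernel mitigations for the
# Meltdown and Spectre variants, then list any pending kernel update.
# Assumption: the kernel exposes the standard sysfs directory below; kernels
# without the mitigations backported will not have it at all.

SYSFS_VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# classify_status: take one sysfs status line, for example "Mitigation: PTI",
# "Vulnerable" or "Not affected", and print a short verdict.
# Returns 1 when the line means the host is still exposed.
classify_status() {
    case "$1" in
        "Not affected"*) echo "NOT_AFFECTED"; return 0 ;;
        "Mitigation:"*)  echo "MITIGATED";    return 0 ;;
        "Vulnerable"*)   echo "VULNERABLE";   return 1 ;;
        *)               echo "UNKNOWN";      return 1 ;;
    esac
}

# report_host: print one line per vulnerability file (meltdown, spectre_v1,
# spectre_v2, ...) on the real host. Returns 1 if any file reports
# "Vulnerable", 2 if the kernel is too old to expose the directory.
report_host() {
    rc=0
    if [ ! -d "$SYSFS_VULN_DIR" ]; then
        echo "kernel does not expose $SYSFS_VULN_DIR; apply the kernel errata first"
        return 2
    fi
    for f in "$SYSFS_VULN_DIR"/*; do
        name=$(basename "$f")
        line=$(cat "$f")
        status=$(classify_status "$line") || rc=1
        printf '%-24s %-12s %s\n' "$name" "$status" "$line"
    done
    return $rc
}

# pending_kernel_updates: on a yum-based host, show whether a newer kernel
# package is available. yum exits 100 when updates exist, so ignore its status.
pending_kernel_updates() {
    command -v yum >/dev/null 2>&1 || { echo "yum not found; skipping update check"; return 0; }
    yum -q check-update kernel 2>/dev/null || true
}

# Run only when executed directly, not when sourced for the functions.
if [ "${0##*/}" = "check-speculation.sh" ]; then
    report_host
    pending_kernel_updates
fi
```

Save the script as check-speculation.sh and run it as root on the Connection Broker host after rebooting into the updated kernel; a "VULNERABLE" verdict on any line means the update has not taken effect yet (typically the old kernel is still booted). The same check applies to an external database host.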
