Riva CRM Integration - Documentation and Knowledge Base

Responding to Spectre and Meltdown

Article ID: 1737
Last updated: 22 Jan, 2018

Concerning: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Update As Of: 2018-01-18 12:00 PM PST

All critical severity issues related to the above mentioned CVEs have been addressed.

Summary

Riva Cloud leverages Amazon AWS. The Amazon response to the above concerned CVEs can be found here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Amazon attests that all "instance-to-instance" and "instance-to-host" related concerns have been mitigated, regardless of operating systems.

All instances across the Amazon EC2 fleet are protected from all known instance-to-instance concerns of CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. Instance-to-instance concerns assume an untrusted neighbor instance could read the memory of another instance or the AWS hypervisor. This issue has been addressed for AWS hypervisors, and no instance can read the memory of another instance, nor can any instance read AWS hypervisor memory. As previously stated, we have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.

All EC2 instances used on Riva Cloud are based on HVM Instance Types – the Riva Cloud environment is not affected by the “PV Instance Guidance” comments in the AWS security bulletins.

The remaining remediation activities relate to updating each instance operating system to prevent any "process-to-process".

Ongoing Activities

All operating systems are being upgraded based on each vendor's recommendations.

The following operating systems are currently being upgraded:

  1. Microsoft Windows 2008, 2012, 2016 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002).
  2. Amazon Linux (https://alas.aws.amazon.com/ALAS-2018-939.html).
  3. Redhat Linux (https://access.redhat.com/security/vulnerabilities/speculativeexecution).

Ongoing Verification

Riva Cloud uses Qualys as part of a comprehensive security program. Qualys provides near real-time assessments of the Riva Cloud infrastructure and any outstanding CVE.

Article ID: 1737
Last updated: 22 Jan, 2018
Revision: 9
Views: 3101