Security Advisory- Meltdown and Spectre Vulnerabilities – Updated January 7, 2018

Overview

Ex Libris is aware of the recently reported security vulnerabilities known as 'Meltdown' and 'Spectre' that affect computer processors (CPUs).  These are vulnerabilities at the architecture level and affect any computer or device, whether running Windows, OS X, Android, iOS or other operating systems.   These vulnerabilities can allow a rogue process to access other processes and memory running on the same device. Ex Libris will continue to monitor the issue and provide updates as appropriate.

Meltdown affects Intel processors.

Spectre affects Intel, AMD, and ARM processors.

Effective Security Severity Level:

High 

Affected Systems:

All servers.

Actions Taken for Cloud/Hosted Systems:

• Our Security team is monitoring the information that is released around the affected hardware, and we have evaluated Ex Libirs’ cloud exposure.
• Our security team applied security reinforcement and protection measures according to our security best practices, in order to help mitigate these vulnerabilities. We have updated our security infrastructure, such as firewalls and intrusion detection and protection tools, with the most updated signatures (CVE 2017-5715, CVE 2017-5753, CVE 2017-5754) that allow us to identify and block these vulnerabilities.
• Since there are industry reports indicating a potential performance impact associated with some of the hotfixes and patches, our Cloud Operations team is testing and certifying the applicable hotfixes and patches before they are deployed to our cloud infrastructure. We are making this testing and deployment activity a major priority. 
• Ex Libris customers are protected through the combination of the above-mentioned updated security signatures as well as the overall security mechanisms already in use in our cloud infrastructure, including network segregation and intrusion detection and prevention, as well as proactive security monitoring.
• Ex Libris will continue to monitor the issue and provide updates as appropriate.

Required Actions for On-Premises and Local Systems:

Ex Libris recommends following your vendor’s instructions.  Refer to your OS vendors for the most recent information.  The table provided below lists available patches, but check with your vendors for any updates. Because the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.
After patching, performance maybe reduced by up to 30 percent. Administrators should monitor applications and services, and work with their vendor(s) to mitigate the effect if possible.

Further Information: