2018-01-10 Instructure Advisory IAC92206 - Response to Meltdown and Spectre Vulnerabilities

mhillary

    SECURITY UPDATE


  Release Date: 2018-01-10
  Description:

Response to Meltdown and Spectre Vulnerabilities

  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact:

These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. (Source: Meltdown and Spectre)

  Systems Affected: Desktop, Laptop, and Cloud computers may be affected by Meltdown. Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. (Source: Meltdown and Spectre)
  Solution Status: Patched (Meltdown; AWS Systems)
  Discovered By:

Several security researchers. See "Who reported Meltdown" and "Who reported Spectre?" here: Meltdown and Spectre

  Relevant Changesets: N/A

Summary:

Last week, security researchers released findings about a couple of impactful security vulnerabilities known as Meltdown and Spectre (see https://spectreattack.com/). Openness and transparency are important to us: we want you to know how we have responded to these vulnerabilities.

Instructure systems are hosted on Amazon Web Services (AWS). One of the biggest concerns about these vulnerabilities is their impact on shared-compute infrastructure. Researchers reported these vulnerabilities to AWS and other infrastructure providers several weeks before disclosing them publicly. AWS aggressively identified and patched all exposed systems, including all infrastructure supporting Instructure’s instances. AWS describes their efforts here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

We believe the near and present attack vectors associated with these vulnerabilities have been removed as a result of AWS’ patching. Due to the nature of these vulnerabilities impacting CPUs (even on virtualized systems), Instructure is applying the associated patches (as they become available) to Instructure’s instances hosted on AWS while meeting our availability SLAs and maintenance-notification commitments.

We encourage customers to update their systems and browsers as patches become available.

Status:

All AWS systems were patched as of 20:10 MT on 01/09/2018.