Things you need to know about the recent CPU vulnerability issue

January 19, 2018

Recently, an industrywide vulnerability was identified by Google that involves modern microprocessor architectures. Based on new security research, there are software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed.

Often referred to as the Side-Channel Analysis Method, or Spectre and Meltdown, this vulnerability impacts microprocessor architectures from multiple CPU vendors, including HPE, Intel, AMD, and ARM. To address this vulnerability, hardware and software vendors from across the industry, have been working together to publish the appropriate resolutions. Depending on which vendor you have, we’d recommends customers review statements and associated sites published by the microprocessor vendors.

These can be seen here:

HPE: https://news.hpe.com/hpe-provides-customer-guidance-in-response-to-industrywide-microprocessor-vulnerability/
Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
AMD: http://www.amd.com/en/corporate/speculative-execution
ARM: https://developer.arm.com/support/security-update
AZURE: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

An important aspect of the Side-Channel Analysis Method is that it requires malware to run locally on a system. This particular vulnerability doesn’t directly enable alteration, deletion, destruction, or encryption of data—but data may potentially be extracted from the computer systems. Therefore, it is important to practice good security hygiene, including always keeping your software and firmware current.

Frequently asked questions

1. Does the microprocessor vulnerability affect all technology vendors?

Yes. The microprocessor vulnerability affects all technology vendors using modern microprocessors. All products and solutions impacted by this vulnerability require the appropriate operating system and ROM updates.

2. Is the microprocessor vulnerability due to an active attack or breach?

No. There have been no known attacks. This microprocessor vulnerability is due to a design flaw, which when analysed via the side-channel methodology, can enable someone to deduce data. Applying the appropriate operating system and microprocessor updates for your HPE systems, mitigates the risk associated with this vulnerability.

3. What is the magnitude of the security vulnerability?

New security research identified software analysis methods that, when used maliciously, have the potential to improperly gather sensitive data from computing devices that are operating as designed. For more and the latest information, click on the above links.

4. What is the resolution?

Resolution of this vulnerability requires both an operating system update, provided by the OS vendor, and a System ROM update. Depending on which systems you are running, you can find instructions on appropriate actions to take on the vendor Vulnerability Websites.

5. Which operating systems are impacted?

Windows, Linux, and VMWare are impacted. Operating system vendors are providing OS patching updates and the majority of customers should not see a noticeable performance impact with this update.

6. Which microprocessors are impacted?

Most microprocessors with modern architectures can be impacted by the Side-Channel Analysis Method.

7. Are all hardware manufacturers impacted?

All hardware manufacturers as well as public cloud service providers that use affected modern microprocessor architectures are potentially impacted. Mobile phones and client computers may also be impacted—refer to providers of those products for more details.

8. After I patch my systems, will there be an associated impact to performance?

In most cases, we expect performance impact will typically be minimal but will vary with OS and workload.