Pivotal Warns Of Spectre, Meltdown Performance Impact, Says All Versions Of Software 'Potentially Affected'
Pivotal Software released a high-severity advisory warning regarding the Spectre and Meltdown security issues, reporting that all versions of Pivotal software products could be "potentially affected" and saying it is waiting for Spectre patches to be released from other vendors before it can solve the matter.
The software and services company said users of affected versions of Pivotal software should apply mitigations that are expected to be necessary at several levels, including infrastructure and the operating system.
"Fixes for these issues are being developed by the OS vendors such as Microsoft and Canonical. For Meltdown, Pivotal issued a stemcell, a versioned Operating System image wrapped with IaaS specific packaging, a few hours after Canonical released their patch," said Pivotal in an email to CRN. "For Spectre, OS vendors anticipate releasing a patch on Jan. 22, followed by a Pivotal stemcell."
A stemcell is a customized operating system image that separates the OS and other software packages bundled in a deployment. Stemcells are used to remediate configuration issues as well as vulnerabilities in the data center or cloud.
Pivotal said that to date there are "no known attacks using Meltdown or Spectre to target Pivotal products."
The company said, however, that a malicious program potentially could exploit Spectre and Meltdown to access information stored in the memory of other running programs. Pivotal is pointing users to the Meltdown and Spectre website, where information for patches is available and said it has been directing customers and channel partners to follow instructions to upgrade to corresponding updated stemcell versions.
One top executive from a solution provider who partners with Pivotal said the company was working to make sure customer environments would not be negatively impacted by the upgrades.
"We're asking them to keep us posted if they see any changes after the remediation," said the executive, who did not wish to be identified. "There haven't been any major [complaints] yet, but we'll continue to look for any discrepancies over time."
On Jan. 18 the Pivotal Cloud Foundry Foundation Security Team issued a critical severity advisory warning, saying that "all versions of Cloud Foundry are potentially affected" by Meltdown and Spectre. Pivotal said it intends to provide new versions of stemcells as soon as updates are released.
A recent Pivotal report released online said that "based on Pivotal engineering’s initial findings from the performance testing on various infrastructures, there will be a performance impact.’
"Pivotal engineering is currently carrying out extensive performance measurements broken down by various components in Pivotal Cloud Foundry," said Pivotal technical support engineer Nikhil Suvarna in the online report. "While there are currently no known attacks using Meltdown or Spectre to target Pivotal Cloud Foundry it is theoretically possible for an attacker to use Meltdown and Spectre, possibly in conjunction with other attack vectors, to gain access to unauthorized information from applications running on PCF [Pivotal Cloud Foundry], gain elevated privileges and possibly elevated access to the platform itself."
Dell, for its part, recently told CRN that it is conducting performance tests across its entire product portfolio to assess the impact of the software patches used to combat Spectre and Meltdown. At the same time, Dell said it has started rolling out BIOS (Basic Input Output System) updates and will continue that over the next few weeks for potentially affected platforms across its client and infrastructure groups.