Spectre and Meltdown Vulnerabilities For GroundWork Users
January 16, 2018
Reports have recently surfaced about Spectre and Meltdown vulnerabilities in most modern computer systems. These so-called side-channel attacks can allow one program (e.g. a browser) to infer and even read data used by the CPU to execute another program… even a more privileged one. These vulnerabilities affect phones, tablets, desktops, servers, and cloud computing services. Solutions offered to date require patching that results in reduced performance. Chip manufacturers and software vendors are in the early stages of offering solutions. What is advised today may be replaced with better advice tomorrow.
At GroundWork Open Source, we continually review our product whenever such vulnerabilities come to light. At this time, there appear to be two potential attack vectors for a GroundWork server. The first is if your GroundWork server includes web site monitoring using our headless browser plugin (uses casperjs/phantomjs): there is a possibility that the vulnerability could be exploited. The second is if your GroundWork server has the browser enabled at the console level (ie. Gnome, Konsole): the vulnerability could be exploited if you are using a web browser within a console session.
For these particular use cases, our current recommendation is to patch the operating system as soon as possible. If you are running this server in a virtualized environment, the hypervisor and control layer (VMware, Amazon, Azure, etc.) may need patching as well. Microsoft, VMware, Amazon, RedHat, SuSe and Ubuntu (Canonical) have all issued and continue to issue updates. Performing patching as they suggest is prudent action.
If the above use cases do not apply to your GroundWork systems, please follow the current advice of your OS provider, Virtualized layer provider, and/or Cloud provider.
Based on the current patches available, it is important to note that vendors are acknowledging increased load on many systems. After patching, your GroundWork monitored infrastructure may generate an increase in alarms and alerts when long established thresholds for “normal” loading are potentially exceeded due to the performance losses caused by these patches and workarounds.
GroundWork Monitor itself does not require a patch for this issue. If your GroundWork installation is not the most recent version (7.2.0), we urge you to schedule an upgrade. Improvements to our software provide marked increases in speed and efficiency which will help offset any potential decrease in performance associated with patching for Meltdown and Spectre.