You may be aware of the “Meltdown” and “Spectre” vulnerabilities that were disclosed in the media during the past 24 hours. These are vulnerabilities in CPUs (notably, but not only, Intel CPUs made since 1995) which can allow programs to access memory, and therefore sensitive restricted information, that they should not have access to.
The immediate problem can be worked around with operating system patches. This vulnerability was originally scheduled to be disclosed next Tuesday by the vendors; because of the early disclosure, some patches are still being readied for release.
The vulnerability itself appears to require local code execution to exploit. In some situations, this may be very easy; in other scenarios, where a device is well isolated from user input, it can be much more difficult. We are working to identify affected systems in HEAnet and apply fixes once they are available. This is likely to require emergency maintenance on certain services as we perform the reboots necessary to patch their kernels (in line with industry practice). We will be in touch as these are scheduled.
We also suggest that you install security updates on your own systems as they become available, though we note that the mitigation may incur a performance penalty. Please note that, for virtual machines, both the host and its guest VMs are likely to need to be patched.
Details of the vulnerabilities are available from:
- Google Project Zero: https://googleprojectzero.blogspot.ie/2018/01/reading-privileged-memory-with-side.html
- CERT: http://www.kb.cert.org/vuls/id/584653
We will keep you informed as we receive further information, but if you have any questions please don’t hesitate to contact firstname.lastname@example.org