After listening to feedback from our users — we've decided to move in a different direction from the previously proposed patching plan.
We will not be moving forward with any patching this weekend. Your applications, as well as the Platform, will continue to function as normal. There will be no unexpected downtime.
The new plan is as follows:
- Next Tuesday (01/23/18), we will be releasing an update to the Platform that will drastically reduce the potential for downtime for all customers.
- Once that update is released we will proceed with patching new hosts.
- After the patching is complete, we will request users to redeploy their services. This will ensure that your services land on newly patched hosts.
- We will be reaching out to users individually with specific dates to redeploy your services.
We have received the update package from the Ubuntu developers. Our engineering, security and operations teams are in the process of testing the patch on isolated sandbox environments.
We will be creating a plan from this testing phase. The goal of this plan will be to minimize downtime per customer environment. We will continue to keep you updated throughout the week.
What is it?
A new class of side channel attacks, affecting nearly all processors (Intel, AMD, ARM) and web browsers (chrome, firefox, IE/Edge) was disclosed yesterday (01/04/2018). Security fixes have been addressed for AWS hypervisors and, according to Ubuntu's statement, security updates will be available by 01/09/18.
As with any software vulnerability, Datica is dedicated to ensuring your applications and PHI are appropriately protected. This update addresses how we already protect your environments as well as how we plan to address this newly disclosed issue.
The full impact of these vulnerabilities is still being revealed, but we do know that an attacker with the ability to run code on a computer can potentially gain access to memory space outside the bounds of it’s normal authorization. In both cases, a user would have to have some local access to a system to run malicious code —it is not possible to execute an attack remotely. Also, these exploits are both only able to read memory and not able to execute further malicious code.
For each of these cases:
- Meltdown: an attacker would have to have the ability to run malicious software in order to gain access to the kernel and/or a VM’s host memory.
How does Datica protect you today?
Datica provides an access control layer that allows you to define who has the ability to push code to your environments, as well as who has access to update or change service files used to manage the configuration of your code environments. This allows you to determine who in your organization has the ability to include code that is being executed — an important step in preventing an attack via Meltdown.
Of chief concern to our customers, though, would be an attacker attempting to gain access to read PHI data.
Services that have direct access to PHI — such as database services — do not provide direct login to additional users, which would make it difficult for another user to run malicious code.
What is Datica doing to protect your environments?
Datica already uses a vulnerability management program and continues to work closely with necessary vendors to address and patch those vulnerabilities. We can confirm that AWS has completely patched all VM hosts; thus removing concerns of cross-VM attacks. Ubuntu base operating systems still require a patch that has yet to be released — they are currently targeting January 9, 2018. Our plans for testing and deployment will be announced on a rolling basis.
Please note: During maintenance, Datica engineers will need to stop and start all instances. We will be sending official downtime notifications closer to the date in accordance with our policies.
What can you do to protect yourself?
Patches are available for many consumer and business operating systems as well as most web browsers. Please look at the updated list below to make sure you are running most recent security patches and browser versions known to be resistant to Spectre & Meltdown attacks:
- Operating System Updates:
- Microsoft has provided Meltdown & Spectre security updates for both Windows Client & Windows Server (Note - You must make sure, via aforementioned links, that you have AV installed on your Windows host(s) and it is up-to-date and on this AV compatibility list (Credit to Kevin Beaumont for maintaining this public list).
- Apple has released mitigations for Meltdown & Spectre in iOS 11.2.2, macOS 10.13.2, and tvOS 11.2.1 (Updated 01/08/18).
- Web Browser Updates & Upcoming Patch Dates:
- Mozilla Firefox – Fixed with auto-update and/or manual update in v57+
- Google Chrome – Patch release 1/23/18. Current solution is turn on Site Isolation.
- Safari security patches have been released (Updated 01/08/18).
- IE/Edge security update KB4056890 is available with multiple “known issues”.
- Mobile Security Updates:
Additional Security Advisories not mentioned here are available at https://meltdownattack.com/