Version 2.8, 14.06.2018

The security gaps Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715) have been publicly announced on the 3. January 2018. According to reports, the concerned processors of Intel, AMD and ARM can have the following consequences as described by Project Zero:

• Variant 1: Bounds Check Bypass (CVE-2017-5753), (Spectre)
• Variant 2: Branch Target Injektion (CVE-2017-5715), (Spectre)
• Variant 3: Rogue Data Cache Load (CVE-2017-5754), (Meltdown)

These security gaps allow programs that are running with normal restricted privileges to obtain access to protected areas on the processor (Kernel Memory).

Affected processors

Status 11. Januar 2018

Affected products

These products are affected by Variant 1:

• Linux Virtual Server Pro
• Windows Virtual Server Pro
• Virtual Server 2.0 Linux
• Virtual Server 2.0 Windows
• Linux Dedicated Server Pro
• Windows Dedicated Server Pro
• NAS-Cloud
• Cloud Services

Products being clarified

These products are still being clarified and will be added to the list above if necessary

• No further products

Updates / Upgrades

Hardware, BIOS and Firmware
Microcode updates which would require an update of the BIOS might be necessary to seal these security gaps. We are cooperating with the manufactures accordingly.
The corresponding updates on the host systems will be carried out as soon aspossible. We will inform affected customers about any interruptions through our newsletter. If possible, these updates will be carried out without any impact on the customer.

Operating System and Software
You can find information regarding the update-status of the Operating Systems on the corresponding websites. The most important links are listed here:

• Debian (CVE-2017-5753 / CVE-2017-5715 / CVE-2017-5754)
• Ubuntu
• CentOS
• Fedora
• OpenSUSE
• Windows
• Synology DSM

Web Browser

The vulnerability Meltdown and Specter can also be exploited via the web browser. We therefore recommend to always keep the browser up to date.

• Mozilla Firefox
• Opera
• Windows IE & Edge
• Google Chrome

The host systems will be maintained with the corresponding updates by us as soon as possible. We will do our best that any interruptions caused by reboots of the host system will be carried out without causing interruptions of our customers. If that is not possible we will inform the affected customers through our newsletter. Because your system is still vulnerable to attacks you must keep your system up to date.

Current state of the products

The CPUs used by Softronics are according to the manufacturer's information from 11.01.2018 are not affected by Meltdown. We will test the available security solutions on the host servers and our infrastructure as fast as possible. When the tests have been successfully completed we will swiftly preform the rollout. We usually try to do this without causing interference for our customers. We will inform affected customers about any interruptions through our newsletter.

1Patching and keeping the OS up to date is the responsibility of the customer

Responsibility customer

We recommend you install the updates as soon as stable versions are available since the Operating systems installed on our Virtual- and Dedicated servers are vulnerable as well. As of today (19.01.2018) there are not micro updates or patches available for the NAS-Cloud.
We also encourage you to keep your applications up to date as well.
We are happy to assist you with the necessary tasks. To do so, please contact our support.

1Customer can perform BIOS updates
2Customer can perform OS-updates
3Customer can update software and applications

Additional information

• Mitentdecker warnt vor erstem Schadcode (heise.de, 11.01.2018)
• Google patcht eigene Server ohne Leistungsverlust (GameStar.de, 15.01.2018)
• Return trampolin, Retpoline (Google.com)
• Intel warns of its own patches (CHIP.de, 23.01.2018)
• Managing Speculation on AMD Processors Whitepaper (amd.com, 24.01.2018)
• Intel microcode revision guidance (intel.com, 08.02.2018)
• Intel firmware updates for Kaby-, Coffe-Lake and Skylake (intel.com, 20.02.2018)
• Microsoft March Security Updates against Meltdown & Spectre (Microsoft, 13.03.2018)
• Microsoft April Updates against Spectre Variant 2 for AMD (Microsoft 16.04.2018)
• Microsoft June Updates support for Speculative Store Bypass Disable (Microsoft, 12.06.2018)

Revision history

• Version 2.8, 14.06.2018. Microsoft June Update
• Version 2.7, 16.04.2018. Microsoft April Update
• Version 2.6, 11.04.2018, AMD Spectre Mitigation Update
• Version 2.5, 14.03.2018, Mircosoft March Security Updates
• Version 2.4, 21.02.2018, Microcodesfor Intel Skylake and Server processors
• Version 2.3, 12.02.2018, Overview microcode updates planned by Intel
• Version 2.2, 25.01.2018, Managing Speculation on AMD Processors Whitepaper added
• Version 2.1, 23.01.2018; information about current Intel patches added
• Version 2.0, 19.01.2018; added status of products
• Version 1.5, 18.01.2018; added Link Retpoline
• Version 1.4, 17.01.2018: Cloud Services added to affected products
• Version 1.3, 16.01.2018: Information added about NAS-Cloud and Debian
• version 1.2, 15.01.2018; Information about Web Browser
• Version 1.1, 15.01.2018; NAS-Cloud added to affected products
• Version 1.0, 10.01.2018: Initial Version