Update: Thursday, Jan. 18 3:00 pm CT
The TierPoint team dedicated to Spectre and Meltdown remediation continues to work diligently with our industry partners to evaluate the impact and effectiveness of different patches, actively testing those patches in both lab and internal environments.
As reported, the patches made available to the industry so far have consistently demonstrated the potential to create serious performance issues. That’s a widely shared assessment, not limited to one vendor or one set of patches.
Despite these challenges, some of the most recently released patches are promising, and they will be installed as soon as they’re validated. At that point, as noted in our update last week, one of two things will happen: either (1) affected clients will be notified by email alert, through the same, standard method used for other maintenance events – or (2) the validated patches will be applied on a previously established and communicated weekly schedule.
Notably, based on currently available information from our partners, this will be an iterative, recurring, multi-month process, one in which different patches from different vendors will be released, tested – perhaps updated and re-tested – before they’re validated and deployed. And because this ongoing work is proprietary to our clients, this will be the last update to this public blog post.
In the meantime, while we work through this extended process with our industry partners, we will also continue to closely monitor environments under our management for any issues or concerns and communicate those, as needed, directly to our clients.
Update: Thursday, Jan. 11 10:30 am CT
As noted in our Jan. 9 update, below, TierPoint is testing patches that have been made available to us by key vendors, such as VMware and Microsoft.
After available patches are validated in lab testing, one of two things will happen: Either affected clients will be notified by email alert, through the same method used for other maintenance events – or, as in the case of Microsoft, validated patches will be applied on a previously established and communicated weekly schedule.
NOTE: Depending on the variables involved – including (1) a client’s installed services, e.g., multitenant vs. private cloud; (2) the vendors powering those services; (3) when those vendors release patches; and (4) when those patches are validated in lab testing – affected clients could receive multiple email alerts, ranging from a handful to a dozen or more, regarding different patches being applied to different deployments at different points in time. This is normal course, given the nature of the vulnerabilities in question. (Reference the “What is being done?” Q&A, below, from our Jan. 5 update.)
Please see below for earlier information and continue to monitor this blog for additional updates as they become available.
Update: Tuesday, Jan. 9 10:00 am CT
TierPoint has a dedicated team of engineers and service delivery professionals who are working with vendors and partners to remediate Spectre and Meltdown vulnerabilities.
We’ve received recommendations and timelines for patches from all key vendors. The TierPoint team is testing available patches and will then begin priority maintenance operations, notifying affected customers as remediation timelines are finalized for cloud and managed OS.
Please continue to monitor this blog for additional updates as they become available.
Update: Friday, Jan. 5 3:30 pm CT
TierPoint engineers are continuing to work with our technology partners and vendors to assess the potential impact of the Meltdown and Spectre vulnerabilities and to develop action plans to mitigate the vulnerabilities for customers.
To help explain the issue and what is being done, here are some frequently asked questions and answers.
What is being done to fix Meltdown and Spectre?
This is a global issue that cannot be resolved by a single, massive patch. Nor can it be fixed in a day because the impact is still being scoped. A flood of patches is already being issued by vendors across the globe as they become available. However, the patches themselves may impact computer response time in some cases. These matters are being evaluated by TierPoint in conjunction with our expert partners and vendors. (See update from Thursday, Jan. 11, above.)
What is it?
Meltdown and Spectre are critical hardware vulnerabilities in certain processors, including those from Intel and possibly AMD and ARM, that malicious programs can potentially exploit. These flaws could affect processors manufactured up to 20 years ago.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus the protected data, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their protected data.
How does it affect my environment?
These bugs allow programs to “leak” or steal data as that data is processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to obtain data stored in the memory of other running programs. This might include business-critical documents, as well as your passwords stored in a password manager or browser, your personal photos, emails and instant messages. Meltdown and Spectre can operate in business and personal computers, mobile devices, and in the cloud. They can be particularly dangerous when a single device is shared between users. And in the cloud these vulnerabilities could allow one tenant to peer into the data of another co-hosted tenant.
Can I detect if someone has exploited Meltdown or Spectre against me?
At this time, many experts believe the exploitation does not leave any traces in traditional log files.
Published Thursday, Jan. 4
Like others in the industry, TierPoint is taking seriously the recently disclosed processor security vulnerabilities, commonly referred to as “Spectre” and “Meltdown.” We are working to address this as quickly as possible, in close coordination with our expert partners and vendors, for the benefit of our mutual customers.