Vertiv Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Security Bulletin: Processor Speculative Execution Vulnerabilities in Vertiv products

Updated: 12-Jan 2018

Summary

The Vertiv security team is actively engaged with the security research community to monitor for specific threats, partner with vendors on potential solutions, and mitigate the potential impact of security vulnerabilities on our customers and products. Over the past week, there has been significant press on two hardware-based vulnerabilities that affect a large portion of modern processors, including those from Intel, AMD, and ARM-based suppliers. The root of the vulnerability is that modern processors employ speculative execution features to increase overall CPU performance. Researchers have discovered a flaw in these mechanisms that can allow unauthorized access to the CPU data cache and leak the information contained within. As with any potential security issue, we are actively working through the impact of these vulnerabilities and will be updating products that are susceptible.

Please use the following links for additional technical information on the specific threats CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Below is our current assessment and status. We will update this information as more becomes available.

Impact

Products that we believe are not directly impacted:

  • UMG 2000/4000: Vertiv believes that currently supported versions of UMG 2000 are not impacted by the presently known variants of these issues.
  • ACS 6000: Vertiv believes that currently supported versions of ACS 6000 are not impacted by the presently known variants of these issues.
  • ACS 8/16/48: Vertiv believes that currently supported versions of ACS 8/16/48 are not impacted by the presently known variants of these issues.
  • MergePoint Unity: Vertiv believes that currently supported versions of MergePoint Unity are not impacted by the presently known variants of these issues.
  • Autoview KVM switches: Vertiv believes that currently supported versions of Autoview KVM switches are not impacted by the presently known variants of these issues.
  • IntelliSlot Unity cards: Vertiv believes that currently supported versions of IntelliSlot Unity cards are not impacted by the presently known variants of these issues.
  • RPC2 Communication Modules: Vertiv believes that currently supported versions of RPC2 Communication Modules are not impacted by the presently known variants of these issues.
  • iCOM Control boards: Vertiv believes that currently supported versions of iCOM Control boards are not impacted by the presently known variants of these issues.
  • Vertiv RDU family: Vertiv believes that currently supported versions of the RDU family of products are not impacted by the presently known variants of these issues.

Products that may require Third Party updates:

  • Trellis: Vertiv believes that currently supported versions of Trellis are not impacted by the presently known variants of these issues. However, it is likely the underlying operating system, drivers, and firmware may require security updates. Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.
  • DSView: Vertiv believes that currently supported versions of Trellis are not impacted by the presently known variants of these issues. However, it is likely the underlying operating system, drivers, and firmware may require security updates. Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.
  • Aperture: Vertiv believes that currently supported versions of Trellis are not impacted by the presently known variants of these issues. However, it is likely the underlying operating system, drivers, and firmware may require security updates. Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.
  • iCOM-S: Vertiv believes that currently supported versions of iCOM-S are not impacted by the presently known variants of these issues. However, it is likely the underlying operating system, drivers, and firmware may require security updates. Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.

Products currently under impact investigation:

  • Vertiv AC/DC power solutions

Products that are impacted:

  • UMG 6000: The UMG 6000 employs CPUs known to be impacted by the recently disclosed speculative execution vulnerabilities.
  • ACS 800: The ACS 800 employs CPUs known to be impacted by the recently disclosed speculative execution vulnerabilities.
  • ACS 8000: The ACS 8000 employs CPUs known to be impacted by the recently disclosed speculative execution vulnerabilities.
  • Global HMI: The Global HMI employs CPUs known to be impacted by the recently disclosed speculative execution vulnerabilities.
  • IoT Gateway: The IoT Gateway employs CPUs known to be impacted by the recently disclosed speculative execution vulnerabilities.
  • iCOM Color displays: The iCOM Color displays employ CPUs known to be impacted by the recently disclosed speculative execution vulnerabilities. Additionally, the iCOM Color displays take measures to prevent execution of non-supported code, mitigating the issue.
  • iCOM-CMS: The iCOM-CMS employs CPUs known to be impacted by the recently disclosed speculative execution vulnerabilities. Additionally, the iCOM-CMS takes measures to prevent execution of non-supported code, mitigating the issue.

What is Vertiv doing to address impacted offerings

Vertiv is notifying its customers of these potential security issues and actively deploying updates to affected products as patches are made available by the processor vendors.



