CVE-2017-5753/CVE-2017-5715 (Spectre) & CVE-2017-5754 (Meltdown) Vulnerabilities
Updated – 12 December 2018
All Speakerbus products now have protection from these vulnerabilities.
The Windows Operation Systems supported – Windows Server 2008, Windows Server 2012 and Windows Server 2016 – all have Microsoft patches available. These are KB4056897, KB4056898 and KB4056892 respectively and we recommend that they are
Microsoft additionally released patches for all affected SQL Server builds. We also recommend that these are applied.
A new build of the iGS Appliance with the upgraded Centos OS with protection from these vulnerabilities was made generally available 16/02/18. We recommend that customers upgrade to this version V184.108.40.206.
A new build of the iCS Appliance with the upgraded Centos Operating System which has protection from these vulnerabilities was made generally available 25/06/18. We recommend that customers upgrade to this version V2.610.18.0, or a later version. A new build of the iCB Appliance with the upgraded Centos Operating System which has protection from these vulnerabilities was made generally available 22/11/18. We recommend that customers upgrade to this version V1.420.4.0
Updated – 16 February 2018
Speakerbus have been made aware of two serious security flaws in Intel, ARM and AMD microprocessors that may allow sensitive data, such as passwords and crypto-keys, to be stolen from memory. These flaws are known as Spectre and Meltdown.
More information on both vulnerabilities can be found on the official website: https://meltdownattack.com/
Speakerbus confirm that all Server products have some level of exposure to the vulnerabilities.
Those installed on Windows Servers are:
- iManager Centralised Management System (iCMS),
- iManager Call Data Server (iCDS),
- SB 534 GA Server and System Controllers
- Voice Conference Manager (VCM) products.
- ARIA iManager Web Server (iWS)
Those installed on CentOS / Red Hat Servers are:
- iManager Communication Server (iCS)
- iManager Gateway Server (iGS)
- ARIA iManager CloudBase (iCB)
As running in a Virtual Machine does not provide protection from the vulnerabilities, virtual instances of the above, including our Onebox solutions, the S-Series and L-Series, which host some of the above products, are therefore also affected.
The vulnerabilities are primarily exploitable if an external party has access to the Server, or if web browsers on the Server are used to access malicious sites.
Speakerbus have assessed the Microsoft patches for Windows Server 2008 (KB4056897) and Windows Server 2012 (KB4056898) for all the relevant above listed products. The patches have had minimal impact on Server performance resulting in no observable effects on the running solution, therefore we recommend that they are applied to ensure the continued security of the servers. Testing has taken place both on bare metal servers and virtual machines.
Microsoft have additionally released patches for SQL Server builds. Speakerbus have assessed SQL Server 2008 R2 sp3 (KB4057113) and SQL Server 2012 sp3 (KB4057115) in combination with the relevant Speakerbus products (SB534, iCMS and VCM). We also recommend that these are applied.
A new build of the iGS Appliance, available on both CentOS and Red Hat versions, has been created. We recommend that customers upgrade to this version V220.127.116.11.
A further possible exposure is any customer laptops or desktop machines which are used to browse to VCM Manager or iCMS iManager, or to host SB 534 client tools. We continue to recommend these are patched as a priority, if they haven’t been patched already.
We will update this statement with further advice and details on any product releases as more information becomes available.
For further information please contact your regional partner or our service desk. http://www.speakerbus.com/helpdesk/