Meltdown and Spectre

Towards the end of last year, two new IT security threats, “Meltdown“ and “Spectre“ emerged. In this special email bulletin, we would like to address how these may affect you, and in particular, your jtel System.

How do the exploits work?

Meltdown and Spectre are based on weaknesses in modern CPUs. They work by enabling malicious code to access memory and data belonging to other processes running on the system. Potentially, this memory could contain sensitive information.

Both threats affect all systems which use Intel CPUs. According to current knowledge, an attacker must gain shell access to the system to exploit either Meltdown or Spectre. However, it is not necessary to have root access – a fact which makes these threats all the more dangerous. Please note that shell access to systems can be gained by many means – for example by using a web application which, in turn, uses PHP or CGI.

Is my jtel System affected?

Currently, we believe that you should not be concerned.

The only application which is usually accessible to the outside world in a well-protected jtel Installation is the webserver / loadbalancer. Neither the jtel Web Application nor the load balancer uses any technology in the software stack which allows either of these vulnerabilities to be used maliciously, since the web application does not use shell access to provide any functionality.

So, unless you are worried that your jtel System might be attacked from within your network, you need not be concerned now.

Am I affected at all?

In short, yes. Some of the IT systems you are running will be affected in some way. How dangerous it is will depend on the systems and software themselves, and how accessible these are to the outside world.

Can I have my systems patched right now please?

As previously stated, we do not believe that either Meltdown or Spectre can be used to exploit your jtel System. Accordingly, we have no plans to patch any systems at this time.

For systems where work is planned (new installations or software updates):

The next time work is scheduled on your jtel system, we will arrange to patch the operating system at the same time. Please note, that we will need your assistance here, to create the necessary backups / snapshots.

If you want a patch earlier:

Please contact us and we will be glad to provide you with an offer and arrange an appointment to apply all current operating system patches to your system.

Where can I learn more?

https://meltdownattack.com/
https://www.heise.de/newsticker/meldung/Analyse-zur-Prozessorluecke-Meltdown-und-Spectre-sind-ein-Security-Supergau-3935124.html?seite=all