We are pleased to announce that IronWorks is protected against these exploits.
Security Advisory: Meltdown and Spectre
Introduction
Meltdown and Spectre exploit critical vulnerabilities in modern processors (CPUs). These hardware bugs allow programs to steal data that is currently being processed on the computer. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud.
Summary
These vulnerabilities allow a rogue program to access memory belonging to other processes, users, or even customers running on the same physical machine. These issues were made public on 3rd January 2018.
Further information on the attacks can be found here:
https://spectreattack.com/
Common Vulnerabilities and Exposures (CVE) references
Meltdown:
CVE-2017-5754: Speculative execution permission faults handling
Spectre:
CVE-2017-5753: Bounds check bypass
CVE-2017-5715: Speculative execution branch target injection
Status
The IronWorks platform is built on Docker containers, co-ordinated through the Kubernetes Kops management and co-ordination tool, and hosted on AWS EC2 servers in Amazon's London datacentres.
Amazon EC2 has been patched and is protected against these vulnerabilities. The AWS advisory can be found here: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
Kubernetes Kops will be patched as soon as the new Linux kernel patches are released. Although this is not necessary for mitigation purposes (mitigation is achieved through the AWS changes above), we will be upgrading Kubernetes to this new release when it becomes available. Details on development progress are here: https://github.com/kubernetes/kops/issues/4188
Docker containers by their very design do not require updating as they are immune to these attacks.
Bridgeway will continue to monitor this situation in the coming days as further information and patches become available.
To keep abreast of any changes, or for further information, please visit our dedicated blog post: https://www.bridgeway.co.uk/blog/meltdown-and-spectre-update
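One way to check what a Linux node's own kernel reports for the three CVEs listed above, as an added example that is not Bridgeway's or IronWorks' tooling. It assumes a kernel that carries the Meltdown/Spectre patches and therefore exposes /sys/devices/system/cpu/vulnerabilities; the function names `classify_status` and `check_node` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: report the kernel's view of the advisory's three CVEs.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/.

# Map each CVE from the advisory to the sysfs file that reports on it.
CVE_FILES="CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2"

# classify_status TEXT -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_node [DIR] -> prints one line per CVE; returns 0 only if every
# entry is "Not affected" or carries a "Mitigation:" string.
check_node() {
    local dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    local rc=0 pair cve name text verdict
    for pair in $CVE_FILES; do
        cve="${pair%%:*}"
        name="${pair##*:}"
        if [ -r "$dir/$name" ]; then
            text="$(cat "$dir/$name")"
        else
            # A missing file means the kernel does not report on this issue,
            # which is treated as "unknown" rather than as safe.
            text=""
        fi
        verdict="$(classify_status "$text")"
        [ "$verdict" = ok ] || rc=1
        printf '%s %-10s %s: %s\n' "$cve" "$verdict" "$name" "${text:-no sysfs entry}"
    done
    return "$rc"
}

# Usage on a node: check_node   (non-zero exit means at least one CVE
# is reported as vulnerable or is not reported at all)
```

Inside an EC2 instance this reflects the guest kernel running on the node, not the state of the underlying AWS hypervisor.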