VN 2018-002 (CVE-2017-5754 - Meltdown)
- Article Type:
- Vulnerability Notice
- Article Number:
- Last Modified:
"Meltdown" is an attack that exploits a flaw in the speculative execution implementation of many widely used processors to allow an unprivileged user program to examine arbitrary physical memory addresses.
In its most widely publicized form, Meltdown is demonstrated to read arbitrary kernel space memory from a user process through local execution of a crafted user space program that targets kernel memory addresses known to contain desired data.
Extreme products utilize a number of different processor architectures, some of which contain the Meltdown vulnerability. Extreme products that do not provide a mechanism to execute third-party code are not exposed to Meltdown exploits provided other unauthorized means are not employed to gain privileged access to the system to install code. Extreme products that offer a mechanism to execute third-party code are being assessed to determine the scope of exposure and available mitigations.
Extreme products deployed in virtual environments may be exposed to Meltdown if the hosting environment is vulnerable.
Extreme continues to monitor and evaluate upstream vendor processor microcode and software updates. Patches or other mitigations may be deployed in future software updates.See also: https://meltdownattack.com/, https://www.kb.cert.org/vuls/id/584653
Products Potentially Affected
Extreme products not explicitly identified above are under investigation.
Customers of Extreme products that provide a mechanism to execute third-party code are urged to exercise care in evaluating and authenticating any applications deployed on the Extreme platform.
Customers that deploy Extreme products in virtual environments are reminded to harden their virtual environment and install all security updates.
Customers are reminded to observe all security best practices in configuration of their systems to reduce exposure to unauthorized access.
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.