Encoded Security Advisory Notice
Spectre (CVE-2017-5153 / CVE-2017-5715)
This is a Security Advisory Notice from Encoded, detailing a publicly announced critical vulnerability and outlining Encoded’s risk, mitigations and future actions.
Meltdown and Spectre are exploits which take advantage of critical vulnerabilities affecting the vast majority of modern microprocessors.
These hardware vulnerabilities allow applications to potentially steal data which is currently being processed on the computer. While applications are typically not permitted to read data from other applications, a malicious application can exploit Meltdown and Spectre to get hold of data stored in the memory of other running applications. This might include passwords, personal information, financial information, confidential business documents, or other sensitive information.
Meltdown and Spectre work on almost all personal computers, mobile devices and servers currently in use. Depending on a cloud provider's infrastructure layout, it might even be possible to steal data from other customers.
They require a malicious application to run locally on a computer, either directly or within a virtualized guest or container.
These vulnerabilities have been assigned a CVSS3 Base Score of 8.2 (High) due to their low complexity, lack of privilege requirement and potential high impact.
Encoded has performed a Risk Assessment and has found this vulnerability to be of Medium Likelihood and High Impact to Encoded, with an overall Risk of Moderate.
Our assessment of Medium Likelihood is based in part of the mitigations outlined below.
Encoded owns and operates all of its own infrastructure.
All applications operating within Encoded’s environment are either developed directly by Encoded or sourced directly from RedHat’s official software repositories.
All sensitive information is processed and stored in a segmented network that is not directly accessible from either the public internet or from Encoded’s HQ, and requires multiple levels of authentication for access.
All hosts within Encoded’s environment operate with a Host Intrusion Detection System (HIDS) which notifies immediately should any new application be installed, or if a currently installed/running application is modified.
A moratorium has been placed on any non-security related updates within the environment until appropriate patches have been put in place.
Encoded will immediately begin the process of applying all relevant security patches to all hosts and guests within the environment.
As such, Encoded’s Environment Status will now be considered “At Risk” due to a reduction in the redundancy of clustered services during the maintenance period.
Whilst the majority of this work can be undertaken without interruption to any services, there may be a need to perform some maintenance that does affect services. In these cases, a Maintenance Notification will be sent prior to any work being undertaken and work will be planned for out-of-hours, low-use periods.
If you have any questions or need any further information about this Security Advisory Notice, please contact us via email@example.com
For more information about the vulnerabilities outlined in this Security Advisory Notice, please see the below links: