HiveManager NG VM Spectre / Meltdown patch?

  • Question
  • Updated 4 months ago
Since the issue with the Spectre and Meltdown vulnerabilities has been known to hardware and software manufacturers for more than half a year, can you tell us when a patch for the Meltdown/Spectre vulnerabilities will be deployed for the VM editions of Hive Manager?

I would expect that the cloud services have already been patched, at least to isolate the clients from each other (VMware has apparently incorporated fixes in a patch released around December 19th).

Can you tell us though when the fixes to the underlying OS will be rolled out?
Since we are running a security-critical environment here, we have been told to shut down all machines without a security fix within a given timeframe. That would mean no wireless network if we had to shut down our local Hive Manager.
We have to present at least a date to management and our security auditors.

Tobias Protz


Posted 4 months ago


Carsten Buchenau, Champ

Tobias,
Just to check - you have seen the Aerohive security advisory?
https://www.aerohive.com/support/security-center/product-security-announcement-aerohives-response-to...

Tobias Protz

Thanks Carsten, I could not find any notice in my inbox that could've alerted me to this.
The statements made in that announcement are mostly coherent with what I would assume, and it is nice to hear that the VM patches for the cloud environment have already been rolled out.

I do not fully agree with the sentiment about the HM on-premises, though. Shutting down several ways of access will make it more secure, yes. But there are still non-proprietary connections open to the outside which might pose a slight risk (if ever so minimal), and we've seen quite a handful of interesting and creative attacks already once people could get access to a machine.
There are patches for all major *nix distributions on the way; they should still be implemented, and a timeframe for the implementation would be very nice.

Nick Lowe, Official Rep

Hi Tobias,

The underlying CentOS will be maintained via the normal release cadence. There is no justification for an out-of-band patch as this is not exploitable for the reasons that are set out in the advisory.

To explain this better, code execution is necessary to make use of Meltdown or Spectre, but in HiveManager it offers no advantage as you would already have had to achieve code execution.

Thanks,

Nick
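For anyone who has to put a date in front of auditors, the question "has the underlying CentOS picked up the fix through the normal release cadence yet?" can be answered from inside the VM rather than by waiting for an announcement. The script below is an added example, not Aerohive's code: it reads the per-issue status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities/ (RHEL/CentOS 7 kernels gained this with the Meltdown/Spectre backports; a kernel that predates the fix has no such directory, which is itself the answer) and flags any entry still reported as "Vulnerable". The VULN_DIR override and the --check flag are conveniences of this example only.

```shell
#!/bin/sh
# Added example (not Aerohive code): summarise the kernel's own Meltdown/Spectre
# status on a Linux host such as the CentOS VM under an on-premises HiveManager.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/.
# VULN_DIR is an override used for testing against a constructed directory.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<file contents>" -> unaffected | mitigated | vulnerable | unknown
# The kernel writes one of "Not affected", "Mitigation: ...", or "Vulnerable[: ...]".
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> prints "<issue>TAB<class>TAB<raw kernel line>" per file.
# Returns 0 if nothing is vulnerable, 1 if at least one issue is, 2 if the
# directory is missing (kernel too old to report; compare the kernel version
# against the distribution's advisory instead).
report_dir() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel predates sysfs vulnerability reporting" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        class=$(classify_status "$raw")
        printf '%s\t%s\t%s\n' "$name" "$class" "$raw"
        if [ "$class" = vulnerable ]; then
            rc=1
        fi
    done
    return $rc
}

# vulnerable_count DIR -> number of issues the kernel still reports as Vulnerable
vulnerable_count() {
    n=0
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Run the live check only when invoked as: sh check_cpu_vulns.sh --check
if [ "${1:-}" = "--check" ]; then
    report_dir "$VULN_DIR"
    exit $?
fi
```

Run it as `sh check_cpu_vulns.sh --check`; a non-zero exit means either an entry is still "Vulnerable" (exit 1) or the kernel is too old to report at all (exit 2), both of which are the cases an auditor will ask about. The sysfs text is the kernel's own view and does not cover the hypervisor or microcode underneath a VM, so treat it as evidence for the guest only.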

Tobias Protz

Thanks Nick :) 
Will forward this to our security auditors, hope they are as satisfied with this answer as I am ^^

Mike Kouri, Official Rep

Tobias,
Nick asked me to jump in, but he and Carsten have already made most of the points I would have.

Our HMOL and HiveManager-NG cloud farms are and were protected immediately after news of these vulnerabilities was published (the advantage of using a Tier 1 world-wide web services provider is that they often get advance notice and can roll out patches in an automated manner), so any Aerohive customers were protected against other VMs or applications sharing the host computers causing harm. Since these are closed systems preventing people from installing their own applications, we do not believe any of our customers could have compromised other cloud customers.

Our on-premises management systems are also closed systems -- we do not generally allow the installation of third-party applications on the same host. Since both of these issues are related to executing malicious code on the same host, we do not see any urgency in rushing out untested underlying OS updates.

My day-job is the PLM for HiveOS not the management systems, but I know they are reviewing the changes to address these issues and their impact on systems performance. 

Tobias Protz

Again, thanks a lot :)
I happen to work in an environment where security is taken extremely strictly; all of us in the IT dept. are expected to react within a day's notice if any new security flaws are reported that could affect our systems. (Another reason why we are running on-prem: we are not allowed to use cloud services here.)

Carsten Buchenau, Champ

Hint to Aerohive: It would be great if you could enable a mailing list or RSS feed for new Security announcements :-)

Mike Kouri, Official Rep

(Message received, and I HAVE BEEN trying to get an opt-in mail list for longer than you would believe. You would laugh and cry at how much effort goes into just getting cross-divisional approval for the security advisories and getting them published -- some groups responsible for customer communications are very protective of their turf, others want to "protect" the company and soften the language I use in the advisories to the point where they become mush, etc. Honestly, though, I never considered enabling RSS for those pages and that may be easier to achieve.)

Carsten Buchenau, Champ

Thanks Mike!

Another way could be to post the link to Security announcements here on Hivenation, as soon as they are available. Ideally in a dedicated category. This way anyone can already configure their Hivenation account to receive email notifications if a new post is available in that category.

Not the most elegant, but it does the job and is probably much quicker to implement than anything else...

Nick Lowe, Official Rep

Hi Carsten,

Have you seen: https://visualping.io/

Cheers,

Nick

Carsten Buchenau, Champ

Oh... thanks!!