Posts Spectre/Meltdown Announcement

Mon 8 January 2018

Concerning: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Our security partner, TrustWave has made available the following overview of the vulnerabilities https://www.trustwave.com/Resources/SpiderLabs-Blog/Overview-of-Meltdown-and-Spectre/

CityPay Payment Gateway Infrastructure

CityPay host their network within the AWS cloud and in particular Amazon EC2 instances. Amazon's security bulletin is available from https://aws.amazon.com/security/security-bulletins/AWS-2018-013/ and is updated with the latest information.

From what CityPay understand, there is no known instance-to-instance concerns of the previous CVEs listed. This means that an untrusted neighbour on the physical hardware could not read the memory of another instance or the AWS hypervisor. Amazon state

All instances across the Amazon EC2 fleet are protected from all known instance-to-instance concerns of the CVEs previously listed. Instance-to-instance concerns assume an untrusted neighbor instance could read the memory of another instance or the AWS hypervisor. This issue has been addressed for AWS hypervisors, and no instance can read the memory of another instance, nor can any instance read AWS hypervisor memory. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.

CityPay's servers are running the latest kernels from Ubuntu and as of 4 January we are awaiting kernel updates listed at https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown There is also an announcement from Canonical in relation to the vulnerabilities at https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/ Updates are due for 9/1/18 and will be patched on the next patch window.

Update 10/1/18:

  • CVE-2017-5754 kernel update USN 3522-1, USN 3522-2 has been launched and queued for deployment on 15/1/18.

Update 11/1/18

  • CVE-2017-5715 intel microcode update launched as USN-3531-1 and queued for deployment on 15/1/18

Update 12/1/18

Update 15/1/18

  • All systems are now confirmed as patched to the latest security updates

Terminals and PDQs

We are not aware of any issues related to these standalone devices and as such malware or software exploiting these vulnerabilities cannot be loaded onto the devices.  

+44 (0)1534 884000