Summary: Arcserve is advising all customers to apply all the Meltdown & Spectre related fixes to their operating systems, hypervisors and browsers.
(In the future, this Knowledge Base article will be updated with any Arcserve-specific details, if and when new aspects become available. Last Content review: 2018-01-18)
Typical impact / Analysis:
Meltdown and Spectre are "Information Disclosure" and "Privilege Escalation" vulnerabilities in the CPU design. The impact of such issues is critical in shared environments, where users with limited permissions are meant to be restricted to their own private data and should have no access to other private data on the same system.
Most Arcserve environments are operated by backup administrators – often global administrators – who typically have high privilege and full access to information already.
Most Arcserve implementations (meaning the backup server, an RPS or other Arcserve management systems) are on dedicated & isolated systems, and end users (with limited privileges) would typically NOT have access to these systems to perform any Meltdown / Spectre based attack.
Attention: where hypervisors like VMware and Hyper-V are used together with Arcserve features like Instant VM / Assured Recovery / Virtual Standby or Full System HA, it is important to patch the target hypervisors to make sure Arcserve’s restore or test functionality does not become a vector for Meltdown / Spectre based attacks.
Arcserve has done internal code analysis and is currently not aware of any incompatibility between Arcserve software and Operating System patches – especially not with the API change documented by Microsoft as part of https://support.microsoft.com/en-us/help/4056898/windows-81-update-kb4056898
This was done across all of these:
- Arcserve UDP
- Arcserve Backup
- Arcserve RHA
- Arcserve Archiving
- Arcserve Appliance 7000 / 8000 *
- Arcserve Cloud
- Arcserve Cloud Direct
Arcserve recommends applying all the Operating System Patches / Firmware Updates (BIOS) / Browser Patches released by the respective vendors to address the Meltdown / Spectre issue.
With reference to:
(i) Arcserve Cloud: all cores (VMs) running Arcserve UDP have been patched with KB4056898.
(ii) Arcserve Cloud Direct: Arcserve has applied Windows updates to the hosts that support Cloud Direct Disaster Recovery.
After applying these updates, it is possible to experience a small performance drop. Arcserve invites feedback on these performance changes from real-world examples.
Arcserve is working on additional content and will update this Knowledge Base article when new information becomes available.
* We are working closely with our hardware supplier and are expecting a BIOS update, but there is no ETA yet.