You would have to be living under a rock not to have heard about the latest class of security vulnerabilities that have been found. These are known by the catchy names of Meltdown and Spectre. Now those of you who know me (and my love of patching servers) will be forgiven if you think this is going to turn into an “I told you so” lecture, or an explanation of why you will burn in hell for not putting the latest PTFs on your server.
If you fall into that camp, prepare to be shocked; if not, the same advice applies. CALM the PTF down!
Truly, there is no need to get alarmed at this point. I can’t resist punning, but my advice right now is literally “Don’t have a Meltdown over Spectre” or, as Douglas Adams succinctly put it, “Don’t Panic”.
Before we go any further, let me remind you that, as I write this, no one has found ANY EVIDENCE of Spectre or Meltdown actually being used in the real world! They should be taken seriously, however, and one day I feel sure that they will be used to hack a system somewhere.
We IBM i Users are Blessed
Before we get into the detail, the main reason that IBM i users don’t really have to worry about Meltdown and Spectre is that both of these vulnerabilities rely on you introducing malware onto your server in order to spy on other tasks running on your server.
Think about it: how likely is it that you are going to download some random code and run it on your IBM i box? This is really what separates it from the Windows, Mac, Linux and Android guys; nearly all of them rely on frequent downloads of software from a variety of sources, whereas we and our namesake iOS are much more selective about where we get our code from. Dear reader, please feel free to engage smug mode when talking to other IT folk who are not as lucky as us.
Allow me a Caveat
All that said, if you run your IBM i server in the Cloud on a multi-LPAR server where not all the LPARs are yours, or on a multi-LPAR system of your own where some of the LPARs are running AIX or Linux, then I really would suggest you get every LPAR and the server firmware patched ASAP.
What the Heck is Meltdown?
Let’s start with Meltdown, as right now this is easier to exploit but thankfully easier to fix. Its official vulnerability reference is CVE-2017-5754.
Put simply, Meltdown is a way that a program can take a peek at another program’s data (including the Operating System’s), just a tiny fragment in a low-level system cache. It has no way of knowing what it is, how it got there or who it belongs to. Nevertheless, this is a major embarrassment to all concerned, and fixing it is a mere single PTF with no expected performance impact.
What the Speck is Spectre?
Spectre is made up of two variants, v1 (CVE-2017-5754) and v2 (CVE-2017-5715); this tells you a huge amount about the security industry. Only here would you name something variant 2 when variant 1 was registered 39 vulnerabilities later.
Put simply, our modern processors are so much faster than anything else inside our computers; seriously, even RAM looks like a snail to a processor. So those clever chip designers thought: we can’t be waiting all the time for the rest of the computer to catch up, so if there are several possible answers to what we are currently being asked to do, we will work out all of them, and then when we find out what the question actually is, we will already know the answer.
Imagine Auto Correct on your smartphone figuring out every likely word in a sentence as soon as you type the first letter, and you are not far off the insane, mind-numbing work that Speculative Execution does while you are scratching your head over what to type next.
What PTFs do you need?
Patching Meltdown is just one PTF, but Spectre requires multiple PTFs and firmware, and right now IBM has only created the firmware for POWER7+ and POWER8 boxes.
You can get the latest PTF guidance from this link:
At the time this article is written you require the following PTFs for IBM i:
7.1 – MF64571
7.2 – MF64565
7.3 – MF64568
POWER7+ Firmware – FW770.91
POWER8 Firmware – FW860.42
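To check whether the PTFs listed above are on a partition, the query below is an added example and is not part of the original article or IBM's guidance. It assumes the IBM i service view QSYS2.PTF_INFO is available at your release level and that you run it from an SQL interface such as Run SQL Scripts.

```sql
-- Added example: report the status of the PTFs named in this article.
-- The PTF numbers come from the list above; QSYS2.PTF_INFO is the IBM i
-- service view that exposes the same data as DSPPTF.
WITH required (os_release, ptf_id) AS (
    VALUES ('7.1', 'MF64571'),
           ('7.2', 'MF64565'),
           ('7.3', 'MF64568')
)
SELECT r.os_release,
       r.ptf_id,
       -- A PTF that was never loaded has no row in PTF_INFO at all,
       -- so the LEFT JOIN turns that case into an explicit status.
       COALESCE(p.ptf_loaded_status, 'NOT ON SYSTEM') AS loaded_status,
       -- Temporarily applied vs. waiting for an IPL matters here:
       -- a PTF that is only loaded, or has an action pending,
       -- is not yet protecting the partition.
       p.ptf_ipl_action,
       p.ptf_action_pending,
       -- If a later PTF has replaced this one, its number shows up here
       -- (the column name is spelled this way in the view).
       p.ptf_superceded_by_ptf
FROM required r
LEFT JOIN qsys2.ptf_info p
       ON p.ptf_identifier = r.ptf_id
ORDER BY r.os_release;
-- Only the row for the release this partition runs is expected to be
-- present; the other two releases will normally show NOT ON SYSTEM.
```

A NOT ON SYSTEM result for your own release is a prompt to check further rather than proof of exposure, because a later cumulative package can deliver the fix under a superseding PTF number. The firmware levels in the list are not visible through this view and have to be checked separately, for example with the DSPFMWSTS command.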
What to do next?
Well, to be honest, it’s business as usual. By that I mean these patches have been rolled into the cumulative updates so if you are one of my favourites, then you will be applying your patches at least twice a year and you’ll soon be adding these protective fixes as well as many others that secure and improve your systems.
Nice to see you
Come and join us and our shiny new logo in 2018. We have two more events lined up for you. These are a must if you are thinking of doing something about GDPR. The first event is on Thursday 22nd February – Norton Grange Hotel Rochdale and will be repeated on Thursday 8th March – IBM Client Centre, Southbank, London.
More details and a booking form are available at our website www.i-ug.co.uk