Meltdown & Spectre Vulnerabilities Statement

1874

12 June 2020

12 February 2018

OPEN

On January 3rd, 2018, security researchers disclosed multiple vulnerabilities that affect Intel, AMD, ARM and other CPU architectures. The vulnerabilities can allow an attacker with local user access to read normally protected memory and access sensitive information because of flaws with speculative execution. The discoverers branded these issues as the Meltdown and Spectre attacks (CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715).

As reported, exploiting these vulnerabilities requires that an attacker be able to execute code locally on an affected system, which limits the risk and exposure.

Operating system, web browser, and hardware vendors have released and/or are working on mitigations for these vulnerabilities. CA Technologies recommends that customers follow operating system vendor guidance for patching and understand how the fixes might affect performance. As a best practice, we recommend that any significant patches for critical systems first be applied to a test environment.

If complications occur when running CA Technologies software on a supported and patched operating system, please open a CA Support Ticket.

CA SaaS Offerings:

All CA SaaS services have undergone an initial analysis to identify any impact from the Meltdown and Spectre exploits. We continue to work with our partners to ensure all patches and security updates are applied when available during the next maintenance window.

CA SaaS implements a defense-in-depth approach to the security of our environments, which mitigates the impact of any one vulnerability. We leverage strong authentication, privileged access management, vulnerability and patch management, segmentation, and security monitoring to prevent or detect any malicious activity.

We appreciate your support and understanding as we complete our corrective action plans to ensure the stability and security of your service.

CA Products on IBM Z:

CA Technologies continues to review its products that run on IBM Z for potential impact related to these vulnerabilities. However, based on our initial review, we believe that any vulnerabilities that may exist would be addressed by applying operating system and/or firmware updates as necessary. We recommend that customers:

  • Monitor, review and follow the provided mitigation advice in IBM bulletin C-IBM-zSeries: SN-2018-001 available at the IBM Z Systems integrity portal
  • Monitor the CA Technologies Support portal for product specific updates
  • Stay current with your CA Technologies software maintenance
  • Stay current with all other available vendor operating system software maintenance

References:

https://meltdownattack.com/

https://spectreattack.com/

https://www.kb.cert.org/vuls/id/584653

https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with-side.html

CVE-2017-5754, CVE-2017-5753, CVE-2017-5715

Red Hat Linux: https://access.redhat.com/security/vulnerabilities/speculativeexecution

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002