Meltdown & Spectre Vulnerabilities

Scout

Meltdown & Spectre Vulnerabilities

Does anyone know if the Meltdown and/or Spectre vulnerabilities are impacting Nutanix infrastructure?

 

https://spectreattack.com/

 

Thank you,


Accepted Solutions
Nutanix Employee

Re: Meltdown & Spectre Vulnerabilities

Dear Alexander,

 

Please check Security Advisory #0007 in the support portal.

https://portal.nutanix.com/#/page/static/securityAdvisories (Login required)

16 REPLIES
Squire

Re: Meltdown & Spectre Vulnerabilities

Dear Nutanix support,

 

please provide an impact assessment, security advisory and patches at your earliest convenience.

 

Other vendors do this in a timely manner and provide public statements, ideally via US-CERT who handle coordination of this vulnerability:

 

https://www.kb.cert.org/vuls/id/584653

 

Yours, sincerely

 

Alexander List

Scout

Re: Meltdown & Spectre Vulnerabilities

Thank you for updating us on this matter.

Moderator

Re: Meltdown & Spectre Vulnerabilities

No problem @dstjean

 

We published security advisory #7 on Jan 4th about this.

 

As a side note, if you've got a portal.nutanix.com account (which all customers can sign up for), you can get email updates for all field and security advisories by logging into portal.nutanix.com, clicking on your name in the top right-hand corner, then preferences.

Here's what my preferences look like (see screenshot below). Click on email for everything you're comfortable with, and you'll get them as they are posted.

 

Screenshot 2018-01-08 13.28.24.png 

Jon Kohler | Technical Director, Engineering, Nutanix | Nutanix NPX #003, VCDX #116 | @JonKohler
Please Kudos if useful!
Squire

Re: Meltdown & Spectre Vulnerabilities

It should, based on the underlying OS and the CPUs used in most deployments.

Moderator

Re: Meltdown & Spectre Vulnerabilities

There are multiple attack vectors, just in general, and yes, it's highly to do with both OS and CPU.

 

We go into solid detail in that security advisory and are actively digging in here.

Jon Kohler | Technical Director, Engineering, Nutanix | Nutanix NPX #003, VCDX #116 | @JonKohler
Please Kudos if useful!
Squire

Re: Meltdown & Spectre Vulnerabilities

But that's not public, is it? How can I, as a potential customer, assess the way you respond to new vulnerabilities like this if you hide the information from non-customers? I can see when patches land for IBM, Dell, HP, Cisco UCS, Azure, AWS, Google Cloud, but not Nutanix. Please reconsider your approach, there is no reason to keep patches secret!

Squire

Re: Meltdown & Spectre Vulnerabilities

As a potential customer I get no information about the Nutanix platform. Why is this hidden in a non-public space??

Moderator

Re: Meltdown & Spectre Vulnerabilities

Thanks for reaching out, good point @paulw_wwf. Certainly nothing intentionally secret here, it's simply the way our site is structured.

 

In the interim of making that content searchable, as a potential customer, you're welcome to post on our public forums (which is here) and we're happy to collaborate in front of the whole world, no worries.

 

Or, if you're in contact with an account manager, systems engineer, or reseller/partner, you can always ask them and they can route content as appropriate.

Anyhow, I've pinged our security team to inquire why that part of the portal is login only, if there is a specific reason, etc.

Jon Kohler | Technical Director, Engineering, Nutanix | Nutanix NPX #003, VCDX #116 | @JonKohler
Please Kudos if useful!