Summary

Many modern processors are susceptible to a group of vulnerabilities referred to as Meltdown and Spectre. These vulnerabilities allow unprivileged attackers to abuse CPU data cache timing to leak information out of speculative execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. This advisory will be updated as additional information becomes available.

Impact

Successful exploitation of these vulnerabilities allows unprivileged attackers to abuse CPU data cache timing to leak information out of speculative execution, potentially leading to the arbitrary read of virtual memory across local security boundaries via targeted attacks. The attacks require the ability to run attacker-controlled code directly on the target system; that precondition is what each product assessment below turns on.



ONTAP:

Unlike a general-purpose operating system, ONTAP does not provide mechanisms for non-administrative users to run third-party code on the system. Because the attacks depend on running attacker-controlled code on the target, ONTAP is not affected by either the Spectre or Meltdown attacks. The same is true of all ONTAP variants, including ONTAP running on FAS/AFF hardware as well as the virtualized products ONTAP Select and ONTAP Cloud.



While ONTAP Select and ONTAP Cloud are not directly affected by these attacks, the attacks may still be possible against the hypervisor or cloud platform on which they run. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.



StorageGRID:

StorageGRID and StorageGRID Webscale do not provide mechanisms for running unprivileged third-party code and are not directly affected. For virtualized deployments, NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform. For Docker-based deployments, the container host's operating system and CPU microcode are what must be patched; NetApp recommends working with your operating system and hardware vendors to ensure that your NetApp product is running on a secure and patched platform.



NetApp HCI Storage Nodes:

Unlike a general-purpose operating system, Element OS is a closed system that does not provide mechanisms for running third-party code. Because the attacks depend on the ability to run malicious code directly on the target system, Element OS running on SolidFire or NetApp HCI Storage nodes is not affected by either the Spectre or Meltdown attacks.



SANtricity:

Unlike a general-purpose operating system, SANtricity does not provide mechanisms for running third-party code. Because the attacks depend on the ability to run malicious code directly on the target system, SANtricity is not affected by either the Spectre or Meltdown attacks.



OnCommand Unified Manager for VMware vSphere:

OnCommand Unified Manager for VMware vSphere packages Unified Manager as a virtual appliance for a VMware hypervisor environment and does not provide mechanisms for non-administrative users to run third-party code on the appliance. Because of this, OnCommand Unified Manager for VMware vSphere is not affected by either the Spectre or Meltdown attacks.



While OnCommand Unified Manager for VMware vSphere is not directly affected by these attacks, the attacks may still be possible against the hypervisor platform on which it runs. NetApp recommends working with your hypervisor and cloud platform vendors to ensure that your NetApp product is running on a secure and patched platform.



Brocade Advisory:

http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2018-522.htm



FAS/AFF System Firmware (BIOS):

FAS/AFF BIOS firmware does not provide a mechanism to run arbitrary code and is therefore not susceptible to either the Spectre or Meltdown attacks.



NetApp HCI Compute Node (Bootstrap OS):

NetApp HCI Compute Node is tracked as affected. Remediation is customer installation of the ESXi patches and CPU microcode updates from VMware, as detailed in VMware KB 52245.



NetApp SolidFire & HCI Management Node:

The NetApp SolidFire Element OS Management Node provides console access for end users, so the precondition of running code on the system is met, and it is therefore tracked as affected. The underlying hypervisor infrastructure should be patched by customer installation of ESXi patches and microcode updates. Customers running whitebox servers should consult the manufacturer for microcode availability.
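The sections above for ONTAP Select and ONTAP Cloud, StorageGRID, OnCommand Unified Manager for VMware vSphere, the HCI Compute Node and the Management Node all push the same action onto the customer: confirm that the host underneath the NetApp product is actually patched. On a Linux host (a Docker host for StorageGRID, a whitebox server under the Management Node, a KVM host for ONTAP Select) the kernel reports its own Meltdown/Spectre status, one file per issue, under /sys/devices/system/cpu/vulnerabilities (kernel 4.15 and later), each reading "Not affected", "Vulnerable", or "Mitigation: ...". The following is an added check script, not NetApp's or the kernel project's code: the report function takes the directory as a parameter so it can be pointed at the live sysfs tree or at a copy pulled from a remote host, and the sample directory it builds for demonstration is constructed, not captured from a real machine. ESXi hosts do not expose this interface; for those, follow VMware KB 52245.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's own Meltdown/Spectre status for a
# host. Not NetApp code; the sysfs path and value formats are the kernel's.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "<issue> <status>" for every file in the directory.
# Return 0 if nothing reads "Vulnerable", 1 if at least one issue does,
# 2 if the directory is absent (kernel too old to report, or not Linux),
# which must be treated as unknown rather than as safe.
cpu_vuln_report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "$dir missing: this kernel does not report mitigation status" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%-14s %s\n' "$name" "$status"
        # The kernel may append detail, e.g. "Vulnerable: Minimal generic ASM
        # retpoline", so match on the prefix only.
        case $status in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not captured from a real host): writes the three files
# the kernel exposes for these issues into a fresh temporary directory, with
# either mitigated ("patched") or unmitigated contents, and prints the path.
make_sample_vuln_dir() {
    d=$(mktemp -d)
    case ${1:-} in
        patched)
            echo 'Mitigation: PTI' > "$d/meltdown"
            echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
            echo 'Mitigation: Full generic retpoline, IBPB' > "$d/spectre_v2"
            ;;
        *)
            echo 'Vulnerable' > "$d/meltdown"
            echo 'Vulnerable' > "$d/spectre_v1"
            echo 'Vulnerable: Minimal generic ASM retpoline' > "$d/spectre_v2"
            ;;
    esac
    echo "$d"
}

# Usage: ". ./cpu_vulns.sh live" (or run the file with the argument "live")
# reports the host you are on; with no argument nothing runs, so the
# functions can be sourced into other scripts.
case ${1:-} in
    live) cpu_vuln_report ;;
esac
```

A return code of 2 is deliberately distinct from 0: a host whose kernel predates the sysfs interface has not been shown to be patched, and on Spectre v2 in particular the status depends on the CPU microcode the hardware vendor ships as well as on the kernel, which is why the advisory points whitebox customers at their server manufacturer.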

Vulnerability Scoring Details

Exploitation and Public Announcements

NetApp is aware of public discussion of this vulnerability.

References