A message to our customers about the Meltdown and Spectre vulnerabilities
January 5, 2018
By Jim Hoover, Infor Chief Information Security Officer
This week, the world became aware of two major vulnerabilities, “Meltdown” and “Spectre,” that impact a large majority of computer processors. The vulnerabilities were discovered in late 2017 by teams of researchers who alerted major processor makers such as Intel, AMD, and ARM. The identified vulnerabilities stem from fundamental designs within the chip architectures and must be addressed at the OS level on every system.
Because Infor software runs mission-critical functions for our customers, we work tirelessly to maintain the highest levels of security and uptime. We deploy “defense in depth” measures, which means we use multiple layers of security that protect customer data even if one layer is breached via a vulnerability such as Meltdown.
For our customers where the use of our software/applications is in their own environment or a non-Infor environment, we highly recommend you apply the recommended patches as soon as practical. As always, we recommend customers do not place sensitive data into our Help Desk environments, including Infor Xtreme.
For customers using our SaaS environments, Infor is working with our partners Amazon Web Services (AWS) and Google Compute Platform (GCP) to ensure your information is fully protected. All environments have been patched by AWS and GCP at the hypervisor level, and Infor is working on patching at the OS level as patches are made available. To that end, Infor may need to schedule maintenance that goes beyond what you have experienced in the past to apply patches on every SaaS environment and ensure full protection against this threat. Note that the urgency of these patches will limit the ability of our customers to refuse some maintenance windows.
We have prepared the following FAQ for customers.
Is Infor impacted by CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754?
As with most organizations, Infor is impacted and is actively addressing the issue.
Is Infor’s IaaS impacted?
Infor uses AWS and Google Compute Platform (GCP) as our IaaS providers, and they have finished addressing the issues in all Amazon EC2 and GCP instances.
More information about how AWS is addressing the issue can be found here: https://aws.amazon.com/security/security-bulletins/.
Google stated the following: “GCP has already been updated to prevent all known vulnerabilities.”
Are any Infor customers currently exposed to this issue?
Infor is taking urgent action to address these vulnerabilities. Customers should expect maintenance window requests that they wouldn’t have seen in the past. Customers are also reminded that urgent security patches to address critical vulnerabilities should be expected in the world’s current threat landscape, and that security is paramount.
What is Infor doing to protect customers?
Customer security is Infor’s top priority, and Infor uses “defense in depth” measures in constructing systems to limit the damage that could occur from exploiting a single vulnerability. Infor has implemented multiple layers of security controls to protect customers from this attack, which requires an exploit to run locally on the target system.
Has this issue been exploited?
We are not aware of any exploits at Infor.
Are there any customer actions required?
Yes, for on-premises customers. Those customers should patch their systems as soon as practical.
When Infor applies the updates, or customers apply the operating system patches, will there be performance impact?
Infor doesn’t expect meaningful performance impacts for most customers. However, we are monitoring our SaaS solutions, and if any performance impact is noted, Infor will address it to ensure we continue to meet reasonable and contractual requirements.
What are next steps?
For SaaS customers, as patches are made available by operating system and other vendors (e.g., Microsoft, Red Hat), Infor Cloud Operations & Customer Success Teams will be providing communications around the specific scheduling and maintenance windows to apply them.