Access Manager and Meltdown / Spectre vulnerabilities (CVE-2017-5754, CVE-2017-5715 and CVE-2017-5753)

  • 7022531
  • 10-Jan-2018
  • 12-Mar-2018

Environment


Access Manager 4.4
Access Manager 4.3
Access Gateway Appliance
Access Manager Appliance
CVE-2017-5754 - Meltdown vulnerability
CVE-2017-5753 and CVE-2017-5715 - Spectre vulnerability

Situation

The recently reported Meltdown and Spectre vulnerabilities exploit critical flaws in modern processors. These hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. While programs are normally not allowed to read data belonging to other programs, a malicious program can exploit Meltdown and Spectre to read the protected memory of other processes running on the vulnerable physical or virtual host.

Although most Access Manager components ship Web-based applications that are not themselves susceptible to these vulnerabilities, those applications run on operating systems that are vulnerable and need to be patched. Access Manager also includes the Access Gateway Appliance and Access Manager Appliance, which ship with the SLES11 SP4 operating system and must also be patched.

Resolution

Make sure that the Access Gateway or Access Manager Appliance update channels are set up and that the latest updates have been applied. The following RPM packages in the channel address these vulnerabilities (exact versions may change, so the package names below are given as patterns):

kernel-default-3.0.*.x86_64.rpm
microcode_ctl-1.*.x86_64.rpm

For Access Manager components installed and running on top of the Windows or RHEL platforms, make sure the updates available from each vendor are applied:

- Microsoft Windows: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
- Red Hat Enterprise Server: https://access.redhat.com/articles/3307751

For the Analytic Server Appliance, one extra step is required, assuming the Security Update channel is configured as described at https://www.netiq.com/documentation/access-manager-44-appliance/install_upgrade/data/bowu0bx.html#b1lkaxvd.

Running the security updates will only pull in the kernel update, not the second package, microcode_ctl-1.*.x86_64.rpm, because that package is not installed by default. Install it separately by running 'zypper in -f microcode_ctl-1.*.x86_64.rpm' from the Analytic Server console.
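The following POSIX shell script is an added check that is not part of this TID: it verifies, on an SLES-based appliance, the two things the Resolution asks for. First, that both packages named above are present in the installed package list (as printed by 'rpm -qa'); second, on kernels that expose /sys/devices/system/cpu/vulnerabilities/ (the SLES11 SP4 3.0 kernel may not), whether the kernel reports a mitigation for each of the three CVEs. The sysfs path, the rpm invocation and the SAMPLE_* package lists are assumptions or constructed data, not taken from the article.

```shell
#!/bin/sh
# Added example (not part of the NetIQ TID): check an Access Gateway or
# Access Manager Appliance for the Meltdown/Spectre packages named in the
# Resolution and for the kernel's own mitigation status.
# Assumptions: `rpm -qa` output format and the sysfs vulnerabilities
# directory; the SAMPLE_* lists below are constructed for offline testing.

# Print "mitigated", "vulnerable" or "unknown" for one sysfs status string
# (contents of /sys/devices/system/cpu/vulnerabilities/<name>).
classify_status() {
    case "$1" in
        "Not affected"|Mitigation:*) echo mitigated ;;
        Vulnerable*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Given a package list (one "name-version-release.arch" per line, as from
# `rpm -qa`), succeed only if both the kernel-default 3.0 update and the
# microcode_ctl package are present. microcode_ctl is the package the
# article says the update channel does not pull in by default.
required_packages_present() {
    list="$1"
    printf '%s\n' "$list" | grep -q '^kernel-default-3\.0\.' || return 1
    printf '%s\n' "$list" | grep -q '^microcode_ctl-1\.' || return 1
    return 0
}

# Print how many of the three CVE entries (meltdown = CVE-2017-5754,
# spectre_v1 = CVE-2017-5753, spectre_v2 = CVE-2017-5715) report a
# mitigation. A missing entry counts as unknown. Per-entry status goes
# to stderr so the count on stdout stays machine-readable.
count_mitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    n=0
    for f in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$f" ]; then
            status=$(classify_status "$(cat "$dir/$f")")
        else
            status=unknown
        fi
        echo "$f: $status" >&2
        if [ "$status" = mitigated ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample `rpm -qa` output (version strings are placeholders,
# not real SUSE build numbers) for a patched and an unpatched appliance.
SAMPLE_PATCHED='kernel-default-3.0.101-PLACEHOLDER.x86_64
microcode_ctl-1.17-PLACEHOLDER.x86_64
glibc-2.11.3-PLACEHOLDER.x86_64'
SAMPLE_UNPATCHED='kernel-default-3.0.101-PLACEHOLDER.x86_64
glibc-2.11.3-PLACEHOLDER.x86_64'

# Run against the live system when invoked as: sh check_meltdown.sh --live
if [ "${1:-}" = --live ]; then
    if required_packages_present "$(rpm -qa)"; then
        echo "packages: ok"
    else
        echo "packages: kernel-default 3.0.* or microcode_ctl missing" \
             "(see: zypper in -f microcode_ctl-1.*.x86_64.rpm)"
    fi
    echo "kernel entries reporting a mitigation: $(count_mitigated)/3"
fi
```

Run with --live on the appliance console; without the flag the script only defines the functions, which is how the sample lists are exercised. A package check alone is not proof of mitigation (the new kernel must be the one actually booted, and microcode is only loaded at boot), so where the sysfs entries exist, treat them as the authoritative signal and the package check as the hint for what to install.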

Status

Security Alert

Additional Information

Some basic performance tests were run in a lab environment with and without the security patches on SLES 12 SP3 to get an idea of the overall impact. With the IDP, performance was very similar with and without the patch. The main difference was seen when accessing public pages on the Access Gateway, which is a less common setup.


Tests                                                       NAM 4.4 without     NAM 4.4 with        % performance
                                                            SuSE patches        SuSE patches        difference
                                                            (transactions/s)    (transactions/s)

IDP logins with secure name password form                   180                 170                 -5.555555556
IDP Post credentials                                        280                 280                 0
PR access with secure name password form                    155                 155                 0
Public page access with SSL (single page for each request)  162                 130                 -19.75308642
Public page access with SSL (10 pages for each request)     18.57               15.58               -16.10123856