Security Advisory: Meltdown & Spectre

Information supplied by Robert Hawk and the xMatters Privacy-Security-Risk Management Office.

The xMatters Privacy-Security-Risk Management Office is currently investigating the recently identified vulnerabilities known as Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754).

Please refer to the attached document for the official statement; we will update this article as the investigation progresses and more information becomes available.

For more information about the vulnerabilities, visit the official page hosted by Graz University of Technology here: https://meltdownattack.com

March 19, 2018: Official comment from the xMatters Privacy-Security-Risk Management Office:

Patching against Spectre and Meltdown must be conducted in a manner designed to prevent disruption or destruction of xMatters infrastructure, while continuing to provide safe services to our clients. The xMatters cloud-based Software-as-a-Service (SaaS) is a fully managed service; it has been patched against Spectre and Meltdown using a risk-based approach and is protected against these attack vectors.

xMatters conducted full hardware and software patching in its corporate information technology environment but, because of the speed at which the patches were released, also experienced disastrous consequences: several Windows workstations crashed with critical faults after a mix of BIOS and operating system patches was applied. For this reason, xMatters patched all relevant operating systems rather than patching at the hardware level (i.e., BIOS).

Through internal security testing, xMatters has checked for any remaining attack vectors and has found none. The xMatters SaaS is a Java-based application, and none of its code, components, messages, or web-interface commands interacts with the underlying software or hardware in a way that exposes them to the hardware-level risks presented by Spectre and Meltdown.

xMatters is continuing to address these vulnerabilities at the hardware level, and the service will be fully patched by the end of 2018, using a strategy that minimizes potentially catastrophic downtime for its clients. Our primary concern remains establishing complete client safety from Spectre and Meltdown, and that has been achieved.
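
The statement above rests on operating-system patches being in place while hardware-level (BIOS/microcode) work continues, so the check a practitioner would want is the kernel's own mitigation report rather than a patch inventory. The script below is an added example and is not part of the xMatters advisory or of any xMatters tooling. It assumes Linux hosts (the advisory does not say what the SaaS runs on) with a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (4.15 and later, plus distribution backports), maps the three CVEs named in this advisory to the kernel's file names, and fails closed when a file is missing. The sample directory it builds is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not xMatters' code): summarise the Linux kernel's report of
# Spectre/Meltdown mitigation status. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (4.15+ and distro backports);
# each file there holds "Not affected", "Vulnerable[: ...]" or "Mitigation: ...".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map the three CVEs named in the advisory to the kernel's file names.
cve_to_file() {
    case "$1" in
        CVE-2017-5753) echo spectre_v1 ;;   # Spectre variant 1, bounds-check bypass
        CVE-2017-5715) echo spectre_v2 ;;   # Spectre variant 2, branch target injection
        CVE-2017-5754) echo meltdown ;;     # Meltdown, rogue data cache load
        *) return 1 ;;
    esac
}

# status DIR CVE: print the kernel's raw string, or "unknown" when the file
# is absent (kernel too old to report, or not Linux).
status() {
    f="$1/$(cve_to_file "$2")" || return 1
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# mitigated DIR CVE: succeed only for "Not affected" or "Mitigation: ...".
# "Vulnerable..." and "unknown" both fail, so a missing report is never
# mistaken for a patched host.
mitigated() {
    case "$(status "$1" "$2")" in
        "Not affected"|Mitigation:*) return 0 ;;
        *) return 1 ;;
    esac
}

# report DIR: one line per CVE; exit status 1 if any CVE is unmitigated.
report() {
    rc=0
    for cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754; do
        if mitigated "$1" "$cve"; then verdict=OK; else verdict=ACTION; rc=1; fi
        printf '%-14s %-10s %-6s %s\n' "$cve" "$(cve_to_file "$cve")" "$verdict" "$(status "$1" "$cve")"
    done
    return "$rc"
}

# Constructed sample standing in for sysfs so the script runs offline. The
# strings follow the kernel's format: Meltdown and Spectre v1 show OS-level
# mitigations, while spectre_v2 still reads Vulnerable and needs action.
make_sample() {
    d="$(mktemp -d)"
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Run against the real sysfs when present, otherwise against the sample.
if [ -d "$VULN_DIR" ]; then target="$VULN_DIR"; else target="$(make_sample)"; fi
report "$target" || echo "one or more CVEs still need action" >&2
```

Run it with no arguments on a host, or set VULN_DIR to a copied sysfs tree to evaluate a report offline. The spectre_v2 line is where the OS-versus-firmware distinction in the statement above becomes visible: components such as IBPB and IBRS_FW are listed there only when the CPU microcode provides them, so that line is the place to confirm that a BIOS/microcode update actually took effect on a host that already carries the operating-system patch.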

UPDATES:

  • January 4, 2018: Initial release.
  • January 5, 2018: Security Advisory document (attached) updated with results of internal investigation.
  • March 19, 2018: Added official comment from Security Office.

2 Comments

  • Don Clark

    UPDATE: Security advisory document updated (v3) attached.

  • Don Clark

    UPDATE: Added official comment from the xMatters Privacy-Security-Risk Management Office.
