Our Response to Meltdown and Spectre

To All Contegix Customers,

Contegix would like to address the computer vulnerabilities named Meltdown and Spectre that have been in the news recently and detail the steps we are taking to protect your environments. Computer hardware manufacturers and other core industry parties were informed of these vulnerabilities in November 2017 and have been working to address them. The researchers and software developers had agreed to go public with notifications on both flaws and the fixes on January 9th, but the vulnerabilities were revealed early, and software developers are now rushing to release updates to address them. The problems are hardware-related, but can be corrected using software updates via operating system packages.

Both Meltdown and Spectre allow information in working memory to be read by another, unauthorized process. You can read more at https://spectreattack.com/ and https://meltdownattack.com/. Fortunately, taking advantage of these flaws is extremely difficult. They cannot be used to take control of a device, only to read information. An attack also has to be carried out on the local machine, as it cannot be done remotely. If a malicious actor wanted to take advantage of these flaws, they would have to break into a computer, install an application, record information on that computer, and then access that information through some other method. The flaws can only be used to read information that is being processed; an attacker would not be able to browse stored data and select what they wanted to see. Encryption of data in transit also removes the threat of these vulnerabilities.

Contegix is currently working to apply patches to all customers as quickly as they become available. Since software developers have been working on this issue for the last few months, some existing patches included fixes which the providers did not publicize. Additional patches are being released by operating system developers such as Canonical and Red Hat to address these vulnerabilities. Contegix is securing our infrastructure and clouds over the next 48 hours in a manner that will result in no downtime to customer platforms. Additionally, there will be patches that need to be applied to your individual servers, and in some cases that will involve scheduling downtime via the Contegix Operations team. We will coordinate those updates with customers on an individual basis.

If you wish to have updates applied to your environment immediately, please open a support ticket and reference this communication. The Contegix Operations team will then work with you directly to patch your systems as quickly as possible. You can also call 877.289.0395 to speak to a support engineer if you have more questions.

Thank you for your patience as we work to protect you and the services you provide to others.

Contegix Security Team
