News

(Updated 2018/11/26) Announcement about CPU vulnerabilities (CVE-2017-5754 (Meltdown) / CVE-2017-5715 and CVE-2017-5753 (Spectre))


[2018/11/26] Updated information about Enterprise Cloud 2.0 service

[2018/11/12] Updated information on FAQ about Enterprise Cloud 2.0 service

[2018/8/2] Updated status about Enterprise Cloud service

[2018/5/17] Updated status about Enterprise Cloud 2.0 service

[2018/4/13] Updated status about Enterprise Cloud 2.0 service infrastructure

This is an important notification for Enterprise Cloud 1.0 and 2.0 Services re: security vulnerabilities – CVE-2017-5754 (Meltdown) and CVE-2017-5715 & CVE-2017-5753 (Spectre). Here is our current status on mitigating these security risks.

 

Solution

To mitigate this risk, software updates are required for the service infrastructure and for customer OSes and hypervisors.

CVE-2017-5754 (Meltdown)

Service infrastructure: We have confirmed that all required updates to the service infrastructure are complete.

Customer OS and hypervisor: In customer environments, updates must be performed by customers. We recommend applying the patches provided by software vendors to customer OSes and hypervisors to mitigate the security risks found in their environments. Customers should also plan to apply patches when they create their own servers from the Private Catalog or image storage area.

Also, software updates are available for web browsers and applications. We recommend that customers check the latest information provided by vendors and keep their applications updated as needed.

Customers using Baremetal servers need to update the firmware themselves. We are currently waiting for vendors to provide firmware patches and procedures for the required preventative actions. We will provide further information once the firmware update procedure is confirmed. There is no need to update firmware for the Virtual Server service.

CVE-2017-5715, CVE-2017-5753 (Spectre)

Service infrastructure: We are currently working with vendors to review and test the updates required to mitigate these security vulnerabilities. We will notify customers in advance if the update maintenance would affect the service and customer resources. *1

Customer OS and hypervisor: In customer environments, updates must be performed by customers. We recommend applying the patches provided by software vendors to customer OSes and hypervisors to mitigate the security risks found in their environments. Customers should also plan to apply patches when they create their own servers from the Private Catalog or image storage area.

Also, software updates are available for web browsers and applications. We recommend that customers check the latest information provided by vendors and keep their applications updated as needed.

Customers using Baremetal servers need to update the firmware themselves. We are currently waiting for vendors to provide firmware patches and procedures for the required preventative actions. We will provide further information once the firmware update procedure is confirmed. There is no need to update firmware for the Virtual Server service.

*1 Update on the service infrastructure of Enterprise Cloud Virtual Server (updated 2018/11/26)

Enterprise Cloud 1.0

We are rolling out the service infrastructure response sequentially. The response to alleviate the vulnerabilities is expected to follow this schedule:

– Datacenters in Japan (Yokohama 1st, Kansai 1 (including Kansai 1a) and Saitama 1st data centers): The response to alleviate the vulnerabilities was completed in July 2018; however, to reduce the impact further, we plan to continue upgrading the version until about December 2018.

– Other datacenters: Expected to complete the response to alleviate the vulnerabilities in February 2019

For the vulnerability mitigation to take effect, the VM must be stopped and started after the response on the service infrastructure side. In addition, some customers need to upgrade the hardware version of the VM.

After the service infrastructure response is completed at each data center, the function to update the hardware version will be enabled, and a notification e-mail will be sent to users of that data center.

Stopping/starting the VM and updating the hardware version must be done by the customer.

To update the hardware version, please refer to the procedure here
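One way for a customer to confirm the result inside a Linux guest after patching the guest OS and stopping/starting the VM, added here as an example (it is not NTT Com's code or procedure). It assumes a guest kernel that reports status under /sys/devices/system/cpu/vulnerabilities; the function names are hypothetical and the CPU flag names it looks for vary by kernel build.

```shell
#!/bin/sh
# Added example (not from the notice): report Meltdown/Spectre mitigation
# state inside a Linux guest. Function names are hypothetical.
# Assumption: the kernel exposes the sysfs "vulnerabilities" directory.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to MITIGATED / VULNERABLE / UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo MITIGATED ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;  # empty or unexpected
    esac
}

# Print "<CVE> <sysfs file> <verdict> <raw status>" for the three CVEs in
# the notice. $1 = directory to read (default: live sysfs path).
# Returns non-zero unless all three are reported as mitigated.
report_mitigations() {
    dir=${1:-$VULN_DIR}
    rc=0
    for pair in CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 \
                CVE-2017-5715:spectre_v2; do
        cve=${pair%%:*}
        file=${pair##*:}
        status=""
        # A missing file means the kernel predates this reporting interface.
        [ -r "$dir/$file" ] && status=$(cat "$dir/$file")
        verdict=$(classify_status "$status")
        [ "$verdict" = MITIGATED ] || rc=1
        printf '%s %s %s %s\n' "$cve" "$file" "$verdict" "${status:-<not reported>}"
    done
    return "$rc"
}

# Succeeds if a cpuinfo-style file ($1, default /proc/cpuinfo) lists a
# speculation-control CPU flag, i.e. the guest sees the features exposed by
# an updated host. Assumption: flag names differ between kernel builds.
has_spec_ctrl_flags() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" 2>/dev/null |
        grep -Eqw 'ibrs|ibpb|spec_ctrl'
}

report_mitigations || echo "Not all three CVEs are reported as mitigated."
has_spec_ctrl_flags || echo "No speculation-control CPU flags are visible."
```

Running it before and after the stop/start shows whether the guest's reported status changed.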

Enterprise Cloud 2.0

1. Service infrastructure

Hypervisor hosts for Red Hat Enterprise Linux and Windows Server 2016 VMs

We have completed mitigation of the vulnerability on all hypervisor hosts in all areas except SG1 and HK1.

We are continuing to work on mitigation for the remaining hosts in SG1 and HK1.

Hypervisor hosts for all VMs except Red Hat Enterprise Linux and Windows Server 2016 VMs
(including firewall, load balancer and network-based security)

Mitigation work starts from August.

The response to mitigate the vulnerability on all hypervisor hosts is expected to be completed on the following schedule:

– JP3, JP4, JP5: Completed

– Other areas: Scheduled for completion from 2019 onward

 

2. Impact on performance

Impact on VM performance

Customers may not notice any performance impact from the mitigation applied to hypervisor hosts; however, they might notice some performance impact after deploying the patch to the guest OS. Customers can refer to the results of UnixBench tests run before and after the vulnerability mitigation on the hypervisor and the patch application to the guest OS.

“What actions NTT Com took for CPU vulnerability (CVE-2017-5715 and CVE-2017-5753 (Spectre))?”

https://ecl.ntt.com/en/faq/2.0/virtual-server-81/

[2018/11/9] Updated information about impact on performance

 

Impact on firewall and load balancer performance

Please refer to the following pages for performance measurement results of the firewall and load balancer after the service infrastructure response.

(Reference) Performance measurement results for the firewall

https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/performance.html

(Reference) Performance measurement results for the load balancer

https://ecl.ntt.com/en/documents/tutorials/rsts/LoadBalancer/netscaler-vpx/performance.html

Thank you for your understanding. We appreciate your business.