News

(Updated 2019/2/18) Announcement about CPU vulnerabilities (CVE-2017-5754 (Meltdown) / CVE-2017-5715 and CVE-2017-5753 (Spectre))


[2019/2/18] Updated information about Enterprise Cloud 2.0 service

[2018/12/25] Updated information about Enterprise Cloud 1.0 and Enterprise Cloud 2.0 service

[2018/11/26] Updated information about Enterprise Cloud 2.0 service

[2018/11/12] Updated information on FAQ about Enterprise Cloud 2.0 service

[2018/8/2] Updated status about Enterprise Cloud service

[2018/5/17] Updated status about Enterprise Cloud 2.0 service

[2018/4/13] Updated status about Enterprise Cloud 2.0 service infrastructure

This is an important notification for Enterprise Cloud 1.0 and 2.0 Services regarding the security vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 & CVE-2017-5753 (Spectre). Here is our current status on mitigating these security risks.

 

Solution

To mitigate this risk, software updates are required on both the service infrastructure and the customer OS and hypervisor.

CVE-2017-5754 (Meltdown)

Service infrastructure: We have confirmed that all required updates for the service infrastructure are complete.

Customer OS and Hypervisor: In the customer environment, updates must be performed by customers. We recommend applying the patches provided by software vendors to the customer OS and hypervisors to mitigate the security risks found in their environment. Customers should also plan to apply patches when they create their own servers from the Private Catalog or image storage area.

Software updates are also available for web browsers and applications. We recommend that customers check the latest information provided by vendors and keep their applications updated as needed.

Customers using Baremetal servers need to update the firmware themselves. We are currently waiting for vendors to provide firmware patches and procedures for the required preventative actions. We will provide further information once the firmware update procedure is confirmed. There is no need to update firmware for the Virtual Server service.

CVE-2017-5715, CVE-2017-5753 (Spectre)

Service infrastructure: We are currently working with vendors to review and test the updates required to mitigate these security vulnerabilities. We will notify customers in advance if the update maintenance would affect the service and customer resources. *1

Customer OS and Hypervisor: In the customer environment, updates must be performed by customers. We recommend applying the patches provided by software vendors to the customer OS and hypervisors to mitigate the security risks found in their environment. Customers should also plan to apply patches when they create their own servers from the Private Catalog or image storage area.

Software updates are also available for web browsers and applications. We recommend that customers check the latest information provided by vendors and keep their applications updated as needed.

Customers using Baremetal servers need to update the firmware themselves. We are currently waiting for vendors to provide firmware patches and procedures for the required preventative actions. We will provide further information once the firmware update procedure is confirmed. There is no need to update firmware for the Virtual Server service.
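
For Linux guests, the customer-side patching described above can be verified from inside the VM: kernels that carry the vendor fixes report per-vulnerability status under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of the original notice; the function names and the sample status directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notice): read the Linux kernel's
# per-vulnerability status files inside a guest and flag unmitigated CVEs.

# Map the kernel's status string to a coarse state.
classify_status() {
    case "$1" in
        "Not affected"*) echo "NOT_AFFECTED" ;;
        "Mitigation:"*)  echo "MITIGATED" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "UNKNOWN" ;;
    esac
}

# Print one line per CVE; return 1 if any is not mitigated.
# $1: directory to read (defaults to the real sysfs path on a Linux guest).
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for pair in meltdown:CVE-2017-5754 spectre_v1:CVE-2017-5753 \
                spectre_v2:CVE-2017-5715; do
        name=${pair%%:*}
        cve=${pair#*:}
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
            state=$(classify_status "$raw")
        else
            # No file: the kernel lacks the reporting interface; state unknown.
            raw="no status file"
            state="UNKNOWN"
        fi
        printf '%s %s %s: %s\n' "$cve" "$name" "$state" "$raw"
        [ "$state" = "MITIGATED" ] || [ "$state" = "NOT_AFFECTED" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: a guest patched for Meltdown and Spectre v1 only.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
check_cpu_vulns "$sample" || echo "Action needed: patch the guest OS, then re-check."
rm -rf "$sample"
```

On a real guest, call `check_cpu_vulns` with no argument to read the live sysfs directory; a non-zero return means at least one of the three CVEs is not reported as mitigated.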

*1 Update about the service infrastructure of Enterprise Cloud Virtual Server (Updated 2019/2/18)

Enterprise Cloud 1.0

We are applying the service infrastructure mitigations sequentially. The mitigation work is expected to follow this schedule:

– Datacenters in Japan (Yokohama 1st, Kansai 1 (including Kansai 1a) and Saitama 1st data centers): Mitigation of the vulnerabilities was completed in July 2018, and the version upgrade to reduce further impact was also completed.

– Other datacenters: Mitigation of the vulnerabilities was completed in the UK and France datacenters in December 2018.

For the vulnerability mitigation to take effect, the VM must be stopped and started after the mitigation has been applied on the service infrastructure side. In addition, some customers need to upgrade the hardware version of the VM.

After the service infrastructure work at each data center is complete, the function to update the hardware version will be enabled, and a notification e-mail will be sent to users of that data center.

The VM stop/start and the hardware version update must be performed by the customer.

To update the hardware version, please refer to the procedure here

Enterprise Cloud 2.0

1. Service infrastructure

Hypervisor hosts for Red Hat Enterprise Linux and Windows Server 2016 VMs: We have completed mitigation of the vulnerability on all hypervisor hosts in all areas.

Hypervisor hosts for all VMs except Red Hat Enterprise Linux and Windows Server 2016 VMs (including firewall, load balancer and network-based security): We start mitigation from August.

Mitigation of the vulnerability on all hypervisor hosts is expected to be completed on the following schedule:

– JP3, JP4, JP5: Completed

– Other areas: Scheduled to be completed from 2019 onward

 

2. Impact on performance

Impact on VM performance

Customers may not notice any performance impact from the mitigation applied to hypervisor hosts; however, they might notice some performance impact after deploying the patch to the guest OS. Customers can refer to the UnixBench test results taken before and after the hypervisor mitigation and the guest OS patch application.

“What actions NTT Com took for CPU vulnerability (CVE-2017-5715 and CVE-2017-5753 (Spectre))?”

https://ecl.ntt.com/en/faq/2.0/virtual-server-81/

[2018/11/9] Updated information about impact on performance

 

Impact on performance of Firewall, Load balancer and Network-Based Security

Please refer to the following pages for performance measurement results of the firewall, load balancer and Network-Based Security (Managed FW/UTM/WAF) after the service infrastructure mitigation.

(reference) Performance measurement result of firewall

https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/performance.html

(reference) Performance measurement result of load balancer

https://ecl.ntt.com/en/documents/tutorials/rsts/LoadBalancer/netscaler-vpx/performance.html

(reference) Performance measurement result of Managed FW/UTM

https://ecl.ntt.com/en/documents/tutorials/security/rsts/security/operation/managed_firewall_utm/8120_performance.html

(reference) Performance measurement result of Managed WAF

https://ecl.ntt.com/en/documents/tutorials/security/rsts/security/operation/managed_waf/8120_performance.html

Thank you for your understanding. We appreciate your business with us.