Meltdown/Spectre and Qualys Cloud Platform
Last updated on: September 6, 2020
In light of the recently released information about two security vulnerabilities, Qualys has considered the impact on the Qualys Cloud Platform and associated services. Qualys released a detailed advisory for customers of the Qualys Cloud Platform to help customers identify these vulnerabilities and to assist customers in their internal security assessment.
Below, please find information about how Qualys has performed its assessment and is taking steps to protect its environment and the Qualys Cloud Platform:
About Meltdown and Spectre
Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715 and CVE-2017-5753) exploit physical implementations of modern microprocessors, rather than relying on any software-based flaw or defect.
Impact
As of this writing, there is no known exploit for these vulnerabilities. Qualys is in the process of assessing and patching our environment. Additionally, we have increased our security monitoring posture to identify unusual activity. We are leveraging the Qualys Cloud Platform to identify impacted assets.
Scanner Appliances
Qualys scanner appliances are not directly affected by Spectre/Meltdown vulnerabilities and do not require any patches to the appliance operating system, scanning software or virtual scanner images. The security of Qualys scanner appliances does not depend on the type of privilege separation which is affected by these vulnerabilities, and the vulnerabilities would not provide a potential attacker with a higher level of access. Additionally appliances are only bound to the Qualys Cloud Platform and have no ability to be accessed directly.
Virtual Scanner Appliances
Qualys virtual scanner appliances can still be indirectly affected by Spectre/Meltdown if the vulnerability is exploitable at the hypervisor level. We recommend that customers patch the underlying hypervisor as per their vendor recommendations.
Cloud Agent
Cloud Agent binary across all platforms is not directly impacted and as such does not require any patch from Qualys. However it is essential that customers ensure the underlying asset operating systems are patched by customers as per vendor recommendations.
The Cloud Agent can be used to assess this.
Qualys Cloud Platform
Currently, we are testing the vendor released patches and are deploying across our shared environment. Please note that may require a scheduled emergency downtime.
Qualys Private Cloud Platform
Hardware Private Cloud Platform
Qualys will closely coordinate with customers to individually assess their platform and deploy patches on the platform and underlying infrastructure on a mutually agreed schedule.
Virtual Private Cloud Platform
Qualys will closely coordinate with customers to deploy patches on the platform. Customers are responsible for deploying patches to the underlying infrastructure and should immediately work with their vendors to deploy patches.
Qualys Corporate Environment
Qualys has tested and pushed out patches to our corporate servers and is currently aggressively rolling out patches to our end-user machines.