PALO ALTO, CA—January 15, 2017 - Hewlett Packard Enterprise (NYSE: HPE) provided detailed guidance for customers on how to mitigate risk and resolve the recently disclosed, industrywide microprocessor vulnerability, often referred to as the Side-Channel Analysis Method, or Spectre and Meltdown.
“Ensuring the security of HPE products for our customers is our top priority and we are working with Intel and our other operating system and microprocessor partners to develop updates to resolve this issue for the most common OS versions and current HPE server generations, with additional resolutions to come,” said Alain Andreoli, Senior Vice President and General Manager, Hybrid IT Group, HPE.
Summary of the Vulnerability
Recently, an industrywide vulnerability was identified that involves modern microprocessor architectures from multiple CPU vendors, including Intel, AMD and ARM. Based on new security research, there are software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Products from all hardware manufacturers, including HPE, as well as public clouds that use affected modern microprocessor architectures are potentially impacted.
Guidance for Customers
To address this vulnerability, HPE and hardware and software vendors from across the industry have been working together to publish the appropriate resolutions. Resolution of this vulnerability requires both an operating system update, provided by the OS vendor, and a System ROM update from HPE.
HPE has created a detailed HPE Customer Guidance Pack, which includes step-by-step instructions, frequently asked questions (FAQ) and a compilation of important links to the most common operating system (OS) and microcode updates used with current HPE server generations. HPE also recommends that customers review statements published by the microprocessor vendors: Intel, AMD, and ARM.
In the HPE Customer Guidance Pack, HPE recommends all customers follow the steps below to determine their risk and mitigation plan:
- Determine if you have a system that is impacted by this vulnerability. HPE is maintaining a list of impacted products on the HPE vulnerability website.
- If your system is impacted, download and install the OS update provided by the OS vendor. Depending on which system you are running, you can find instructions on appropriate actions to take in the HPE Security Bulletin.
- Update the System ROM to a revision containing an updated microcode from HPE. Depending on which system you are running, you can find instructions on appropriate actions to take in the HPE Security Bulletin.
- Reboot the impacted system as required, ensuring the new updates are fully deployed.
This particular vulnerability doesn’t directly enable alteration, deletion, destruction, or encryption of data—but data may potentially be extracted from the computer systems. Therefore, HPE recommends that customers practice good security hygiene, including always keeping software and firmware current.
About Hewlett Packard Enterprise
Hewlett Packard Enterprise is an industry-leading technology company that enables customers to go further, faster. With the industry's most comprehensive portfolio, spanning the cloud to the data center to the intelligent edge, our technology and services help customers around the world make IT more efficient, more productive and more secure.