01-05-2018 11:47 AM - edited 01-17-2018 04:48 PM
Hi All - we have received a number of requests to furnish details of these vulnerabilities and potential impact on NIOS. Our support team has put together a note (also available on the Infoblox Support portal) to help you understand the issue and what our current assessment is with regards to impact on NIOS.
Here is the final update from our product management team.
“After rigorous testing and analysis, our engineering and security teams have concluded there is no risk from Spectre/Meltdown to any of our hardened physical Trinzic appliances, including NetMRI. For a virtual appliance, however, there is a possibility that another guest on the same host could leverage the exploit to read transactions, as this is outside of Infoblox's control, and needs to be remediated by your host vendors.”
You can look through this KB article available on the support portal to get more information.
NOTICE: Recent media coverage of the “Meltdown/Spectre” vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) has raised concerns with many Infoblox customers. Please be advised that the impact of these vulnerabilities should be minimal to NIOS. Our physical appliances and the NIOS software running on them are components of a hardened/closed system which does not allow user-level access to run applications or code of any nature. Virtual instances of NIOS, however, may be susceptible to having their vNIOS memory read should the underlying host be exploited as the underlying bare metal infrastructure is not part of our closed/hardened application specific system and is not within our scope of control. Since code (within NIOS) cannot be executed, protocol services are unlikely to be impacted, but the potential to view memory reads within the bare metal host system for which vNIOS is installed still exists. We would advise you work with Intel and the system manufacturers to patch these bare metal systems as fixes become available – however, resolutions/fixes are outside of the scope/control of Infoblox.
Although initial review performed by our threat analysis team indicates these vulnerabilities will not affect us in any material fashion, our Engineering team is continuing our rigorous analysis of the issue and we will update KB article # 7346 with additional details as more information becomes available.
04-03-2018 05:53 AM
But, it is the case that VMware requires Virtual Hardware Version 9 for "Hypervisor-Assisted Guest Mitigation for branch target injection (CVE-2017-5715)", whereas the Infoblox Data Connector 2.0 OVA specifies Virtual Hardware Version 8, and thus does not meet the VMware requirement.
For anyone else interested in using the Data Connector (virtual-only) appliance, there is an RFE open for Infoblox to update the OVA to Virtual Hardware Version 9 or better (11 or 13 preferred). This is "RFE-8570 Upgrade Data Collector OVA VM Hardware version".
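The hardware-version gap described in the reply above can be checked before deployment by reading the OVF descriptor inside an OVA. This is an added example, not part of the original posts and not Infoblox or VMware code; it assumes the descriptor declares its hardware version as a `vmx-NN` value in `VirtualSystemType`, and the function names and the sample OVA are constructed for illustration.

```python
import io
import re
import tarfile
import xml.etree.ElementTree as ET

MIN_HW_VERSION = 9  # minimum the post cites for CVE-2017-5715 guest mitigation

def ovf_hardware_versions(ovf_xml: bytes) -> list[int]:
    """Return every vmx-NN hardware version named in an OVF descriptor."""
    versions = []
    for elem in ET.fromstring(ovf_xml).iter():
        # Compare the local name so namespace prefixes do not matter.
        if elem.tag.rsplit("}", 1)[-1] == "VirtualSystemType" and elem.text:
            versions += [int(v) for v in re.findall(r"vmx-(\d+)", elem.text)]
    return versions

def check_ova(ova_file) -> tuple[int, bool]:
    """Read the .ovf member of an OVA (a tar archive) and return
    (highest declared hardware version, whether it meets MIN_HW_VERSION)."""
    with tarfile.open(fileobj=ova_file, mode="r:*") as tar:
        for member in tar:
            if member.isfile() and member.name.lower().endswith(".ovf"):
                versions = ovf_hardware_versions(tar.extractfile(member).read())
                if not versions:
                    raise ValueError("no vmx-NN VirtualSystemType in descriptor")
                return max(versions), max(versions) >= MIN_HW_VERSION
    raise ValueError("no .ovf descriptor found in archive")

def build_sample_ova(system_type: str) -> io.BytesIO:
    """Constructed sample: a minimal OVA holding only an OVF descriptor."""
    ovf = f"""<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData">
  <VirtualSystem><VirtualHardwareSection><System>
    <vssd:VirtualSystemType>{system_type}</vssd:VirtualSystemType>
  </System></VirtualHardwareSection></VirtualSystem>
</Envelope>""".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("sample.ovf")
        info.size = len(ovf)
        tar.addfile(info, io.BytesIO(ovf))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for declared in ("vmx-08", "vmx-13"):
        version, ok = check_ova(build_sample_ova(declared))
        print(f"{declared}: version {version}, meets minimum {MIN_HW_VERSION}: {ok}")
```

The descriptor only shows what the OVA ships with; the version of an already deployed VM is whatever the hypervisor currently reports for it.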