|Summary:||Announcement from Infor – Activities Regarding Meltdown and Spectre|
|Article Type:||Announcement / Support|
|Related Product:||This article relates to the following products:
Please read Infor’s statement regarding New Security Vulnerabilities against underlying chip architectures:
“Infor is aware of and actively addressing the new Security Vulnerabilities reported by various experts against underlying chip architectures. The vulnerabilities that have been identified are fundamental designs within the chip architectures and must be addressed at the OS level on every system. Along with every corporation and individual that relies on technology, Infor is monitoring and gathering available patches and deploying those within our environments. It is important to note that Spectre is a vulnerability that is different than Meltdown and that is more difficult to exploit and to correct. Vendors are working with Intel in determining how they will address this vulnerability. Infor will remain vigilant on watching for all security patches.
For our Customers where the implementation of our software/applications is in their environment or a non-Infor environment, Infor highly recommends that they apply the recommended patches as soon as practical. As always, Infor recommends that Customers do not send sensitive information within email or other unencrypted communication methods or place sensitive data into our Help Desk environments, including Infor Xtreme.
For Customers using our SaaS environments, Infor is working with our partners, Amazon Web Services (AWS) and Google Compute Platform (GCP), to ensure your information is fully protected. All environments have been patched by AWS and GCP at the hypervisor level and Infor is working on patching at the OS level as patches are made available. To that end, Infor may need to schedule maintenance that goes beyond what you had experienced in the past as Infor performs patches on every SaaS environment that we manage to insure full protection against this threat. Note that the urgency of these patches will limit the ability for our Customers to refuse to accept some maintenance windows.
You may find the following FAQ useful.
1. Is Infor impacted by CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754?
As with most organizations, Infor is impacted and is actively addressing these vulnerabilities
2. Is Infor’s IaaS impacted?
Infor utilizes the AWS and Google Compute Platform (GCP) environment as our IaaS providers and they have finished addressing the issues in all Amazon EC2 and GCP instances
More information about how AWS is addressing the issue can be found here: https://aws.amazon.com/security/security-bulletins/. Google stated the following: “GCP has already been updated to prevent all known vulnerabilities.”
3. Are any Infor customers currently exposed to this issue?
Yes. Infor is taking urgent action to address these vulnerabilities. Customers should expect maintenance window requests that they wouldn’t have seen in the past. Customers are also reminded that urgent security patches to address critical vulnerabilities should be expected in the world’s current threat landscape and that security is paramount.
4. What is Infor doing to protect customers?
Customer security is Infor’s top priority, and Infor utilizes “defense in depth” measures in constructing systems to limit damage that could occur by exploiting a single vulnerability. Infor has implemented multiple layers of security controls to protect customers from this attack that requires an exploit to run locally on the target system.
5. Has this issue been exploited?
We are not aware of any exploits at Infor.
6. Are there any customer actions required?
Yes, for on-premise customers. Those customers should patch their systems as soon as practical.
7. When Infor applies the updates, or customers apply the operating system patches, will there be performance impact?
Infor doesn’t expect meaningful performance impacts for most customers. However, we are monitoring our SaaS solutions and if any performance impact is noted, Infor will address to ensure we continue to meet reasonable and contractual requirements.
For SaaS customers, as patches are made available by Operating System and other vendors (e.g., Microsoft, RedHat, etc.) Infor Cloud Operations & Customer Success teams will be providing communications around the specific scheduling and maintenance windows to apply them.”
If you have any concerns regarding this issue, or if you’d like additional information, please get in touch with our Support Team.