Spectre & Meltdown Vulnerabilities

[iggy1952]

Has anyone seen a response from Avaya regarding the Spectre/Meltdown vulnerabilities with respect to patching servers?

iggy1952

 

[jimbojimbo]

Avaya has posted several responses on support.avaya.com/security. Unfortunately, since this pesky bug has already resulted in Microsoft and VMware pulling patches I wouldn't expect any fix soon. Especially if the performance hit is as significant as some of the initial anecdotal information suggests.

 

[iggy1952]

jimbojimbo,

Thank you.



iggy1952

 

[Wanebo]

Avaya's position on it appears to remain the same as when the vulnerabilities were first announced. They seem to be relying on OS patching to mitigate the issue while also stating that OS patching can cause other issues.

https://downloads.avaya.com/css/P8/documents/101045884

 

[jimbojimbo]

The issue boils down to the flaw being within the processor. This requires a bios/microcode update. So far, Microsoft, VMware, and Red Hat have pulled the initial patch releases due to a combination of bricked systems, reboots, and performance issues.

I expect Avaya will not be releasing patches soon. Once a stable patch exists at the OS level then Avaya will have to test. My understanding is the most significant performance hits will be for systems with high I/O. Since voice is a real-time service I expect significant hits which will require Avaya to either discontinue support for certain hardware (old Common Server Gen 1), modify the resource requirements, or alter the "stated" capacity of systems.