Update May 23, 2018 – U.S. CERT and the Department of Homeland Security have announced additional vulnerabilities under TA18-141A: Side-Channel Vulnerabiity Variants 3a and 4. As with the original Meltdown and Spectre vulnerabilities detailed below, Array products listed in this article are not affected.
By now, most members of IT staff and management have read about the latest vulnerabilities to make major headlines: Meltdown and Spectre, which affect Intel, AMD and other CPUs developed over the last couple of decades.
Array products exclusively use Intel processors. In regards to both Meltdown and Spectre, though, Array’s AVX Series network functions platforms, APV Series application delivery controllers, and AG Series SSL VPNs are not affected.
As our researchers explain, “In order to exploit these vulnerabilities, an attacker must be able to run forged code on an affected appliance. Array Networks’ APV and AG Series have strict remote management access control and users have no opportunity to execute custom malicious code on the appliance.”
Array’s vAPV virtual load balancer and vxAG virtual SSL VPN, while not directly affected by these vulnerabilities, may be affected if the hosting environment (i.e. VMware, KVM, etc.) are vulnerable.
In other words, there is no opportunity for an attacker to upload forged or malicious code to these Array products for execution.
Similarly, the AVX Series network functions platform itself is not affected by Meltdown; however, if it is running a vulnerable third-party appliance, there is a possibility that that VA (or VNF) could be exploited to attack other VAs running on the AVX Series platform. Thus, Array recommends using only our own vAPV and vxAG VAs or VNFs, or third-party virtual appliances provided by Array-certified vendors. (See our 3rd-Party Ecosystem page for more information.)
As always, we monitor security and vulnerability announcements closely, and if new information comes to light we will provide software updates if needed to further harden the systems. Read the full security advisory here (requires Array Support Portal login credentials).
On a side note, this is one more example of Array’s extreme focus on the security, and security hardening, of our products. Our standard practice is to expose only that which we must, and to wall off everything else, thus keeping it secured. Production traffic is segregated from management traffic to further reduce risk. And we developed our own SSL stack rather than using OpenSSL as most of our esteemed competitors do, thus protecting our products, and our users, from the many high-severity vulnerabilities that have been reported in OpenSSL – including Heartbleed, Bash and others.
In addition, our proprietary SSL stack has allowed us to include only the functions that are required for the tasks that our products perform. In this way, we can keep our code much more agile and flexible, and provide much higher performance by virtue of much lower overhead.
If you have any questions or concerns, or would like to receive a copy of the full security advisory via email, please reach out to your Array sales representative or authorized reseller.