IBM’s started to release its own patches for the Meltdown mess and the Spectre SNAFU, which it’s half-confirmed impact its hardware and operating systems, but won’t have a complete fix until mid-February.
We say half-confirmed because Big Blue has only said it has problems with the processor issues Google mentioned last week, rather than naming either bug.
The company strongly hinted that POWER systems were in trouble last Thursday, January 4th. On Tuesday the 9th the company confirmed the problem, admitting that its kit “could allow a party that has access to the system to access unauthorized data.”
IBM melts down fixing Meltdown as processes and patches stutterREAD MORE
The fix has two steps: IBM wrote that it “involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective.”
As of Tuesday, the POWER7+ and POWER8 patches are ready. IBM’s promised POWER9 patches on January 15th. So that’s the pre-requisites sorted. But patches for AIX and the i operating system “will be available February 12.” That’s more than a month away at the time of writing.
While it prepares its OS patches, IBM’s advised clients that “If this vulnerability poses a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place.” Big Blue’s also said “Clients should review these patches in the context of their datacenter environment and standard evaluation practices to determine if they should be applied.”
The latter is a motherhood statement but perhaps also tacit recognition that AIX and i often run in environments where applications are so sensitive to downtime that change windows are few and far between.
That means the lag between CPU patches and OS patches might not be entirely unwelcome in some IBM shops as they’ve got a month to plan the firmware upgrade on test and dev rigs and can plan one nice big change window not long after the OS patches drop in mid-February. ®