Response to Meltdown and Spectre disclosures

Published January 9, 2018

Technolutions has prepared a formal response to the security vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 (informally known as "Meltdown" and "Spectre"), which were recently disclosed by security researchers and leverage behaviors present in the CPUs of nearly all devices, including workstations and servers, manufactured over the past 20 years. The risk these vulnerabilities present is nuanced, and certain mitigations are appropriate based upon an evaluation of the specific risk profile of a given workstation or server.

Microsoft Windows workstations on the Technolutions corporate networks have received the 2018-01 Cumulative Update, which provides OS-level mitigations. Mac OS X workstations were patched in the 2017-12 update from Apple, which provides similar OS-level mitigations. Processor microcode updates will be installed when made available by the device manufacturers.

All test and production infrastructure is hosted in the Amazon Web Services (AWS) cloud. Amazon has advised that all AWS instances are protected against these threats from other instances, ensuring that a customer on an AWS host cannot read the memory of another customer. This applies to all AWS services where arbitrary code could be run by multiple AWS customers, including the hypervisors and containers employed by EC2 and Lambda.

All servers have received the operating system updates and microcode mitigations based upon the criteria set forth in the vendor recommendations for mitigating the exposure on servers which might run untrusted code.

With regard to client workstations which may be used to access Slate, including those used by end-users such as applicants and staff, there are no elevated risks beyond those which might exist for other secure services on a client workstation susceptible to these threats. We employ "HttpOnly" flags on all session cookies, helping to ensure they are not read into the browser renderer's memory, where they might be compromised by another browser or system process. Session cookies are further restricted to specific networks, preventing a compromised session cookie from being used by a remote user. Browser updates to enable process isolation by site, including those planned by Google for the Chrome browser in January 2018, will further mitigate these risks.
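The two cookie controls described above can be checked with a short script. This is an added example, not Technolutions' code: it audits `Set-Cookie` headers for a missing HttpOnly attribute and shows one way a server could bind a session to the network it was issued on. The cookie names, the sample addresses, the function names and the /24 and /64 prefix sizes are assumptions; the page does not say how Slate performs the network restriction.

```python
import ipaddress

# Constructed sample Set-Cookie header values (not taken from any real service).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
    "csrf=xyz; Path=/; Secure; httponly",
]

def cookies_missing_httponly(set_cookie_headers):
    """Return names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive (RFC 6265).
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(name)
    return missing

def bind_network(login_ip, v4_prefix=24, v6_prefix=64):
    """Network stored server-side with the session at login (assumed prefix sizes)."""
    ip = ipaddress.ip_address(login_ip)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def session_allowed(bound_net, request_ip):
    """Reject a session cookie presented from outside its bound network."""
    try:
        ip = ipaddress.ip_address(request_ip)
    except ValueError:
        return False  # an unparseable client address never matches
    return ip.version == bound_net.version and ip in bound_net

if __name__ == "__main__":
    print("Missing HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
    net = bind_network("203.0.113.57")
    for client in ("203.0.113.200", "198.51.100.9"):
        print(client, "allowed" if session_allowed(net, client) else "rejected")
```

The binding lives in server-side session state, so a cookie value copied off a workstation is rejected when replayed from an address outside the recorded network.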

As with all security disclosures, we will continue to follow vendor recommendations and industry best practices, and further actions may be taken with regard to these disclosures as additional guidance and recommendations are made available by the vendors.
