Spectre, Meltdown Update: NetApp, IBM, HPE, Lenovo, Dell EMC Weigh In On Storage System Vulnerability

NetApp and IBM said there are no issues concerning their systems and the Spectre and Meltdown processor vulnerabilities. Lenovo and HPE have said they have software patches coming soon.

The mixed responses in the storage industry stand in contrast to the security and networking businesses, where top vendors have been in lockstep.

One reason storage vendors have been measured in their responses seems to be tied to how storage software acts as a buffer between data in the memory.

[Related: NetApp Says Its Storage Systems Not Impacted By Spectre, Meltdown Thanks To Its OnTap OS]

One storage vendor told CRN that embedded systems, such as storage servers that do not support local users, or provide a means for arbitrary user code to run on the embedded system, are inherently vulnerable from side-channel analysis attack.

This is because such attacks require that malicious code to be run locally on a system. Also, the storage vendor source said, many embedded systems do not support different privilege levels.

IBM, in a support blog post, wrote that its POWER-based servers and System z mainframes will have patches available soon. However, IBM wrote, its storage systems are not impacted by the Spectre or Meltdown vulnerabilities.

"The most immediate action clients can take to protect themselves is to prevent execution of unauthorized software on any system that handles sensitive data, including adjacent virtual machines," IBM wrote.

Lenovo, in a statement to CRN, wrote, "Lenovo has assessed its storage portfolio for affected CPUs and will release UEFI firmware updates incorporating Intel CPU microcode fixes for affected CPUs as they are available from Intel. Lenovo is also evaluating Operating System updates for incorporation into supported storage products, where appropriate."

NetApp told CRN via email that its OnTap storage operating system was designed in such a way that malicious code cannot run on its storage systems.

Dell EMC said in an emailed statement to CRN that it is working with Intel and others to address the issue.

Hewlett Packard Enterprise emailed CRN a statement that "the quality of HPE products is our top priority and we are proactively working with Intel to develop software and firmware updates to mitigate this issue."

While patches are not yet universally ready, at least one review site, Tom's Hardware, said Friday that a Microsoft Meltdown patch it tested has little impact on storage application performance.

Tom's Hardware tested the patch with a 480-GB Intel 900P Optane SSD because of its ability to provide consistent performance and found virtually identical performance across a wide range of real-world consumer and business applications before and after the Microsoft patch was applied.

Michael Tanenhaus, CEO of Mavenspire, an Annapolis, Md.-based solution provider and Dell EMC channel partner, said that while multi-tenant cloud data centers are vulnerable, dedicated storage hardware is probably not.

"If you're not in a shared environment, you're probably okay," Tanenhaus told CRN. "A storage array is dedicated hardware, and people don't log into the array or the processors. The bug [is a potential] way to get into other peoples' stuff, to get access to other people through the processor. It doesn't really affect equipment that does one thing."

In a shared, software-defined infrastructure with virtual switching, there is the possibility of an unauthorized user accessing traffic as it went through, Tanenhaus said.

"Everyone is [grappling with an issue that's] been out there for a decade and we're just hearing about it now," he said. "When multiple people are standing on the same processor is where it's going to be hottest. Wherever there's compliance or sharing is where you can mess with somebody else. MSPs are having to reassure their customers that regardless of how this turns out they have their back."

Matt Brown contributed to this article.