NetApp Says Its Storage Systems Not Impacted By Spectre, Meltdown Thanks To Its OnTap OS

Printer-friendly version Email this CRN article

Storage vendor NetApp said its storage hardware is not susceptible to potential security attacks caused by the Spectre and Meltdown processor design flaws discovered last week.

Spectre and Meltdown account for three variants of the side-channel analysis security issue first identified by the Google Zero Project team and other researchers who found that the Intel, AMD and ARM Holdings processors commonly used in servers and PCs could allow unauthorized users to examine privileged information in memory in certain circumstances.

Sunnyvale, Calif.-based NetApp, like most storage vendors, bases its storage hardware on x86-based server platforms.

[Related: Processor Security Issue: Intel Says Processors Working As Designed]

NetApp Thursday issued a statement saying that it is "closely monitoring the situation" and will apply security patches as they are released.

On Friday, however, NetApp provided more information to CRN via email saying that its OnTap storage operating system was designed in such a way that malicious code cannot run on its storage systems.

"OnTap is not susceptible to either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system. OnTap is a closed system that does not provide mechanisms for running third-party code," NetApp wrote.

The company also stated that the same holds true whether customers run OnTap in a hardware or software implementation.

"The same is true of all OnTap variants including both OnTap running on FAS/AFF hardware as well as virtualized OnTap products such as OnTap Select and OnTap Cloud. NetApp has advised hypervisor customers to work with their cloud platform vendors to ensure that their OnTap product is running on a secure and patched platform," NetApp wrote.

NetApp declined to comment further on the side-channel analysis security issue.

There are three possible ways side-channel analysis could be exploited by unauthorized users.

Printer-friendly version Email this CRN article