1/13/18 Update: Teradata Platform Remediation Matrix has been added
1/12/18 Update: Assessment has been added
1/10/18 Update: FAQs have been added
Initial Announcement: A message from Teradata Customer Services:
This message is addressing the security exploits Spectre and Meltdown on Intel. The exploits are currently known to take advantage of flaws in the x86-64 platform. Teradata has been working directly with Intel and other vendors including Dell, SUSE, and our cloud providers, to test the available fixes and determine any impact to Teradata systems.
Initial technical reports indicate that this exploit cannot be executed remotely. The attacker must have local access. Exposure can be reduced by following industry security best practices, which most corporate guidelines incorporate.
Teradata takes this type of situation very seriously, and remains committed to supporting our customers. We are diligently working with our suppliers to address this issue.
Teradata has issued Tech Alert - NTA 4351, available via your Teradata Support Portal. This Tech Alert provides further information and will be updated as new information and fixes become available. The current plan is to utilize the Intel and SUSE fixes subject to Teradata’s analysis and testing, which is already underway.
We are still determining when those fixes will be available to our customers. Updates will be provided as appropriate on the Teradata Support Portal.
Check your Teradata Support Portal for additional updates.
The platform matrix available at the above link is the current status on functionality and performance testing efforts for Teradata platforms related to the Spectre / Meltdown vulnerabilities. Teradata platforms utilize components from many different vendors. Each processor family and operating system could be affected differently by patch updates. Target dates for change control planning as well as the earliest target date for implementation of updates to your platform is listed for platforms currently under test. In many cases, Teradata has not received the needed patches from our vendors to start test efforts. Once received, the matrix will be updated to reflect target dates for planning and implementation of these updates.
Please be aware that these are target dates and are subject to change
Please check back regularly for updates for progress and planning dates
Q: Can Spectre & Meltdown be executed remotely?
A: To exploit Spectre or Meltdown, code must be executed locally on the vulnerable system. However, an administrator or application that has remotely authenticated may be able to execute malicious code on the system.
Q: Can remote access tools such as SSH/ODBC/JDBC/CLI take advantage of this vulnerability?
A: Remote access tools with authenticated access can potentially be used to take advantage of this vulnerability. Customers should only permit trusted access to Teradata systems.
Q: How can my company’s security team reduce our exposure to Spectre and Meltdown?
A: Customers following industry standard security practices can reduce exposure to these vulnerabilities. Your security posture depends on the configuration and controls of your specific environment as set by your security team.
Q: Will implementing the fixes cause a performance impact to my Teradata system?
A: Testing is underway to characterize performance impact to Teradata systems; performance is expected to vary by processor family and workload. As test results become available, information will be published specific to Teradata platform models.
Q: How can I be sure my system is safe from Spectre and Meltdown after applying the fixes provided by Teradata?
A: This is an industry-wide issue with many vendors working together to minimize impact of the CPU vulnerability. The vendor supplied patches provide the best-known mitigation for the currently known Spectre and Meltdown exploits. The change control procedure will include validation steps to ensure the patches have been applied correctly.
Q: How can I be sure I haven't been exploited by this vulnerability already?
A: There is no known report of Spectre or Meltdown exploits impacting Teradata systems at this time. However, we encourage you to work with your security team to investigate suspected unauthorized access or activity on Teradata systems.
Q: Is there a test I can use to ensure my Teradata systems have not been exploited by Spectre or Meltdown?
A: At this time, there are no known effective methods to detect the presence of Spectre or Meltdown exploits.
Q: What is the difference between an exploit, vulnerability, and malware?
A: Vulnerability: In computer security, a vulnerability is a flaw which allows an attacker to reduce a system's information assurance. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
Malware: or malicious software, is any program or file that is harmful to computer user. Malware includes computer viruses, worms, Trojan horses and spyware.
Exploit: A piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software or hardware
Q: What platforms are affected by the Spectre and Meltdown exploits?
A: X86-64 based systems including all Teradata, Aster, and Hadoop platforms, VM’s on Public Cloud, and all Teradata solutions on IntelliCloud are affected.
Q: Microsoft, Apple, and SuSE have already released patches for Spectre and Meltdown. What is the status of Teradata's patches?
A: Teradata platforms utilize components from many different vendors. Each processor family and operating system could be affected differently by the patch updates. Teradata is working closely with all our vendors to ensure proper functionality and performance at an integrated level across supported platforms. A remediation action plan with release dates is forthcoming and will be made available via the customer portal
Q: What downtime is required to apply remediation updates?
A: Currently, the known process will require a BIOS and kernel update. We typically perform these updates in separate Change Control operations. Our standard downtime estimate is 2 hours for the BIOS upgrade and 2-6 hours for a kernel upgrade. Note: Kernel upgrades rarely involve only the kernel, but typically include other dependent Certlist packages. A server reboot will be necessary for each upgrade and is included in the time estimate.