Security Exposures - CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Maintenance window: January 5, 2018 00:00 UTC
Impacted Cloud services:
AWS Elastic Compute instances
Speculative execution vulnerabilities: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754.
Kony Cloud and our AWS Custom Hosting teams are addressing the above-mentioned security vulnerabilities, colorfully referred to as ‘Meltdown’ and ‘Spectre’, that were made public over the last few days. Kony and AWS have already taken proactive steps to protect our customers’ systems on our AWS Cloud and AWS Custom Hosted environments. While the initial risk has been addressed, additional steps will be taken over the coming days to further implement protections as various O/S patches are released or refined.
To be more granular, foreign code must be executing directly on our servers, in some cases with high privilege, to be able to execute the attack. Kony is not a generic hosting platform, nor do we run any unknown code in the Kony management infrastructure. Customers could potentially upload code for their specific application servers that would execute such an attack, but that code is already intended to process customer data, so there is little to gain in doing so. There are no Kony credentials or private data that would be accessible from these systems. Also, each customer environment is deployed into a separate AWS account, so there is no possibility of reaching across systems or VMs to access any other customer’s data.
In addition to AWS already taking necessary action to protect the EC2 fleet, Kony has reviewed these CVEs to assess the risk to customer execution environments. We have determined that, in concert with the AWS actions, the risk is extremely low that any attacker would be able to exploit these vulnerabilities. In line with our normal security procedures, Kony will be applying additional patches to operating systems over the next 30 days to further strengthen protections. Customer instances that cannot be automatically patched by Kony will be scheduled for necessary maintenance. Customers will be individually contacted as necessary to schedule these maintenance windows.
Impact Level :