
Spectre Meltdown Patch for AWS AMI based CA API Gateway Appliance

Blog Post created by chaje22 Employee on Feb 28, 2018

I hope everyone's heart rate has slowed down after dealing with the Spectre / Meltdown vulnerabilities last month. Sadly, I am pretty sure other exploitation vectors will be discovered in the future, so this won't be the last time we hear about it.

 

Kernel Boot Error for AWS AMI image based Gateway - Jan Platform Patch

 

For the CA API Gateway product, we have issued an expedited January Gateway Monthly Platform Patch covering all form factors except the AWS AMI image based Virtual Gateway appliance form factor.

 

When the initial kernel update came out to mitigate a few variants of Spectre / Meltdown, a boot error was reported for virtual machines based on AWS AMI images (see AWS forum thread). Our Gateway virtual appliance keeps only one copy of the kernel module binaries, so once you hit the boot error, you won't be able to recover that Gateway appliance.

 

This was a particular concern, and we did our best to communicate it to our customers. We issued proactive notifications and made a special note in our Knowledge Base article, as well as on our CA API Management Solutions and Patches page in the January platform patch section. We asked our customers not to apply the expedited January Gateway Monthly Platform Patch on AMI image based Gateway virtual appliances.

 

No more boot error - February Platform Patch

 

Thankfully, further kernel updates came out, and we have published the February Gateway Monthly Platform Patch, which does not induce the boot error on AMI image based Gateway instances. However, please see the warning below.

 

Warning!

Because we cannot rule out the possibility that the kernel boot error issue remains with your AWS AMI image in general, we ask our customers to take a snapshot before applying this patch and to try it out on non-production instances first.

 

Final Caution!

So, please make sure you take a snapshot and test the February patch on non-production instances first!
