Meltdown and Spectre Vulnerabilities

Summary

Epicor Eclipse is aware of the Meltdown and Spectre vulnerabilities affecting many modern microprocessors from Intel, AMD, POWER and ARM that could allow an attacker to read a computer’s memory and steal passwords, encryption keys and other private information from running applications.

Because the vulnerability is in the CPU hardware implementations, not a bug in the Eclipse application, there is no “patch” from Eclipse.

We recommend that customers check with their hardware and operating system (OS) vendors for applicable patches as the solution for Meltdown and Spectre.

Epicor’s Response

  • Apply the firmware update via BIOS update
  • Apply the operating system (RHEL, Windows and AIX) patches
  • Apply hypervisor patches where applicable

Recommended Customer Actions

We recommend that customers open a service request with the Eclipse Systems support team and deploy patches on their platform and underlying infrastructure on a mutually agreed schedule.

Frequently Asked Questions

Q: How do I patch my system?
A: Install Red Hat updates.
A: Install the Dell firmware update.

Q: Will these fixes slow down my server?
A: Yes, there is a performance impact caused by the additional overhead required for security hardening, but the actual degradation customers see may vary considerably based on the nature of their workload, hardware configuration and system constraints.

Q: Can I disable these fixes?
A: Yes, you can disable the kernel patches if you feel confident that your systems are well protected by other means. Please see this article from Red Hat for step-by-step instructions.
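As an added defender-side check that is not part of Epicor's article: this script reads the per-issue status that newer Linux kernels (and the RHEL backports) publish under /sys/devices/system/cpu/vulnerabilities, so an administrator can confirm that the OS patch is active, or that a deliberate disablement really took effect. The sysfs path and the status wording it classifies are assumptions taken from the kernel, not from the article.

```shell
#!/bin/sh
# Added example (not from the Epicor article): summarise the kernel's own
# Meltdown/Spectre mitigation status so an admin can see whether the OS
# patch is live on this host. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities (mainline 4.15+, RHEL backports).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Classify one status string exactly as the kernel writes it.
# Prints NOT_AFFECTED, VULNERABLE, MITIGATED or UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected")   echo NOT_AFFECTED ;;
        Vulnerable*)      echo VULNERABLE ;;     # "Vulnerable" or "Vulnerable: ..."
        *"Mitigation:"*)  echo MITIGATED ;;      # e.g. "Mitigation: PTI", "KVM: Mitigation: ..."
        *)                echo UNKNOWN ;;
    esac
}

# Walk a vulnerabilities directory, print "<issue> <class> <raw status>" per
# file and return 1 if any issue is still VULNERABLE, 2 if the directory is
# missing (kernel too old to report, which should be treated as unpatched).
report_mitigations() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not report mitigation status" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        issue=$(basename "$f")
        raw=$(cat "$f")
        cls=$(classify_status "$raw")
        printf '%-22s %-13s %s\n' "$issue" "$cls" "$raw"
        [ "$cls" = VULNERABLE ] && rc=1
    done
    return $rc
}

if report_mitigations "$VULN_DIR"; then
    echo "no issue reported as VULNERABLE"
else
    echo "action needed: apply OS/firmware updates or confirm the disablement is intended"
fi
```

Run it as any user; the files are world-readable. A VULNERABLE line after patching usually means the firmware (microcode) half of the fix is still missing.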

References:

Eclipse Database Replication

UniVerse Database Replication


Eclipse HA

Data replication frequency: typically “real time”
Time to recovery: typically a few minutes

Eclipse customers that want “real time” replication can use UniVerse’s native replication functionality. The software is configured to capture writes to the database and replicate them to a secondary server while preserving the integrity of the database. Recovery is also quick, since the Eclipse software is already up and running on the secondary server. This solution is implemented and supported directly by the database vendor, Rocket Software, so please contact your account manager for more details.

How to find the serial number of your Synology NAS

You will need the serial number of the NAS to contact technical support. It should be located on the unit itself, but if you would like to validate that or find it remotely, follow these steps.

1. Log in to the NAS at http://NASipaddress:5000 (the default username is admin with no password).

2. Click on the icon in the top right corner.

3. Click on System Information.

4. You should see the serial number listed under the “General” tab.

Heartbleed and Eclipse FAQ

Q: Is Eclipse affected by Heartbleed?
A: The short answer is no.

Q: What Eclipse products use SSL?
A: Eclipse uses SSL in its application server, JBoss, and its external web server, IIS.

Q: Is the JBoss application server used by Eclipse affected by Heartbleed?
A: No. JBoss is a Java application, and it uses Java’s own SSL implementation. For more details, see this statement by the lead security architect for JBoss: http://anil-identity.blogspot.com/2014/04/jbosswildflyas-openssl-heartbleed.html

Q: Is the IIS web server used by Eclipse affected by Heartbleed?
A: No. IIS uses Microsoft’s own SSL implementation. For more details, see Microsoft’s official statement: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx

Q: Have you tested the Eclipse software to make sure that it’s not vulnerable?
A: Yes, we have tested both JBoss (Solar, Job Management) and IIS (Web Order Entry) using the open-source heartbleeder tool, and all of the Eclipse software passed the tests.

Q: How can I test my own servers for the vulnerability?
A: The easiest way to test an external, Internet-accessible web server is through a website like this one. If you need to test an internal server, you can download the heartbleeder tool, which is a simple, command-line utility that runs on multiple platforms.

Q: I know it doesn’t run on my Eclipse server, but is the Element credit card payment processing service vulnerable?
A: As far as we can tell, no, but we have yet to receive an official statement from Element. We have tested all of the web services used by Eclipse for Element payment processing (https://certtransaction.elementexpress.com, https://certreporting.elementexpress.com, https://certservices.elementexpress.com), and none of them are vulnerable.

Q: I run Red Hat Enterprise Linux, and OpenSSL is installed by default. Is my server affected?
A: Maybe. If you are running Red Hat Enterprise Linux 6.5 or above, you may be running an affected version of the openssl software. RHEL versions 6.4 and below, and all versions of RHEL 5, are not affected. If you are running RHEL 6.5 or above, we recommend that you run “yum update openssl” and reboot your server as soon as possible to install the patched version of openssl. For more information, see this article from Red Hat: https://access.redhat.com/site/solutions/781793
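To sort a RHEL host into the three cases this answer describes (not affected, already patched, update required), the following added script (not from the Eclipse FAQ) classifies the installed openssl package name as reported by rpm. The openssl version lines it treats as affected and the FIXED_NVR threshold are assumptions to verify against the Red Hat article linked above.

```shell
#!/bin/sh
# Added example (not from the Eclipse FAQ): decide from the installed openssl
# package whether a RHEL host is "not affected", "patched" or "update required".
# Assumptions (not stated in the FAQ): the 1.0.1 line is the affected one,
# 0.9.8 (RHEL 5) and 1.0.0 (RHEL 6.4 and below) are not; FIXED_NVR is the
# first patched build, to be confirmed against the linked Red Hat article.
FIXED_NVR="${FIXED_NVR:-openssl-1.0.1e-16.el6_5.7}"

# True when package NVR $1 sorts at or after NVR $2 (GNU "sort -V" ordering,
# which compares the numeric runs in "16.el6_5.7" as numbers, not strings).
nvr_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Classify one name-version-release string. Prints NOT_AFFECTED, PATCHED,
# UPDATE_REQUIRED or UNKNOWN (odd input is reported, never assumed safe).
openssl_status() {
    case "$1" in
        openssl-0.9.8*|openssl-1.0.0*) echo NOT_AFFECTED ;;
        openssl-1.0.1*)
            if nvr_ge "$1" "$FIXED_NVR"; then echo PATCHED; else echo UPDATE_REQUIRED; fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Check every installed openssl package (x86_64 and i686 may both be present).
# Returns 1 if any needs updating, 2 if this is not an RPM-based host.
check_host() {
    rc=0
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found: not an RPM-based host" >&2; return 2; }
    for nvr in $(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null); do
        st=$(openssl_status "$nvr")
        printf '%-40s %s\n' "$nvr" "$st"
        [ "$st" = UPDATE_REQUIRED ] && rc=1
    done
    return $rc
}

if check_host; then
    echo "openssl package is not in the affected range"
else
    echo "openssl needs attention: run 'yum update openssl' and reboot"
fi
```

The package names in the test below are constructed samples, not real build numbers from this page.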

Q: What is Heartbleed?
A: There are many resources available on the Internet, but we suggest starting with the “official” homepage (http://heartbleed.com/) or watching this video.

Q: How do you recommend that I keep my servers secure in the future?
A: Please review our list of best practices, which includes the recommendation to update your server’s software and firmware on a regular basis.

Q: You didn’t answer all of my questions!
A: Please feel free to leave a public comment below, or open a support request with our systems team.