Meltdown and Spectre Vulnerabilities

Summary

Epicor Eclipse is aware of the Meltdown and Spectre vulnerabilities affecting many modern microprocessors from Intel, AMD, POWER and ARM. They could allow an attacker to read a computer’s memory and steal passwords, encryption keys and other private information from running applications.

Because these are flaws in the CPU hardware implementations, not bugs in the Eclipse application, there is no “patch” from Eclipse. Mitigation comes from the CPU microcode (firmware), the operating system kernel and, on virtualized systems, the hypervisor.

We recommend that customers check with their hardware and Operating System (OS) vendors for the applicable patches as the solution for Meltdown and Spectre.

Epicor’s Response

  • Apply the CPU microcode update delivered as a BIOS/firmware update
  • Apply the operating system (RHEL, Windows and AIX) kernel patches
  • Apply hypervisor patches where applicable, and reboot so the new kernel and microcode take effect

Recommended Customer Actions

We recommend that customers open a service request with the Eclipse Systems support team and deploy the patches on their platform and underlying infrastructure on a mutually agreed schedule.

Frequently Asked Questions

Q: How do I patch my system?
A: Install the Red Hat updates (kernel and related packages) and the Dell firmware (BIOS) update, then reboot; the mitigations are not active until the system is running the new kernel and microcode.

Q: Will these fixes slow down my server?
A: Yes, there is a performance impact caused by the additional overhead of the security hardening, but the actual degradation customers see varies considerably with the nature of the workload, the hardware configuration and other system constraints.

Q: Can I disable these fixes?
A: Yes, you can disable the kernel mitigations if you feel confident that your systems are well protected by other means. Be aware that doing so leaves the server exposed to the vulnerabilities again. Please see the Red Hat article for step-by-step instructions.
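The patched kernel reports its own view of the mitigations, which is the quickest way to confirm that the updates in the answers above actually took effect (or to see what disabling them changed). The script below is an added example, not Epicor or Red Hat tooling. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (upstream 4.15 and later, backported to RHEL 7.5 and later; RHEL 5 kernels do not have it).

```bash
#!/bin/bash
# Added example (not Epicor's tooling): report the kernel's view of the
# Meltdown/Spectre mitigations on a patched RHEL host.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# (upstream 4.15+, backported to RHEL 7.5+; absent on RHEL 5).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# report_mitigations DIR
#   Prints "<name> <STATE> <raw kernel text>" for every file in DIR.
#   Returns 0 when nothing is reported vulnerable, 1 when at least one
#   entry still reads "Vulnerable", 2 when the interface is missing.
report_mitigations() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerability interface at $dir (kernel predates it, or the patched kernel is not booted yet)"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     state=VULNERABLE; rc=1 ;;
            "Not affected")  state=NOT_AFFECTED ;;
            Mitigation*)     state=MITIGATED ;;
            *)               state=UNKNOWN ;;
        esac
        printf '%-22s %-13s %s\n' "$name" "$state" "$status"
    done
    return $rc
}

# Stand-alone use: check this host. A "Vulnerable" line after patching usually
# means the new kernel or microcode is not active yet (reboot), or the
# mitigation was switched off on the kernel command line.
if report_mitigations "$VULN_DIR"; then
    echo "result: no entry reports Vulnerable"
else
    echo "result: action needed (see the lines above)"
fi
```

Run it after the reboot that follows the kernel and BIOS updates; a Spectre v2 entry that still reads "Vulnerable" with a patched kernel typically points at missing microcode rather than a missing kernel update.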

Eclipse Database Replication

UniVerse Database Replication

Eclipse HA

Data replication frequency: typically “real time”
Time to recovery: typically a few minutes

Eclipse customers who want “real time” replication can use UniVerse’s native replication functionality. The software is configured to capture writes to the database and replicate them to a secondary server while preserving the integrity of the database. Recovery is also quick, since the Eclipse software is already up and running on the secondary server. This solution is implemented and supported directly by the database vendor, Rocket Software, so please contact your account manager for more details.

How do I set the IP address on my Digi PortServer?

NOTE: these steps must be performed from a workstation on the same LAN as the device. They work because a Digi with no address configured adopts the destination IP of the first ping that reaches its MAC address.

  • Record the MAC address of the Digi device (located on the label side (bottom) of the unit)
  • Manually add a static entry to the workstation’s ARP table for the Digi’s MAC using one of the commands below, substituting the new Digi’s IP address and MAC address (the accepted MAC format depends on the workstation’s OS; Linux arp expects colon-separated octets, e.g. 00:00:9d:22:23:60):
arp -s 192.168.2.2 00-00-9d-22-23-60
arp -s 192.168.2.2 00009d222360
  • Ping the Digi device using the IP address just assigned:
ping 192.168.2.2
  • When the Digi begins responding to pings, enter the IP into a web browser and log in (default user/pass root/dbps) to set the default gateway and subnet mask. Change the default root password at the same time: the factory credentials are public and the device is now reachable over the network.
  • Add the Digi device’s IP address to the /etc/hosts file on the Eclipse server:
    vi /etc/hosts
    192.168.2.2 digi
  • Notify Eclipse that the Digi is online by updating your service request online with the Digi IP address
  • Eclipse will verify connectivity to the Digi and continue the VSIFAX configuration process
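The ARP-entry, ping and /etc/hosts steps above, scripted for a Linux workstation on the Digi’s LAN. This is an added example, not Epicor or Digi tooling. It assumes net-tools arp, iputils ping (the -c and -W flags) and root privileges; the address 192.168.2.2, MAC 00-00-9d-22-23-60 and host name "digi" follow the page, and HOSTS_FILE can be pointed at a copy for a dry run.

```bash
#!/bin/bash
# Added example (not Epicor's or Digi's tooling): the ARP-entry / ping
# assignment steps above, scripted for a Linux workstation on the Digi's LAN.
# Assumes net-tools `arp`, iputils `ping` (-c/-W flags) and root privileges.
# The IP 192.168.2.2, MAC 00-00-9d-22-23-60 and host name "digi" are the
# page's values; HOSTS_FILE can be pointed at a test copy.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# normalize_mac MAC
#   Accepts 00-00-9d-22-23-60, 00:00:9d:22:23:60 or 00009d222360 (any case)
#   and prints the colon-separated form that Linux `arp -s` expects.
#   Returns 1 if the input is not 12 hex digits.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    case "$m" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#m}" -eq 12 ] || return 1
    printf '%s' "$m" | sed 's/\(..\)/\1:/g; s/:$//'
}

# add_hosts_entry FILE IP NAME
#   Appends "IP<TAB>NAME" unless NAME already appears in FILE outside a
#   comment, so re-running the script does not duplicate the entry.
add_hosts_entry() {
    file="$1" ip="$2" name="$3"
    if grep -v '^[[:space:]]*#' "$file" | grep -qw "$name"; then
        echo "hosts: entry for $name already present, leaving it alone"
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# assign_digi_ip IP MAC [TIMEOUT_SECONDS]
#   Static ARP entry first, then ping once a second until the Digi adopts
#   the address or the timeout (default 60 s) expires.
assign_digi_ip() {
    ip="$1" timeout="${3:-60}"
    mac=$(normalize_mac "$2") || { echo "bad MAC: $2" >&2; return 1; }
    arp -s "$ip" "$mac" || return 1
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if ping -c 1 -W 1 "$ip" > /dev/null 2>&1; then
            echo "Digi at $mac now answers on $ip"
            return 0
        fi
        i=$((i + 1))
    done
    echo "no reply from $ip after ${timeout}s; check the MAC and that you are on the same LAN" >&2
    return 1
}

# Stand-alone use (requires root and the device on the LAN):
#   assign_digi_ip 192.168.2.2 00-00-9d-22-23-60 && add_hosts_entry "$HOSTS_FILE" 192.168.2.2 digi
```

The MAC normalization exists because the two command forms shown on the page are Windows-style; Linux arp rejects both. The hosts-file helper is idempotent so the step can be repeated after a failed attempt without leaving duplicate entries behind.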

JDK TLS handshake error

The Eclipse PD team has identified that JBoss running on RHEL 5.x with Java 7u131 may crash when the Solar Eclipse SSL interface (e.g. Connection Pool, Session Manager) is accessed from a browser.

This is an Oracle Java bug, and it is expected to be fixed in the Java 7u141 release.

The workaround is to avoid Java 7u131: do not install the Java update, or downgrade to an older version if 7u131 has already been installed.

To downgrade Java to the previous build (package version 1.7.0.121, i.e. 7u121):

yum downgrade java-1.7.0-openjdk-1.7.0.121-2.6.8.1.el5_11

To exclude java updates when manually installing the RHEL updates:

yum update --exclude=java-1.7.0-openjdk-1.7.0.131*

If your system is set up with RHEL automatic updates, you may temporarily disable them and run manual updates (with the exclude above) until a fix is available.

To disable RHEL auto update:

chkconfig yum-updatesd off
service yum-updatesd stop
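Before choosing between the exclude and the downgrade, it helps to know which OpenJDK 7 build is actually installed. The script below is an added example, not Epicor tooling; it assumes RHEL’s package naming (java-1.7.0-openjdk-1.7.0.<update>-<release>) and classifies the build against the page’s statements: 7u131 is the build reported to crash, 7u141 is where the fix is expected, and anything in between is treated as affected because the page says nothing about it.

```bash
#!/bin/bash
# Added example (not Epicor's tooling): decide whether the installed OpenJDK 7
# build is the one the page flags (7u131) before choosing "exclude" or
# "downgrade". Assumes RHEL package naming java-1.7.0-openjdk-1.7.0.<update>-<release>.

# java7_update_number VERSION_RELEASE
#   "1.7.0.131-2.6.9.0.el5_11" -> 131. Prints nothing and returns 1 if the
#   string is not a 1.7.0.N version.
java7_update_number() {
    case "$1" in
        1.7.0.*) ;;
        *) return 1 ;;
    esac
    u=${1#1.7.0.}
    u=${u%%[!0-9]*}
    [ -n "$u" ] || return 1
    printf '%s\n' "$u"
}

# classify_java7 VERSION_RELEASE
#   ok         : older than 7u131, unaffected per the page (a downgrade target)
#   affected   : exactly 7u131, the build reported to crash
#   unverified : 7u132..7u140, not covered by the page, treat as affected
#   fixed      : 7u141 or later, where the fix is expected
#   unknown    : not a Java 7 version string (returns 1)
classify_java7() {
    u=$(java7_update_number "$1") || { echo unknown; return 1; }
    if   [ "$u" -lt 131 ]; then echo ok
    elif [ "$u" -eq 131 ]; then echo affected
    elif [ "$u" -lt 141 ]; then echo unverified
    else                        echo fixed
    fi
}

# Stand-alone use: inspect the installed package. rpm -q exits non-zero when
# the package is absent, so only query the version when it is present.
if command -v rpm > /dev/null 2>&1 && rpm -q java-1.7.0-openjdk > /dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.7.0-openjdk | head -n 1)
    echo "java-1.7.0-openjdk $installed -> $(classify_java7 "$installed")"
else
    echo "java-1.7.0-openjdk is not installed on this host"
fi
```

A result of "affected" means the downgrade command above applies; "ok" means only the exclude is needed to keep the update from arriving.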

Best practices for securing the Eclipse database server

  • Don’t allow direct access to the Linux server from the public Internet
  • Don’t use a weak root password
  • Disable remote root login (PermitRootLogin no in /etc/ssh/sshd_config)
  • Don’t allow Eclipse users to use blank passwords – enforce stronger passwords
  • Disable unwanted services
  • Enable the firewall
  • Keep your system up to date by installing updates (e.g. operating system, software and firmware updates) and rebooting on a monthly basis
  • Monitor server logs regularly
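Two of the items above (remote root login, blank passwords) can be verified directly from the configuration files rather than assumed. The script below is an added example, not Epicor tooling. It reads /etc/ssh/sshd_config and /etc/shadow by default (the latter needs root), and both paths can be overridden so the checks can run against copies. Note that sshd honours the first occurrence of a keyword and that settings inside a Match block are conditional, so the parser stops at the first Match line; when the keyword is absent, the OpenSSH versions shipped with RHEL 5 to 7 default to allowing root login.

```bash
#!/bin/bash
# Added example (not Epicor's tooling): quick checks for two of the hardening
# items above on a RHEL-style server. Paths default to the live files but can
# be overridden (SSHD_CONFIG, SHADOW_FILE) to run the checks against copies.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"

# sshd_permit_root_login FILE
#   Prints the effective PermitRootLogin value. sshd uses the first occurrence
#   of a keyword, and anything inside a Match block only applies conditionally,
#   so the scan stops at the first "Match" line. Commented lines ("#...") never
#   match because the keyword is compared as a whole first field. When unset,
#   the OpenSSH versions shipped with RHEL 5-7 default to "yes".
sshd_permit_root_login() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    awk 'BEGIN { v = "yes" }
         tolower($1) == "match"           { exit }
         tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print v }' "$1"
}

# root_login_ok FILE -> 0 only when remote root login is fully disabled
root_login_ok() {
    [ "$(sshd_permit_root_login "$1")" = no ]
}

# empty_password_accounts FILE
#   Lists accounts whose shadow password field is empty, i.e. accounts that can
#   log in with no password at all. Locked accounts ("!" / "*") are not listed.
empty_password_accounts() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Stand-alone report
echo "PermitRootLogin (effective): $(sshd_permit_root_login "$SSHD_CONFIG")"
if root_login_ok "$SSHD_CONFIG"; then
    echo "remote root login: disabled"
else
    echo "remote root login: NOT disabled, set 'PermitRootLogin no' and reload sshd"
fi
blank=$(empty_password_accounts "$SHADOW_FILE" 2>/dev/null || true)
if [ -n "$blank" ]; then
    echo "accounts with a blank password: $blank"
else
    echo "accounts with a blank password: none (or $SHADOW_FILE not readable)"
fi
```

The shadow check only covers Linux accounts; Eclipse application-level passwords are enforced inside Eclipse and need to be reviewed there as well.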