UPDATED: 10-JAN-2018 | Security Notification: "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5753 & CVE-2017-5715) - impact to APC products
Issue
Do the "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5753 & CVE-2017-5715) vulnerabilities impact APC products?
Product Line
Including but not limited to:
StruxureWare Data Center Expert (DCE)
StruxureWare Data Center Operation (DCO)
NetBotz Appliances
APC Network Management Cards
PowerChute Network Shutdown
PowerChute Business Edition
PowerChute Personal Edition
1ph and 3ph UPS
Cause
Schneider Electric has become aware of two side-channel attacks that leverage critical vulnerabilities in a wide range of computer CPUs. These vulnerabilities have been named Spectre and Meltdown. Spectre tricks other applications into accessing arbitrary locations in their memory. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. There have been no known exploits in the wild.
Resolution
Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. For the most up-to-date information and disclosure from the Schneider Electric Product Security Office, please visit the following URL, where the disclosure will be continuously updated as needed: https://www.schneider-electric.com/en/download/document/SEVD-2018-005-01/