Update – May 21, 2018
Planview is aware of the announcement of two new variants (3A and 4) of the Spectre and Meltdown vulnerabilities. To date there are no known exploits in the wild and both variants are considered to have a low security rating. As updates become available, Planview will evaluate and execute mitigation and remediation strategies to address these vulnerabilities.
Planview Response to Meltdown & Spectre
Since the announcement of the Meltdown and Spectre vulnerabilities on January 3, Planview has been working diligently with its partners and vendors to assess and implement patches. Much progress has been made across all the cloud services offered by Planview. The virtualization tier supporting most of Enterprise One, Planview Enterprise, Troux, Innotas, LeanKit, and Projectplace has been patched at a majority of the data centers. Planview staff continue to evaluate and test patches for the virtual tier at the following data centers: Sweden Sungard Data Center, Revera Data Center in New Zealand, OVH Data Center in Germany, and Rackspace Data Centers in the US and Europe. Operating system patches for the majority of Planview’s cloud services are in various stages of testing and implementation. LeanKit, however, has fully patched its operating systems and continues to monitor for patch revisions.
On Monday, January 22, Intel announced that cloud service providers and other vendors should stop deployment of current versions of patches. Intel claims that the root cause of the performance issues has recently been identified and that an updated fix is in progress. Further mitigation actions are on hold based upon this guidance.
The current risk level for a security breach is low; however, Planview recognizes that this problem is fluid and full resolution will take time. We take this vulnerability very seriously and are dedicated to ensuring that Planview cloud services are thoroughly patched and continuously monitored for any malicious activity.
Below are more detailed actions and status by product.
Enterprise One – Planview Enterprise – Troux
Enterprise One, Planview Enterprise, and Troux virtualization tiers have been patched in both the Woking Sungard and Austin vXchnge datacenters. For Troux customers hosted at Rackspace Austin, Planview continues to monitor Rackspace's efforts to patch its OpenStack virtual tier. Planview also continues to monitor efforts and plans from the hosting providers at the following data centers: Revera in New Zealand and OVH in Germany.
Load Balancers and other 3rd-party hardware providers
We are awaiting the release of patches from the providers of the load balancers (F5) and servers (Cisco Blades) used in the Woking Sungard and Austin vXchnge datacenters. Planview is closely monitoring these vendors for patch release dates.
Operating system patches are currently being evaluated in test environments to ensure security, functionality and performance are maximized before applying them in production environments. Dates for implementation in the production environment will be announced on this support page and in maintenance notifications.
As of January 04, AWS confirmed all environments, including the virtual tier supporting Projectplace customers hosted in AWS, have been patched. Planview staff continue to evaluate and test patches for the virtual tier supporting Projectplace out of its Sweden Sungard datacenter. CoreOS patching for the Sweden Sungard datacenter was completed January 19th. CoreOS patches for AWS-hosted customers will be updated this week. Since there have been multiple reports of potential performance degradation, Planview is currently assessing the Ubuntu operating system patches in test environments. To date most Ubuntu servers in the development environment have been updated and rebooted. Planview continues to monitor for performance issues. Dates for implementation in the production environment will be announced on this support page and in maintenance notifications.
As of January 4th, Azure’s infrastructure, including the virtual tier supporting LeanKit, was patched, rebooted and protected against these vulnerabilities. As of January 22, all supporting operating systems have been patched. Planview will continue to monitor for updates to existing patches.
Innotas by Planview (PPM Pro)
As of January 4th, AWS confirmed the virtualization tier (US, Canada, EU, and EMEA) supporting Innotas was patched, rebooted and protected from the recent Meltdown and Spectre vulnerabilities. AWS reported they “have not observed meaningful performance impact for the overwhelming majority of workloads”. Since there have been mixed reports of performance degradation when applying operating system patches, Planview is carefully assessing the Ubuntu operating system patches released January 9th. The current plan is to have the operating systems of all production systems patched by February 16th. Dates for implementation in the production environment will be announced on this support page and in maintenance notifications.