Measures taken to address the CPU vulnerabilities CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715

Update As Of: 2018/02/05 4:30 PM PST

The EDIS application infrastructure is provided by AWS. The development and testing environments pose no risk to customers. The production infrastructure does require risk mitigation. The production infrastructure consists of:

  1. EC2 instances for compute
  2. RDS database services

Action taken to address any known vulnerabilities in the EDIS infrastructure

EC2 instances for compute

All instances across the Amazon EC2 fleet are protected from all known instance-to-instance concerns of CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. This issue has been addressed for AWS hypervisors, and no instance can read the memory of another instance, nor can any instance read AWS hypervisor memory.

While all instances are protected as described above, AWS has recommended actions for Amazon EC2. We deem the risk to the service and data to be low; as such, the recommended patches will be applied during the March 2018 maintenance window.

RDS database services

AWS has finished protecting all infrastructure underlying RDS. Process-to-kernel or process-to-process concerns of this issue do not present a risk to EDIS. No further action will be required for the RDS services.