Many customers have received the recent news about a set of hardware (CPU) layer vulnerabilities, commonly referred to as Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754), and have recently contacted Zerto to determine whether ZVR replication components are susceptible to these vulnerabilities.
Zerto leverages underlying OS security in most cases and recommends taking the OS vendors steps in securing the OS (such as Windows). Zerto strongly urges customers to patch their Hypervisors and OSes per their software providers requirements as soon as possible as not doing so may leave the Zerto system vulnerable to attack via the Hypervisor /OS. With respect to the Zerto Virtual Replication Appliance (VRA) and Zerto Cloud Connector (ZCC), Zerto does maintain the OS. Because the VRA & ZCC are closed appliances that are secured by all the necessary measures a malicious user can not gain access to them to execute malicious code. Zerto also has a policy of upgrading the OS of its appliances (VRA & ZCC) with each major version that is released, as well as when there is a critical security patch that is being released.
In addition, Zerto also recommends following the these security practices:
- Zerto products (ZVM/ZCM/ZCA) should be installed on dedicated Windows Servers and should not be running other executables that are not required by the organization
- Windows operating systems running Zerto products should be patched with critical security updates, per your organizations security policies
As Windows and ESXi/Hyper-V patches are released to address this hardware layer vulnerability Zerto will continue to test these to ensure ZVR functionality is maintained after patches are applied.