Log4J, Meltdown & Spectre Vulnerabilities

This page outlines how the Meltdown (CVE-2017-5715) and Spectre (CVE-2017-5753, CVE-2017-5754) vulnerabilities apply to BrightSign players and the BrightSign Network. This statement is based on information from Broadcom (the SoC supplier for BrightSign), ARM (the CPU vendor for Broadcom), and others.

BrightSign Players

Meltdown

The Meltdown vulnerability has two variants. Variant 3 is common to all Intel x86 CPUs and a single ARM CPU core design, while Variant 3a is a minor vulnerability related to ARM CPUs.

Variant 3 (https://nvd.nist.gov/vuln/detail/CVE-2017-5715): Since BrightSign players do not use Intel CPUs or the affected ARM CPU core design, they are not affected by this variant.

Variant 3a (https://developer.arm.com/support/security-update): This vulnerability is present in the following BrightSign models: XTx43, XDx33, HDx23, LS423, and 4Kx42. This is a highly restricted variant of the Meltdown vulnerability and does not provide access to device memory. Neither ARM nor BrightSign believe that mitigations for this issue are necessary.

Spectre

The Spectre vulnerabilities affect the following models: XTx43, XDx33, HDx23, LS423, and 4Kx42. They may also affect the XDx32.

To exploit these vulnerabilities, an attacker must be able to run arbitrary code on a device; however, securely configured BrightSign players do not respond to requests from other sources on the network, and BrightSign recommends only retrieving/running content from trusted sources (such as a secure webpage, the BrightSign Network, or a BrightSign CMS partner). Even without using the Spectre vulnerabilities, an attacker could, if secure practices are not used, inject code using standard JavaScript/BrightScript libraries to steal sensitive information or affect the behavior of the player.

Mitigation

Aside from standard best practices, there are a number of mitigations that improve the resilience of BrightSign players against the Spectre vulnerabilities:

- The BrightSign implementation of the Chromium web browser does not enable WebAssembly or SharedArrayBuffer.
- The BPF just-in-time compiler is not enabled on BrightSign players.
- Chrome 64 contains mitigations to protect against the Spectre vulnerabilities. BrightSign will evaluate these patches and determine whether to include them in a firmware update.

BrightSign will continue to monitor further security developments and employ new mitigations when appropriate.

Java Apache Log4j

brightsignnetwork.com, BSN.cloud, BSNEE, and BrightAuthor:connected do not use Log4j and are not impacted by the related vulnerability. BrightSignOS does not contain Java; we do package the Java runtime as an extension. Any customers who use the Java extension should audit their application to confirm whether it uses Log4j and, if so, use a patched version that is not susceptible to CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228).

BrightSign Network

All BSN servers are hosted using Amazon Web Services (AWS). Amazon has patched all instances on their EC2 service to protect from the Meltdown and Spectre vulnerabilities. The BrightSign Network only runs trusted code on its servers, and the BrightSign Network's security measures protect BSN from various forms of attack that would allow arbitrary code to be run on BSN server instances.
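The Log4j section above asks customers running the Java extension to audit their application for Log4j. The following is an added example of such an audit, not BrightSign's code or tooling. It assumes the audit runs on a host that can read the deployed application's .jar/.war files (the directory is passed in by the caller); it identifies log4j-core by the presence of its JNDI lookup class and by the version recorded in the bundled Maven pom.properties, and it flags any log4j-core build older than 2.15.0, the first release that fixed CVE-2021-44228. Nested jars (fat jars, WAR libraries) are scanned recursively, since that is where a bundled Log4j usually hides.

```python
"""Audit a directory tree of Java archives for log4j-core builds affected by CVE-2021-44228.

Added example, not BrightSign's code. Assumes the caller supplies a directory that
contains the Java application's .jar/.war/.ear files.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Class implementing the JNDI lookup that CVE-2021-44228 abuses (present only in log4j-core).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; its "version=" line identifies the build.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First log4j-core release that fixed CVE-2021-44228.
FIRST_FIXED = (2, 15, 0)


@dataclass
class Finding:
    path: str                 # archive on disk; nested archives are written "outer.jar!inner.jar"
    version: Optional[str]    # log4j-core version from pom.properties, if readable
    has_jndi_lookup: bool     # JndiLookup.class present in this archive
    vulnerable: bool          # verdict for CVE-2021-44228


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0), so pre-releases sort as old."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def assess(version: Optional[str], has_jndi_lookup: bool) -> bool:
    """Vulnerable if log4j-core is present and older than 2.15.0.

    An archive that carries JndiLookup.class but no readable version is treated as
    vulnerable: stripping pom.properties does not remove the lookup.
    """
    if version is not None:
        return parse_version(version) < FIRST_FIXED
    return has_jndi_lookup


def inspect_archive(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    names = set(zf.namelist())
    version = None
    if LOG4J_CORE_POM in names:
        props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else None
    has_lookup = JNDI_LOOKUP_CLASS in names
    if version is not None or has_lookup:
        yield Finding(label, version, has_lookup, assess(version, has_lookup))
    # Recurse into archives bundled inside this one (fat jars, WAR WEB-INF/lib).
    for name in sorted(names):
        if name.endswith((".jar", ".war")):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from inspect_archive(inner, f"{label}!{name}")
            except zipfile.BadZipFile:
                continue


def audit(root: str) -> List[Finding]:
    """Walk root and return one Finding per archive (or nested archive) containing log4j-core."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


if __name__ == "__main__":
    import sys
    for f in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{status:10} {f.version or '?':10} {f.path}")
```

Run it as `python audit_log4j.py /path/to/app`; any line marked VULNERABLE names an archive whose log4j-core must be replaced with a patched release. The version check deliberately stops at the CVE-2021-44228 fix boundary named in the notice; later log4j-core releases addressed further issues, so treating "not older than 2.15.0" as "fully up to date" would be a mistake.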