Security Advisory

The MELTDOWN and SPECTRE vulnerabilities

Description

It has been known for a short while that serious flaws called Meltdown and Spectre create potential security problems for almost all computers. A solution for these problems, or at least most of them, has been created in the form of kernel patches and adjustments in the deepest levels of operating systems like Windows, Macintosh, Linux, and so on. OpenVPN Access Server itself is only a user-space program and does not run in the kernel, so we, as creators of the Access Server product, do not create these patches. However, we can inform our users how to get the necessary patches.

Resolution

Our OpenVPN Access Server appliances have for roughly the past 3 years been based on Ubuntu 13, Ubuntu 14 LTS, and Ubuntu 16 LTS. It is important to figure out which operating system your Access Server runs on, then take appropriate action to update the operating system software to get the patches, and verify that they have been installed. For Ubuntu specifically there is a page that describes very well how to patch Ubuntu:

For users who run another operating system, or an operating system that is no longer supported and updated by its maintainers, we recommend planning maintenance to set up a new installation and migrate data and activation keys (if applicable) to the new server setup, so that you can receive operating system updates and get the patches needed to mitigate the most problematic issues of Meltdown and Spectre. An alternative option is to perform an in-place dist-upgrade of the operating system, but success may vary, and there is a chance the activation keys may be invalidated in the process, requiring intervention from us to reissue your activation keys. The safest course of action when your operating system is no longer supported is to set up a new system with a supported OS and contact us to get activation keys migrated to the new system once things are set up and tested properly.
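
For the "figure out which operating system" and "verify that they have been installed" steps above, the following is an added example, not code from OpenVPN or Ubuntu. It assumes a Linux host whose kernel exposes /sys/devices/system/cpu/vulnerabilities; the function names and the ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example: report the OS release and the kernel's own Meltdown/Spectre
# status. ROOT (first argument) is a hypothetical parameter that lets the check
# read a copied or constructed tree; empty means the live system.

VULN_DIR=sys/devices/system/cpu/vulnerabilities

# Print "<ID> <VERSION_ID>" from os-release, e.g. "ubuntu 16.04".
os_release() {
    f="$1/etc/os-release"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    id=$(grep '^ID=' "$f" | head -n 1 | cut -d= -f2- | tr -d '"')
    ver=$(grep '^VERSION_ID=' "$f" | head -n 1 | cut -d= -f2- | tr -d '"')
    echo "${id:-unknown} ${ver:-unknown}"
}

# Classify one entry: mitigated | not-affected | vulnerable | unknown |
# unreported (file absent: the running kernel lacks this reporting interface,
# so treat the host as unpatched until shown otherwise).
mitigation_state() {
    f="$1/$VULN_DIR/$2"
    [ -r "$f" ] || { echo "unreported"; return 0; }
    case "$(cat "$f")" in
        "Not affected"*) echo "not-affected" ;;
        Mitigation*)     echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print a report; return non-zero if any entry still needs attention.
report() {
    root="${1:-}"
    rc=0
    echo "OS: $(os_release "$root")"
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(mitigation_state "$root" "$v")
        echo "$v: $s"
        case "$s" in mitigated|not-affected) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

report "${1:-}" || echo "Action needed: update the kernel, reboot, and re-run."
```

Run it after installing updates and rebooting, because these files describe the kernel that is currently running, not the one most recently installed on disk.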

More information on the Spectre and Meltdown issues can be found here:

More information about a migration process and how to update Access Server itself is here: