Access Manager and Meltdown / Spectre vulnerabilities (CVE-2017-5754, CVE-2017-5715 and CVE-2017-5753)

  • 7022531
  • 10-Jan-2018
  • 12-Mar-2018


Access Manager 4.4
Access Manager 4.3
Access Gateway Appliance
Access Manager Appliance
CVE-2017-5754 - Meltdown vulnerability
CVE-2017-5753 and CVE-2017-5715 - Spectre vulnerability


The recently reported Meltdown and Spectre vulnerabilities exploit critical flaws in modern processors. These hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. While programs are typically not allowed to read data from other programs, a malicious program can exploit Meltdown and Spectre to obtain access to the protected memory of other processes running on the vulnerable physical or virtual host.

Although most Access Manager components ship a number of Web-based applications that are not susceptible to these vulnerabilities, the applications run on operating systems that are vulnerable and will need to be patched. Access Manager also includes the Access Gateway Appliance and Access Manager Appliance, which ship with the SLES11 SP4 operating system and must also be patched.


Make sure that the Access Gateway or Access Manager Appliance update channels are set up and that the latest updates have been applied. The following RPM packages in the channel address these two vulnerabilities (exact versions may change, so the general packages below contain the updates):


For Access Manager components installed and running on top of the Windows or RHEL platforms, make sure the updates available from each vendor are applied:

- Microsoft Windows:
- Red Hat Enterprise Server:

For the Analytic Server Appliance, one extra step is required assuming the Security Update channel is configured as per

Running the security updates will only install the kernel update and not the second package, microcode_ctl-1.*.x86_64.rpm, as it is not installed by default. An extra step is required to install it: run ‘zypper in -f microcode_ctl-1.*.x86_64.rpm’ from the Analytic Server console.
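A post-update check for the gap described above, where the kernel update arrives but microcode_ctl does not. This is an added example, not part of the original article or the product; the function names and the sample listing are constructed, and the sysfs files are assumed to be exposed only by kernels that carry that interface.

```shell
#!/bin/sh
# Added example. Reads "NAME VERSION-RELEASE" lines on stdin, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Returns 0 if microcode_ctl is installed, 1 if missing, 2 if no input was read.
microcode_status() {
    awk '
        $1 == "microcode_ctl" { mc = $2 }
        $1 ~ /^kernel-/       { kernels++ }
        END {
            if (NR == 0) { print "no package data read"; exit 2 }
            if (mc == "") {
                print "microcode_ctl: MISSING (" (kernels + 0) " kernel package(s) present)"
                exit 1
            }
            print "microcode_ctl: " mc
        }'
}

# Prints what the running kernel reports for each issue. Assumption: the
# kernel exposes the sysfs vulnerabilities directory; if it does not, that is
# reported rather than treated as a failure. $1 overrides the directory.
mitigation_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then
            printf '%s: %s\n' "$v" "$(cat "$dir/$v")"
        else
            printf '%s: not reported by this kernel\n' "$v"
        fi
    done
}

# Constructed sample listing (placeholder versions, not from a real appliance):
# the kernel packages are present but microcode_ctl was never installed.
SAMPLE='kernel-default 0.0.0-0.1
kernel-firmware 0.0.0-0.1'
printf '%s\n' "$SAMPLE" | microcode_status ||
    echo "follow-up needed: zypper in -f microcode_ctl-1.*.x86_64.rpm"
mitigation_report
```

On a real system, pipe the `rpm -qa` query shown in the first comment into `microcode_status` instead of the sample.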


Security Alert

Additional Information

Some basic performance tests were run in a lab environment with and without the security patches on SLES 12 SP3 to get an idea of the overall impact. With the IDP, performance was very similar with and without the patch. The main difference was seen when accessing public pages on the Access Gateway, which is a less common setup.



|  | NAM 4.4 without SuSE patches (Transactions per second) | NAM 4.4 with SuSE patches (Transactions per second) | % performance difference |
|---|---|---|---|
| IDP logins with secure name password form |  |  |  |
| IDP Post credentials |  |  |  |
| PR access with secure name password form |  |  |  |
| Public page access with SSL (Single page for each request) |  |  |  |
| Public page access with SSL (10 pages for each request) |  |  |  |