...
This page outlines how the Meltdown (CVE-2017-5715) and Spectre (CVE-2017-5753, CVE-2017-5754) vulnerabilities apply to BrightSign players and the BrightSign Network. This statement is based on information from Broadcom (the SoC supplier for BrightSign), Arm (the CPU vendor for Broadcom), and others.
...
Aside from standard best practices, there are a number of mitigations that improve the resilience of BrightSign players against the Spectre vulnerabilities:
The BrightSign implementation of the Chromium web browser does not enable WebAssembly or SharedArrayBuffer.
The BPF just-in-time (JIT) compiler is not enabled on BrightSign players.
Chrome 64, due for release on January 23, 2018, will contain mitigations to protect against the Spectre vulnerabilities. BrightSign will evaluate these patches when they are released and determine whether to include them in a firmware update.
BrightSign will continue to monitor further security developments and employ new mitigations when appropriate.
Java Apache Log4j
BrightSignNetwork.com, BSN.Cloud, BSNEE, and BrightAuthor:connected do not use Log4j and are not impacted by the related vulnerability.
...
BrightSignOS does not contain Java. We do package the Java runtime as an extension: any customers who use the Java extension should audit their application to confirm whether it uses Log4j, and if so, use a patched version that is not susceptible to CVE-2021-44228.
BrightSign Network
All BSN servers are hosted using Amazon Web Services (AWS). Amazon has patched all instances on their EC2 service to protect against the Meltdown and Spectre vulnerabilities.
...