This page outlines how the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerabilities apply to BrightSign players and the BrightSign Network. This statement is based on information from Broadcom (the SoC supplier for BrightSign), Arm (which licenses the CPU core designs Broadcom uses), and others.
The Meltdown vulnerability has two variants. Variant 3 (CVE-2017-5754, rogue data cache load) affects Intel x86 CPUs and a single Arm CPU core design; Variant 3a is a minor variant specific to Arm CPUs.
Since BrightSign players use neither Intel CPUs nor the affected Arm core design, they are not affected by Variant 3.
Variant 3a is present in the following BrightSign models: XTx43, XDx33, HDx23, LS423, and 4Kx42. It is a highly restricted variant of Meltdown: at most it can leak the contents of certain system registers, and it does not provide access to device memory. Neither Arm nor BrightSign believes that mitigations for this issue are necessary.
The Spectre vulnerabilities (Variants 1 and 2) affect the following models: XTx43, XDx33, HDx23, LS423, and 4Kx42. They may also affect the XDx32.
Aside from standard best practices, there are a number of mitigations that improve the resilience of BrightSign players against the Spectre vulnerabilities:
- The BrightSign implementation of the Chromium web browser does not enable WebAssembly or SharedArrayBuffer. SharedArrayBuffer is the primitive that browser-based Spectre proofs of concept use to build the high-resolution timer needed for cache-timing measurements, so HTML content running on a player cannot easily obtain one.
- The BPF Just In Time compiler is not enabled on BrightSign players. The published Spectre Variant 1 proof of concept used the Linux kernel's eBPF subsystem to get attacker-controlled code speculatively executed in kernel context; on a standard Linux kernel the corresponding setting is the net.core.bpf_jit_enable sysctl.
- Chrome 64, due for release on January 23, 2018, will contain mitigations against the Spectre vulnerabilities. BrightSign will evaluate these patches when they are released and determine whether to include them in a firmware update.
BrightSign will continue to monitor further security developments and employ new mitigations when appropriate.
Java Apache Log4j
BrightSignNetwork.com, BSN.Cloud, BSNEE, and BrightAuthor:connected do not use log4j and are not impacted by the related vulnerability (CVE-2021-44228).
BrightSign OS does not contain Java. The Java runtime is packaged as an optional extension: any customers who use the Java extension should audit their application to confirm whether it uses log4j and, if so, use a patched version that is not susceptible to CVE-2021-44228.
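One way to carry out the audit the paragraph asks for, as an added example (this is not BrightSign's code and not part of the Java extension): a Python script that walks a directory of JAR/WAR files, descends into jars nested inside other archives, reads the log4j-core version recorded in its Maven pom.properties, checks whether the JndiLookup class (the class whose removal is Apache's documented mitigation) is present, and reports which archives are still exposed to CVE-2021-44228. The in-memory jars it builds when run without arguments are constructed fixtures, not real Log4j artifacts, and the directory layout it assumes (ordinary .jar/.war/.ear files on disk) is an assumption about how the application is deployed.

```python
"""Audit JAR/WAR/EAR files for a log4j-core vulnerable to CVE-2021-44228.

Added example, not BrightSign's code. Assumes the Java application is deployed
as ordinary archive files (possibly with jars nested inside .war/.ear/.jar).
Only CVE-2021-44228 is covered; later Log4j CVEs need their own checks.
"""
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release suffixes such as '-beta9' are dropped,
    which treats every 2.0 pre-release as affected (conservative)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def vulnerable_to_cve_2021_44228(version):
    """Apache's advisory: 2.0-beta9 through 2.14.1 are affected; fixed in 2.15.0,
    with backports 2.12.2 (Java 7) and 2.3.1 (Java 6). Log4j 1.x is out of scope."""
    if version is None or version[0] != 2:
        return False
    if version >= (2, 15, 0):
        return False
    if version[:2] == (2, 12) and version >= (2, 12, 2):
        return False
    if version[:2] == (2, 3) and version >= (2, 3, 1):
        return False
    return True


def verdict(version, has_jndi_lookup):
    """Combine both signals. No JndiLookup class means the JNDI code path is gone;
    an unknown version with the class present cannot be proven patched."""
    if not has_jndi_lookup:
        return False
    if version is None:
        return True
    return vulnerable_to_cve_2021_44228(version)


def inspect_archive(data, name):
    """Return a list of findings for one archive (bytes), recursing into nested ones."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": has_jndi,
                "vulnerable": verdict(version, has_jndi),
            })
        for member in names:  # jars shipped inside wars/ears/fat jars
            if member.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(member), f"{name}!{member}"))
    return findings


def scan_directory(root):
    """Scan every archive under root (recursively) and return all findings."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(p.read_bytes(), str(p)))
    return findings


def build_sample_jar(version, include_jndi_lookup):
    """Constructed fixture: a minimal fake log4j-core jar built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_app(inner_jar):
    """Constructed fixture: an application jar that bundles log4j-core under lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:  # no path given: demonstrate on the constructed fixture
        results = inspect_archive(build_sample_app(build_sample_jar("2.14.1", True)), "app.jar")
    for f in results:
        state = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{state} {f['archive']} version={f['version']} jndi_lookup={f['jndi_lookup_present']}")
```

Run it as `python audit_log4j.py /path/to/java/app` on the player's application directory. A finding is reported as vulnerable only when the JndiLookup class is still present and the version is either unknown or in the affected range, so a 2.14.x jar from which the class has been deleted is reported as ok, matching Apache's mitigation guidance for this CVE.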
All BSN servers are hosted on Amazon Web Services (AWS). Amazon has patched its EC2 infrastructure to protect instances from the Meltdown and Spectre vulnerabilities; this protects instances from one another, while the guest operating system inside each instance must also be patched to protect the processes within it.
Exploiting Meltdown or Spectre requires running attacker-controlled code on the target machine. The BrightSign Network runs only trusted code on its servers, and stringent security policies protect BSN against the forms of attack that could allow arbitrary code to run on BSN server instances.