We recommend that you patch the hypervisors where Device42 VM(s) is running. There is still some confusion about whether the VMs or Guest OS needs to be updated or not, especially given the locked down nature of the Device42 appliance. Out of an abundance of caution, we will be issuing an update to patch these as soon as they are available for the OS’s in use. We use ubuntu 14.04 LTS for Device42 appliance and we are still waiting for an official patch and will have an update ready soon after patch is available: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
Also, we use CentOS 7.3 for the remote collector. CentOS has released a patch and we are working on getting a release out with the fix for CentOS.