Security: Meltdown and Spectre
- Written by Jeffrey Smith
- on Jan 5, 2018
A recent critical security announcement covers three bugs, CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, which have been nicknamed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). They were found independently by several researchers, including Jann Horn of Google's Project Zero, who has written an excellent account of exactly how he found the issues.
As with any serious vulnerability found these days, it has to have a catchy name, a matching logo and a dedicated website, which says this about the two issues:
"Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."
These issues have been present in Intel CPUs since 1995 and went undiscovered until now. Spectre also affects AMD and ARM CPUs, because those processors implement speculative instruction execution as well, which means pretty much every major manufacturer is affected. The good news is that there is currently no known exploitation in the wild.
Hornbill's own cloud runs a mix of CentOS Linux and Windows. Both operating systems are affected by these issues and will require patching when the fixes are made publicly available. Our "Secure By Design" approach means we run our own bare-metal hardware and do not give anyone outside our own operations team direct access to our systems. We are in full control of the software that executes on our systems; our customers cannot run code on them, only access the services we provide. Since both attacks require attacker-controlled code to run on the same host as the data it targets, this significantly limits our exposure to these vulnerabilities.
The patch process will be the same as usual, except that we will begin applying the patches as soon as they are available. We first push to our development environment and run our tests. We then push to our beta environment, which Hornbill uses internally as its own production system. If no issues are found there, normally after 48 hours, we push to our production machines.
There has been speculation that a performance degradation of anywhere between 5% and 30% may be experienced after applying the patches; the cost depends heavily on the workload, and is highest for system-call-heavy services. We will of course be monitoring this after applying any patches and will do what we can to mitigate the impact for our customers.
Because this is an OS/kernel update, a reboot of the production systems will be required, which will happen in the usual maintenance windows.
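After the reboot, the one check worth running before declaring a host done is whether the new kernel itself reports its mitigations, rather than trusting the package update alone. The script below is an added example for this post, not Hornbill's own tooling. It assumes the kernel exposes the files under /sys/devices/system/cpu/vulnerabilities (upstream from Linux 4.15 and backported to the RHEL/CentOS 7 kernels); the SAMPLE_REPORT text is constructed for illustration, not captured from a real machine. The same classification is applied to the constructed sample and then to the live host.

```shell
#!/bin/sh
# Added example, not Hornbill's tooling: confirm that a booted kernel reports
# mitigations for Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753/5715).
#
# Assumption: the kernel exposes
#   /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# (upstream from 4.15, backported to RHEL/CentOS 7 kernels). Kernels that
# predate that interface report nothing here and must be checked another way.

SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Constructed sample (illustration only) of a host that has KPTI for Meltdown
# but no Spectre fix yet, in the "name: contents" shape read_sysfs produces.
SAMPLE_REPORT='meltdown: Mitigation: PTI
spectre_v1: Vulnerable
spectre_v2: Vulnerable'

# classify_status "<file contents>" -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# read_sysfs DIR -> one "name: contents" line per readable file in DIR.
read_sysfs() {
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f" 2>/dev/null)"
    done
}

# list_vulnerable <stdin: "name: contents" lines> -> prints the names whose
# status is vulnerable or unknown; returns 1 if any were found, 0 otherwise.
# "unknown" is deliberately a failure: a status string this script cannot
# interpret is not evidence that the host is patched.
list_vulnerable() {
    found=0
    while IFS= read -r line; do
        name=${line%%:*}
        status=${line#*: }
        [ -n "$name" ] || continue
        case "$(classify_status "$status")" in
            vulnerable|unknown) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# check_host DIR -> 0 when every reported issue is mitigated, 1 otherwise
# (including when DIR is absent, i.e. the kernel cannot report at all).
check_host() {
    if [ ! -d "$1" ]; then
        echo "no $1: this kernel does not report mitigation status" >&2
        return 1
    fi
    read_sysfs "$1" | list_vulnerable
}

# Run against the constructed sample first, then against the live host.
echo "sample report:"
printf '%s\n' "$SAMPLE_REPORT" | list_vulnerable || echo "  -> sample host still needs attention"
echo "this host:"
check_host "$SYSFS_VULN_DIR" && echo "  -> all reported issues mitigated" || echo "  -> still vulnerable or unreadable; re-check once the patched kernel is booted"
```

Run it once per host after the maintenance-window reboot and treat any name it prints as an unfinished patch. On the Windows hosts the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports the same three variants.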