Update on Meltdown and Spectre
January 9, 2018
This past week you may have heard of two major vulnerabilities, Meltdown and Spectre, that impact the large majority of computer processors, including those from Intel, AMD, and ARM. These vulnerabilities manipulate widely adopted performance-enhancing features built into most modern CPUs. This could allow an attacker who has already compromised a system to access contents of memory that would normally be hidden.
As of this date, no known exploits have been identified by any security experts, and a successful attack requires privileged access to the system with rights to run applications. Even with these mitigating factors, the DataBank team is proactively taking steps to address this issue.
Vendors are working on, or have already delivered, patches for operating systems and hypervisors. We are currently evaluating the delivered patches in our test lab environments while concurrently identifying potentially affected systems.
For Colocation Customers: We suggest you evaluate the patch in your test lab environment. There are reports that application of the patch could impact CPU performance by 5-30%. The impact on performance has been reported on database and application servers during peak load.
For IaaS Customers: We suggest you evaluate the patch in your test lab environment. You should apply patches to your servers after validation and testing. We will be applying patches to the underlying routers, switches, and VMware hypervisors. You will be notified if your services may be impacted in any way.
For PaaS and Managed Hosting Customers: We will initially focus on patching routers, switches, and hypervisors, and lastly on surrounding service systems such as load balancers and firewalls. We will schedule maintenance windows where applicable. Each maintenance window will be communicated in advance and include potential impact expectations and durations. Due to the lack of an exploit in combination with reports that installing patches has the potential to slow performance by 5-30%, we have opted to not push the patches out-of-band and ahead of schedule. Customers who utilize managed patching services for their operating system and application patches should see no changes to their existing patch window(s) for the compute layer of the environment. Operating system patches will be applied as per your current schedule. If you desire to advance the patching schedule, you may do so through a request ticket to our support teams.
DataBank runs mission-critical functions for our customers, and our team will continue to work diligently to maintain the highest level of security and uptime. Our defense-in-depth approach involves multiple levels of security that will protect your data even if one layer were to be breached via a vulnerability. For more information on Meltdown and Spectre, we recommend reading the following link posted by 451 Research on January 5th. We will continue to update our customers on steps that we are taking to address this situation. We encourage our customers to review details about this vulnerability from the U.S. Computer Emergency Response Team (US-CERT) at https://www.us-cert.gov/. Further reading and academic papers on the subject can be found at https://meltdownattack.com/. We will continue to communicate with impacted customers as needed and provide the consultation and guidance necessary to see us all through this challenging effort.