Meltdown and Spectre Response

Overview

The Meltdown CVE-2017-5754 and Spectre CVE-2017-5753CVE-2017-5715 vulnerabilities affect modern microprocessors, such as those made by Intel.

Impact Summary

In a nutshell, these vulnerabilities are the result of physical design of some modern microprocessors. In order to increase the perceived speed of the core, the processor is designed to anticipate the next likely set of instructions, pre-process that result in parallel to whatever it is currently working on, and store that result. If that execution path is followed, the work is already done and the core can move on to whatever is next, if not, there is minimal cost for having done this predictive work.

Where the problem arises is when the predicted instruction is something that works with protected cache memory, before authorization to that protected memory has actually been given. If the "authorization" never happens, an attacker could still access that predicted result directly from memory.

In reality, an attack is very difficult to orchestrate, but virtually any data in an unpatched system could potentially be exposed. Patches have been applied at the hypervisor level for all Engine Yard maintained instances.

More about Meltdown and Spectre:

https://www.redhat.com/en/blog/what-are-meltdown-and-spectre-heres-what-you-need-know

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

https://lwn.net/Articles/742702/

https://www.meltdownattack.com

https://www.spectreattack.com

Initial Response

For  AWS and other multi-tenant service providers, it was vital to roll-out these updates immediately to ensure there was no risk of inappropriate data exposure between guests across hypervisor and hardware boundaries. Your Engine Yard supplied virtual environment is not multi-tenant, so the patches applied to the hypervisor level ensure your data is secure to the local system. Any remaining exposure, would either be the result of an internal attack, or through a secondary exploit the existence of which would be problematic all on its own.

Ongoing Response

At the time of this writing there are still bugs and issues being identified in the upstream Linux Kernel patches which may impact operational stability. Engine Yard is monitoring all relevant developments with regards to the Meltdown and Spectre vulnerabilities, and specifically keeping track of the status of relevant Linux Kernel patches and updates addressing the Meltdown and Spectre vulnerabilities. Engine Yard will fully resolve Meltdown and Spectre, to the extent a resolution is available in software, as soon as the available resolutions have matured to a stable state. While the software side of the industry works diligently to come up with patches to fix Meltdown and mitigate Spectre, only future hardware changes will fully resolve the issues with Spectre.

Once updates have been released, they will require a stack upgrade and either instance replacement or manual upgrade with reboot. These updates will only be available for Engine Yard Stacks Stable-v4, Stable-v5, and higher.

Due to the nature of the mitigation required so far against these vulnerabilities, the applied Linux kernel updates will reduce performance for some workloads. The magnitude of the performance impact will vary depending on the specifics of the workload. We encourage customers to monitor the performance of critical workloads after the update is applied. Setting up a staging environment to gauge the impact of these updates is recommended. If you need any assistance with this please reach out to our support team.