A brief status of Meltdown and Spectre mitigation

Spectre & Meltdown


Obviously there has been a lot of chatter about Spectre and Meltdown. Here is some limited info about patching and mitigation from some of the vendors. Patches are available for most products, with some limiting factors. Given the scope of these vulnerabilities, some performance impact can be expected. Red Hat's Performance Team released the following information about the mitigation of these CVEs on (most likely) Red Hat systems:

Measurable: 8-19% - Highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions are impacted between 8-19%. Examples include OLTP Workloads (tpc), sysbench, pgbench, netperf (< 256 byte), and fio (random I/O to NvME).

Modest: 3-7% - Database analytics, Decision Support System (DSS), and Java VMs are impacted less than the “Measurable” category. These applications may have significant sequential disk or network traffic, but kernel/device drivers are able to aggregate requests to a moderate level of kernel-to-user transitions. Examples include SPECjbb2005, Queries/Hour and overall analytic timing (sec).

Small: 2-5% - HPC (High Performance Computing) CPU-intensive workloads are affected the least with only 2-5% performance impact because jobs run mostly in user space and are scheduled using cpu-pinning or numa-control. Examples include Linpack NxN on x86 and SPECcpu2006.

Minimal: Linux accelerator technologies that generally bypass the kernel in favor of user direct access are the least affected, with less than 2% overhead measured. Examples tested include DPDK (VsPERF at 64 byte) and OpenOnload (STAC-N). Userspace accesses to VDSO like get-time-of-day are not impacted. We expect similar minimal impact for other offloads.

NOTE: Because microbenchmarks like netperf/uperf, iozone, and fio are designed to stress a specific hardware component or operation, their results are not generally representative of customer workload. Some microbenchmarks have shown a larger performance impact, related to the specific area they stress.

State of Mitigation

AWS Disclosure:

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Ubuntu:

https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

2018 Jan 07: Candidate kernels are beginning to be made available for testing at ppa:canonical-kernel-team/pti. This initial round will address CVE-2017-5754 (aka Meltdown or Variant 3) for x86_64. We will address CVE-2017-5715 and CVE-2017-5753 (aka Spectre or Variant 1 & 2) in a subsequent round. We will also address additional architectures in subsequent rounds. Kernels currently available are as follows. We will continue to update this table as more become available:

  • Artful 17.10
  • Xenial 16.04
  • Trusty 14.04

Core / Cloud Image Updates - TBD

RedHat:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6.7 Extended Update Support
  • Red Hat Enterprise Linux 5 Extended Lifecycle Support

RancherOS:

https://github.com/rancher/os/releases

v1.1.3 includes an updated kernel that addresses Meltdown.
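Once one of the kernels above is installed, the question for an operator is what the running kernel actually reports for the three CVEs. The following POSIX shell check is an added example, not part of this gist or of any vendor's tooling; it assumes a kernel that exports /sys/devices/system/cpu/vulnerabilities/ (the patched kernels from this period do; older kernels lack the directory and are reported as unknown, which the check treats as a failure).

```shell
#!/bin/sh
# Added example: classify speculative-execution mitigation status on a Linux host.
# Assumption: the kernel exports /sys/devices/system/cpu/vulnerabilities/{meltdown,
# spectre_v1,spectre_v2}. SYSFS_VULN_DIR may be overridden for testing.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> not_affected | mitigated | vulnerable | unknown
# "Vulnerable: ..." (a partial mitigation) is still reported as vulnerable,
# because that prefix is the kernel's own verdict.
classify_status() {
    case "$1" in
        "Not affected") echo not_affected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# cve_for NAME -> the CVE identifier the vendor notices above use for that variant
cve_for() {
    case "$1" in
        meltdown)   echo CVE-2017-5754 ;;
        spectre_v1) echo CVE-2017-5753 ;;
        spectre_v2) echo CVE-2017-5715 ;;
        *)          echo "" ;;
    esac
}

# check_host -> one line per variant; returns 1 if any variant is vulnerable or unknown
check_host() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        f="$SYSFS_VULN_DIR/$v"
        if [ -r "$f" ]; then raw=$(cat "$f"); else raw=""; fi
        st=$(classify_status "$raw")
        printf '%-10s %-14s %-12s %s\n' "$v" "$(cve_for "$v")" "$st" "${raw:-<no sysfs entry>}"
        [ "$st" = not_affected ] || [ "$st" = mitigated ] || rc=1
    done
    return $rc
}

# Run the live check only when invoked as: sh check_mitigations.sh --run
case "${1:-}" in
    --run) check_host ;;
esac
```

A non-zero exit means at least one variant is not reported as mitigated (or the kernel predates the sysfs interface), which is the signal to schedule the vendor update listed for that distribution.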

Windows:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Customers using Windows server operating systems including Windows Server 2008 R2 Service Pack 1, Windows Server 2012 R2, and Windows Server 2016 need to apply firmware and software updates as well as configure protections. See Microsoft Knowledge Base Article 4072698 for additional information, including workarounds.

  • Windows Server, version 1709 (Server Core Installation)
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008

CoreOS:

https://coreos.com/blog/container-linux-meltdown-patch

New releases of Container Linux addressing the Meltdown attack, caused by vulnerabilities in many modern processors, are now available in all three Container Linux release channels: Alpha 1649.0.0, Beta 1632.1.0, and Stable 1576.5.0. Updates are rolling out to the Alpha and Beta channels now, and should complete over the next 24-48 hours. By default, Container Linux will apply these updates automatically, but systems with non-default configurations should be manually updated as soon as possible.
