Contact Us

Spectre and Meltdown vulnerability

Back

We would like to inform you in this form of an important event (about which you may already know yourself). It also applies to the security of your SQL Servers. We think we should have this initiative from our side.

This is a new form of Spectre (branch target injection) and Meltdown (rogue data cache load) attacks that opens the attacker software's ability to interfere with OS isolation and gain access to sensitive encrypted data of other applications in the server's memory. This bug is caused by the bugs found in the processor architecture (Intel) running on (usally) all of your SQL servers. More Info about these attacks can be found here and here. The problem concerns both physical and virtualization hosts.

What to do:

Verify the status of your servers using the PWshell tool.
It is necessary to go to the pages of each vendor of your Hardware and follow their recommendations. This will primarily involve patching the BIOS, OS, and application layer. From the point of view of Microsoft, we already know that it is pushing for new security updates for OS (KB4056892) that need to be implemented, in the SQL Server area and we are expecting the release of new CUs in the near future (so far we have release only for SQL 2016 SP1 and 2017).

Impact on building systems. After deploying fixes, your systems will experience performance in single-threaded operations typically maintained by the server in RAM and by shared IO disk readings (including NvME). So OLTP transaction systems will record a serious 8-20% performance slowdown. It should be remembered that this can not be avoided if you do not want to operate our systems in an unsecured environment. We still recommend to patch servers and secure them from this thread. 

 

More information about the event is also provided by the vendors themselves.

Cisco

CPU Side-Channel Information Disclosure Vulnerabilities

Dell

Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)

Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products  (This is for client hardware)

Fujitsu

CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

HPE

Side Channel Analysis Method allows information disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

Huawei

Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design

IBM

Potential CPU Security Issue

Lenovo

Reading Privileged Memory with a Side Channel

 

Resources (Thanks to Glenn Berry):

https://www.sqlskills.com/blogs/glenn/microsoft-sql-server-updates-for-meltdown-and-spectre-exploits/

https://www.sqlskills.com/blogs/glenn/performance-effects-of-meltdown-and-partial-spectre-fixes-on-intel-core-i7-7500u-laptop/

 

 

More tips and tricks

SMT 1.4.0 available
by Michal Tinthofer on 26/08/2021

We will be releasing SMT 1.4 in the next couple of days.

Read more
Tool to measure Index Selectivity
by Michal Tinthofer on 05/06/2012

Sometimes when you plan to change your index design is good to know the columns of your tables. But not just a data type and max size.

Read more
Issues with Service Pack Install
by Michal Tinthofer on 13/04/2012

Recently I had some issues with SQL server 2008 R2 service pack 1 installation. From first perspective it looks like an issue with corrupted installation package, but true issue was somewhere else. It was a windows installer.

Read more