Spectre and Meltdown vulnerability

Back

We would like to inform you in this form of an important event (about which you may already know yourself). It also applies to the security of your SQL Servers. We think we should have this initiative from our side.

This is a new form of Spectre (branch target injection) and Meltdown (rogue data cache load) attacks that opens the attacker software's ability to interfere with OS isolation and gain access to sensitive encrypted data of other applications in the server's memory. This bug is caused by the bugs found in the processor architecture (Intel) running on (usally) all of your SQL servers. More Info about these attacks can be found here and here. The problem concerns both physical and virtualization hosts.

What to do:

Verify the status of your servers using the PWshell tool.
It is necessary to go to the pages of each vendor of your Hardware and follow their recommendations. This will primarily involve patching the BIOS, OS, and application layer. From the point of view of Microsoft, we already know that it is pushing for new security updates for OS (KB4056892) that need to be implemented, in the SQL Server area and we are expecting the release of new CUs in the near future (so far we have release only for SQL 2016 SP1 and 2017).

Impact on building systems. After deploying fixes, your systems will experience performance in single-threaded operations typically maintained by the server in RAM and by shared IO disk readings (including NvME). So OLTP transaction systems will record a serious 8-20% performance slowdown. It should be remembered that this can not be avoided if you do not want to operate our systems in an unsecured environment. We still recommend to patch servers and secure them from this thread. 

 

More information about the event is also provided by the vendors themselves.

Cisco

CPU Side-Channel Information Disclosure Vulnerabilities

Dell

Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)

Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products  (This is for client hardware)

Fujitsu

CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

HPE

Side Channel Analysis Method allows information disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

Huawei

Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design

IBM

Potential CPU Security Issue

Lenovo

Reading Privileged Memory with a Side Channel

 

Resources (Thanks to Glenn Berry):

https://www.sqlskills.com/blogs/glenn/microsoft-sql-server-updates-for-meltdown-and-spectre-exploits/

https://www.sqlskills.com/blogs/glenn/performance-effects-of-meltdown-and-partial-spectre-fixes-on-intel-core-i7-7500u-laptop/

 

 

More tips and tricks

TechEd 2019
by Michal Tinthofer on 09/05/2019

We will be presenting at TechEd in Prague next week!

Read more
Usefull SQL Tools
by Michal Tinthofer on 24/07/2013

A few weeks ago a had task to create procedure for testing workload from production server on test environment.Itsurely wasn't a big deal, but I need to learnmanycustomer employees to repeat this task on regular base. I started to look if somehow I could

Read more
SMT 1.9 is ready
by Jiri Dolezalek on 12/05/2023

What to expect from new SMT version?

Read more