From the Inside January/February 2018
Spectre and Meltdown
By now, you have probably heard all about the major bugs in Intel, ARM, and AMD processors. Since this vulnerability affects just about all processor types, you will probably need to update your phone, your tablet, your PC, and all of your servers in the coming weeks. Why and how does it affect everything?
What is this Bug About?
I hope everyone has been trying to keep up with the details of this bug, but in case you are not completely sure what it is, I'll cover the key points.
Modern (since the early 2000s) processors use what's known as "out-of-order" execution. This is somewhat similar to the way databases will read-ahead on the disk to improve performance. The CPU will execute a series of instructions before the first one has been completed.
Unfortunately, an attacker can pass code that will fail and, using some trickery and the behaviour of the CPU caches, reconstruct and steal (at up to 500 kb/s) the contents of kernel memory. This means things like passwords, which are normally secured in kernel memory, can be stolen very easily by an attacker.
Should I Patch?
This is a deadly serious bug that is easy to exploit. Patching the problem has been more complex than originally thought. Make sure you go through your normal test cycle with patch validation. None of the patches provided have gone through major testing, so there may be issues that crop up over the next year.
Here is a good comprehensive listing of patches, provided by Allan Hirt of SQLHA. Yes, I know, it's an SQL site, but he did a really good job putting together the most comprehensive reference I've seen so far.
Will this affect my VMWare guest?
Yes. This bug can be used to read information across guest boundaries: if one guest is running code that uses this exploit, it is able to access information that another guest was using.
Will This Impact My Performance?
We are only just now figuring out how big a hit we will take on speed of execution. I've talked to the MultiValue Database providers to see what their thoughts are. As of this writing, they are still evaluating. It really depends on the file types that are being used, and how your database is set up to cache frames and groups in memory. Check with your database providers to find out your options.
If you are running on virtual hardware, then there is a large chance that you will see more of an impact than databases running on bare metal.
In order to help with performance, Microsoft is offering a registry option to not include the microcode fixes. The advantage is that the patch becomes optional, but in the longer term, if you are audited, you may be found to be out of compliance.
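Whether you take the patch or opt out of part of it, the question an auditor will ask is what the host actually reports, not what was installed. The script below is an added example (not from this column and not from any database vendor) that reads the kernel's own view of mitigation status on a Linux host. It assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities/ files (Linux 4.15 and later, plus distribution backports); on older kernels, or on Windows, it reports "unknown" rather than guessing. The sample directory it builds for a dry run is constructed data, not output from a real machine.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Spectre/Meltdown mitigation
# status so a patch can be validated after install rather than assumed.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/*.

# report_mitigations [DIR]
# Prints one line per vulnerability file in DIR and returns:
#   0  every listed issue reports a mitigation (or "Not affected")
#   1  at least one issue reports "Vulnerable"
#   2  DIR does not exist (kernel too old to report, or not Linux)
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "unknown: $dir not present"; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        state=$(cat "$f")
        case "$state" in
            Vulnerable*) echo "VULNERABLE $name: $state"; rc=1 ;;
            *)           echo "ok         $name: $state" ;;
        esac
    done
    return $rc
}

# Constructed sample data (not from a real host) so the check can be
# exercised offline: one mitigated entry and one unmitigated entry.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf '%s' "$d"
}

# When run directly, check the real sysfs path and summarise the result.
if report_mitigations; then
    echo "all reported issues mitigated"
else
    echo "check finished with status $?"
fi
```

Run it as part of patch validation on each host and keep the output with the change record; a "VULNERABLE" line after a reboot means the update (or the microcode it depends on) did not take effect.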
All this will get better over time as software patches are released and databases are altered to make fewer kernel calls. (This is something that jBase is currently doing with their Dynamic Files.)
Ultimately, the CPU chips will be fixed. Intel has already committed to a fixed chipset by the end of the year. Personally, I would wait until they have had enough of these chips running before upgrading, since I believe this will be a bigger issue to resolve than they are letting on. We have already seen lots of "rush job" patches come out of Intel, which they withdrew within 24 hours of release.
You should also read more here: