
Spectre and Meltdown

Security vulnerabilities called Spectre and Meltdown, which affect many Intel, AMD and ARM processors, have recently been disclosed. These are potentially significant vulnerabilities affecting millions of devices worldwide, and CPU, OEM and OS vendors are all working to resolve them.

Full details on the vulnerabilities can be found in this article: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Patches and firmware are now being released to protect against these vulnerabilities. In some cases, vendors are reporting that while these can have a performance impact, this is not significant in the majority of workloads. 

Most other organizations running virtualized infrastructures have also not reported material performance impacts for the majority of workloads. This includes Amazon EC2, which, like Zynstra, makes use of the Xen hypervisor. AWS and Microsoft Azure have released the following articles reporting no significant performance impact: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/ and https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

Zynstra is testing and benchmarking these patches, and will automatically deploy them to hardware firmware, hypervisors, infrastructure and Zynstra-managed VMs on its systems as part of our standard keep-current process. This page will be updated as further information becomes available, and individual customers will be contacted in advance, as normal, before any patches are installed, to agree a suitable maintenance window.

 

For Custom VMs (which are not managed by Zynstra, e.g. ZAPP1, ZAPP2), customers and partners should ensure operating system patches are deployed. For Windows operating systems, unlike with most updates, manual steps are sometimes needed first in order to receive the patch via Windows Update, as explained here: https://support.microsoft.com/en-ca/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software (though the patches can also be downloaded and installed manually).

Once the patch is installed, Server editions need a further manual step for it to provide complete mitigation: registry keys must be set to enable the mitigation, as explained here: https://support.microsoft.com/en-ca/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
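A read-only check for Custom VMs of the two manual steps described above. This is an added example, not a Zynstra or Microsoft script. The registry paths, value names and expected values are assumptions taken from the January 2018 versions of the two linked Microsoft articles and should be confirmed against them before relying on the result.

```powershell
# Added example: reports the registry settings tied to the two manual steps.
# It only reads the registry; it changes nothing.
# ASSUMPTION: paths, names and expected values follow the January 2018
# Microsoft guidance linked on this page. Confirm them against those articles.

$mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$qcPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$qcName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-SpeculationSettings {
    # Step 1: flag set by compatible antivirus software so that Windows Update
    # offers the patch. Step 2: values that enable the mitigation on Server.
    $checks = @(
        @{ Step = 'Receive patch';     Path = $qcPath; Name = $qcName;                       Expected = 0 },
        @{ Step = 'Enable mitigation'; Path = $mmPath; Name = 'FeatureSettingsOverride';     Expected = 0 },
        @{ Step = 'Enable mitigation'; Path = $mmPath; Name = 'FeatureSettingsOverrideMask'; Expected = 3 }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Step     = $c.Step
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            # A missing value is reported as not OK: on Server editions the
            # mitigation is not enabled until the values are set explicitly.
            Ok       = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

$report = @(Test-SpeculationSettings)
$report | Format-Table -AutoSize

# Non-zero exit code lets a monitoring job or deployment script flag the VM.
if ($report.Ok -contains $false) {
    Write-Warning 'One or more settings differ from the expected values.'
    exit 1
}
```

Run it in an elevated PowerShell session on each Custom VM after patching.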

 

These vulnerabilities allow unprivileged processes running on unpatched systems to potentially read, but not write, delete or corrupt, the memory spaces of other privileged and unprivileged processes. The vulnerabilities cannot be remotely triggered and exploited. Following general IT security best practices, such as separation of VMs, user privileges and access, and keeping systems up to date and secured (which the Zynstra solution is designed to do in terms of its infrastructure layers), will therefore provide some mitigation against external actors looking to exploit these vulnerabilities, by preventing exploit code from being delivered to and running on target systems.
