skip to Main Content

blog Meltdown Spectre

Massive security issues have been announced today, grabbing the attention of technology executives everywhere.  “Meltdown” and “Spectre” are essentially bugs responsible for leaking sensitive data by exploiting vulnerabilities in modern processors. These are found at a fundamental level and allow critical information such as passwords, proprietary information or encrypted communications to be exposed.

What exactly are these “bugs” doing?

Meltdown and Spectre affect personal computers, servers, mobile devices, and the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers. So what does that mean to you?

The bottom line is that any chip manufactured the past few decades could be vulnerable at the hardware architecture level, which means that regardless of the OS, any software platform running on hardware that contains those chips could be vulnerable.  It’s important to note, however, that exploiting this vulnerability requires local account access to the hardware itself along with a very rigorous and challenging process to access and extract sensitive information.

Meltdown & Specter + SAP… Cue the kernel panic

While Meltdown and Spectre are most certainly relevant to everyone, they can be of particular concern to those running SAP landscapes in Cloud environments. This is due to the especially sensitive nature of the data passed between distributed systems that not only operate in concert to support business processes, but also run in shared infrastructure environments where a low-level vulnerability of this magnitude could facilitate access to another tenant’s sensitive data.

A lessor, but still disconcerting element of this vulnerability is that patching against it may in fact negatively impact CPU performance through implementation of technologies like Kernel Page Table Isolation (KPTI) which isolate user-mode processes from kernel memory. Application and database platforms that are heavily dependent on CPU horsepower and/or make frequent system calls may be particularly susceptible, though there are high profile R&D teams producing benchmarks that suggest minimal impacts for many workloads.

Regardless of impact, running SAP in the Symmetry Cloud means access to the full skill set of our on-staff Consultants and Engineers, dedication to a secure environment, and a commitment to performance through SLAs.

How can I know who’s been affected?

The short answer is nearly every computer and device has been affected – and fixes can be completed partially, and over time. While many devices are “affected” or “vulnerable” to these flaws, that’s not the same thing as saying they’re wide open to attack. Intel, AMD, ARM and others have spent the past few months creating workarounds and mitigations, while researchers investigated and collaborated on solutions.

How should your provider be responding?

Symmetry is already protecting our customers by performing rolling upgrades of all VMWare ESXi hosts that provide Intel-based hosting for Windows and Linux operating systems (including HANA) in all of our data center locations. This addresses recent critical hardware vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 which present risk of non-privileged processes ability to access privileged kernel space.

For the vast majority of systems this activity should not impact the availability of your systems and many hosts are already protected by patches deployed last November.  Furthermore, our experts are providing verification and testing of the changes with these updates to the environment to address the critical security risks, and keep our systems operating at peak performance.

If you are not hosted on the Symmetry cloud, we recommend that you address this vulnerability ASAP with your cloud provider and/or internal IT staff. We are happy to provide additional recommendations or guidance to support this effort.

The Future

Unfortunately, this likely won’t be the last we hear from Meltdown/Spectre as the ultimate fix can only come from the chip manufacturers themselves. Until this happens, there will remain a risk that those who actively exploit such vulnerabilities will find a way around this kernel fix and future patches will be required. Rest assured that if you have robust layered security, best practices and adhere to a regimented patching schedule—which we do on the Symmetry Cloud—these vulnerabilities are very difficult to exploit.

 

Matt Lonstine, Director of Delivery

A Leader and SAP technical veteran, Matt Lonstine oversees the SAP Technologists that make up Symmetry’s Delivery team, while providing strategic guidance to customers. Matt has managed and executed some of Symmetry’s most complex projects with a current focus on HANA, virtualization, disaster recovery, system hardening, and migrations to Symmetry’s SAP Cloud environment.