Spectre and Meltdown vulnerability

Back

We would like to inform you in this form of an important event (about which you may already know yourself). It also applies to the security of your SQL Servers. We think we should have this initiative from our side.

This is a new form of Spectre (branch target injection) and Meltdown (rogue data cache load) attacks that opens the attacker software's ability to interfere with OS isolation and gain access to sensitive encrypted data of other applications in the server's memory. This bug is caused by the bugs found in the processor architecture (Intel) running on (usally) all of your SQL servers. More Info about these attacks can be found here and here. The problem concerns both physical and virtualization hosts.

What to do:

Verify the status of your servers using the PWshell tool.
It is necessary to go to the pages of each vendor of your Hardware and follow their recommendations. This will primarily involve patching the BIOS, OS, and application layer. From the point of view of Microsoft, we already know that it is pushing for new security updates for OS (KB4056892) that need to be implemented, in the SQL Server area and we are expecting the release of new CUs in the near future (so far we have release only for SQL 2016 SP1 and 2017).

Impact on building systems. After deploying fixes, your systems will experience performance in single-threaded operations typically maintained by the server in RAM and by shared IO disk readings (including NvME). So OLTP transaction systems will record a serious 8-20% performance slowdown. It should be remembered that this can not be avoided if you do not want to operate our systems in an unsecured environment. We still recommend to patch servers and secure them from this thread. 

 

More information about the event is also provided by the vendors themselves.

Cisco

CPU Side-Channel Information Disclosure Vulnerabilities

Dell

Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)

Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products  (This is for client hardware)

Fujitsu

CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

HPE

Side Channel Analysis Method allows information disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

Huawei

Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design

IBM

Potential CPU Security Issue

Lenovo

Reading Privileged Memory with a Side Channel

 

Resources (Thanks to Glenn Berry):

https://www.sqlskills.com/blogs/glenn/microsoft-sql-server-updates-for-meltdown-and-spectre-exploits/

https://www.sqlskills.com/blogs/glenn/performance-effects-of-meltdown-and-partial-spectre-fixes-on-intel-core-i7-7500u-laptop/

 

 

More tips and tricks

SMT 1.1 - updates
by Michal Tinthofer on 07/12/2020

Another changes to SMT are done and ready for the release

Read more
LATCH_EX Waits
by Michal Kovaľ on 27/04/2022

Recently we had a request to optimize LATCH_EX waits on one of the production servers for our customer. Today I would like to share with you our apporach and how we handled the situation.

Read more
Why is using proper ANSI settings important
by Jiri Dolezalek on 20/05/2021

You might have been wondering what all those ANSI settings are and how they can affect you work.

Read more