Update and Direction on Spectre and Meltdown Attacks

By Dorota Gibiino

10 January 2018

Spectre Meltdown

Following the recent global announcements relating to the vulnerabilities ‘Spectre’ and ‘Meltdown’ Centiq would like to share with our customers what we believe are the key points so far. There is large amount of information available, a good place to start being: Meltdown Attack

Operating System vendors have already released patches for these vulnerabilities. Links to the Red Hat and SUSE updates are referenced in this article. Use these links to understand how you may be affected, as they will also provide the most up to date information available. Please note, these articles will continue to change over time.

It is beneficial to always perform regular patching, however, be aware that this exploit requires the ability to execute code locally. Systems that do not readily provide a way for attackers to execute code locally face significantly lower risk.

Performance benchmarks on systems that have been patched, indicate that there will be an impact and increased overhead following application of these updates. This impact will vary. Applications that conduct a large amount of switching between user and system space are likely to hardest hit. So in theory a database system like HANA is likely to see a performance hit. Testing this impact on your most critically fast processes is recommended, but with the lightning fast performance of HANA systems, chances are your users will not notice the difference. So test that your system still delivers the performance you need and address the performance constraint if it is significant, don’t.

If you require a more comprehensive performance assessment of the patch, or think it’s time to assess general security of your systems, please get in touch with Centiq.

Additional information and considerations:

When applying these security updates, it will require disabling or bypassing the benefits provided by TSX Intel instruction, which HANA uses. This could potentially create performance issues which were not considered in the original HANA sizing.

Note released by SAP – 2585891:

“We are currently investigating the disclosed processor (CPU) security issues and will provide further details as they become available. Although these issues are not caused by SAP software, we recommend that all customers implement security patches provided by hardware and operating system providers as soon as they become available. Timely security patching of all IT systems is also the best method of protecting the SAP infrastructure.”

SUSE releases patches. Please note you must be on SLES11 SP4:

Up to date information on all patches have been released here: Technical Information Document Page.
Details on specific vulnerabilities will be posted here in CVE reports:

  • https://www.suse.com/security/cve/CVE-2017-5753/
  • https://www.suse.com/security/cve/CVE-2017-5715/
  • https://www.suse.com/security/cve/CVE-2017-5754/

Red Hat releases patches:
Up to date information on all patched have been released here: Kernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Details on specific vulnerabilities will be posted here in CVE reports:

  • https://access.redhat.com/security/cve/CVE-2017-5753
  • https://access.redhat.com/security/cve/CVE-2017-5715
  • https://access.redhat.com/security/cve/CVE-2017-5754

Please be aware, that applying maintenance updates will require a reboot for SuSE and Red Hat Linux Operating Systems. This update will require downtime and may lead to reduced performance of some applications.

This page will be updated with any new information as it becomes available.

*This is generic information regarding systems running SAP applications, however is not specific to SAP HANA appliances.

By Dorota Gibiino

10 January 2018