MELTDOWN AND SPECTRE UPDATE
Wednesday, February 7, 2018
Following on from my initial update of 5th January regarding the Meltdown and Spectre vulnerabilities affecting virtually every CPU purchased over the last 10 years, I thought it prudent to let you know the position today, and our plans to roll out relevant patches.
Our initial focus is on customers running on our Platform as a Service (PaaS) solution. On shared infrastructure these vulnerabilities allow a malicious or compromised tenant to read memory belonging to the host or to other tenants on the same hardware, so one customer's workload could expose another's data. We will nevertheless be applying the latest updates to all supported customers over the coming months.
The situation is more complex than simply updating Windows through the normal monthly patching cycle: patches must be applied at several tiers of the infrastructure (server firmware and CPU microcode, the hypervisor, and each guest operating system), and a guest is only fully protected once every tier beneath it has been updated.
UEFI firmware and BIOS updates. After releasing its initial CPU microcode updates, Intel found that the new code caused unexpected reboots on some CPU generations and withdrew it, meaning server vendors had to withdraw the BIOS/UEFI updates that bundled it. We are currently waiting for Intel to release revised microcode and for the server manufacturers to re-release BIOS/UEFI updates containing the fixed code. We will wait for a period before rolling out these updates in case of further quality issues.
VMware. A series of patches has been released for the affected versions of ESXi from 5.5 onwards. Anyone on a version below 5.5 therefore requires an upgrade, and we are taking the opportunity to upgrade all supported customers to v6.5. Our PaaS platform has been updated to run the latest patches available for each cluster. Note that the hypervisor-level mitigation for Spectre variant 2 also depends on the CPU microcode described above, so it is only complete once the firmware updates have been re-released and applied.
Microsoft patches. Initial testing by Microsoft found a compatibility issue with certain anti-virus products which could cause system crashes (blue screens). The January Windows updates therefore require the presence of a specific registry value, set by the anti-virus provider once they have confirmed their release is compatible; where no anti-virus is installed the value must be set manually. Spectre variant 2 still requires the firmware (microcode) updates for full mitigation, and those are currently not available. It is important that all servers are updated regardless, as the patches include fixes for other security issues as well as Meltdown/Spectre. All Windows updates going forward will require the presence of this registry value to flag compatibility before new updates are detected as applicable.
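The following is an added example, not part of the original update, showing how an administrator would verify the Windows prerequisites described above from an elevated PowerShell session: the anti-virus compatibility value, the values that switch the mitigations on for Windows Server (where they are installed but disabled by default), and a status report that shows whether the microcode needed for the Spectre variant 2 mitigation is present. The registry paths and the SpeculationControl module are Microsoft's; the function names are ours and assumed for illustration.

```powershell
# Added example: check and apply the Windows-side prerequisites for the
# January 2018 Meltdown/Spectre updates. Run elevated on Windows Server.

# 1. Anti-virus compatibility flag. Windows Update only offers the January
#    cumulative updates when this DWORD value exists under QualityCompat.
$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-e10a-4f2b-a5ed-1c3f2b0d4f9e'

function Test-QualityCompatFlag {
    $item = Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

function Set-QualityCompatFlag {
    # Only set this where no anti-virus product is installed. A compatible
    # AV vendor sets it itself; forcing it under an untested AV risks crashes.
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    New-ItemProperty -Path $compatKey -Name $compatValue -PropertyType DWord -Value 0 -Force | Out-Null
}

# 2. On Windows Server the kernel mitigations ship disabled and are enabled
#    by these two values (client editions enable them by default).
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Enable-SpectreMeltdownMitigations {
    New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverride'     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverrideMask' -PropertyType DWord -Value 3 -Force | Out-Null
    # A reboot is required before the kernel picks these up.
}

# 3. Report the effective state. BTIHardwarePresent stays $false until the
#    CPU microcode (BIOS/UEFI update) for Spectre variant 2 has been applied.
function Get-MitigationReport {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        CompatFlagPresent              = Test-QualityCompatFlag
        BTIHardwarePresent             = $s.BTIHardwarePresent        # Spectre v2: microcode in place?
        BTIWindowsSupportPresent       = $s.BTIWindowsSupportPresent  # Spectre v2: patched kernel?
        BTIWindowsSupportEnabled       = $s.BTIWindowsSupportEnabled  # Spectre v2: switched on?
        KVAShadowRequired              = $s.KVAShadowRequired         # Meltdown: is this CPU affected?
        KVAShadowWindowsSupportEnabled = $s.KVAShadowWindowsSupportEnabled  # Meltdown: KVA shadow on?
    }
}

Get-MitigationReport | Format-List
```

Run Get-MitigationReport before and after each patching step: a server on which CompatFlagPresent is false will not be offered the updates at all, and one reporting BTIHardwarePresent false after the Windows update is installed is the expected state until the revised firmware arrives.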
Linux patches. Kernel updates have been released that mitigate Meltdown (kernel page-table isolation) and both variants of Spectre; the updated kernels report the mitigation state per vulnerability under /sys/devices/system/cpu/vulnerabilities. As with Windows above, variant 2 still requires the firmware (microcode) updates for full mitigation.
Some performance impact has been observed when the Meltdown and Spectre mitigations are enabled. The impact varies, largely with the age of the CPU and with how system-call and I/O intensive the workload is. We are monitoring the effect on specific workloads and will work with our customers to ensure the user experience is not impacted.