'Spectre' & 'Meltdown' – What Cloud Users Need to Know

Don't forget to upgrade your browsers; vendors dispute reports of significant performance slowdowns due to patching; and containers and hypervisors don't get a free pass.

Mitch Wagner, Executive Editor, Light Reading

January 8, 2018

6 Min Read
'Spectre' & 'Meltdown'  – What Cloud Users Need to Know

For enterprise cloud users worried about Spectre and Meltdown, there's good news and bad news. The good news is that cloud users don't have any special vulnerabilities compared with their legacy and consumer counterparts.The bad news is that the cloud doesn't provide any special protections either.And cloud applications face special challenges due to the nature of how they operate and are consumed.News of the Spectre and Meltdown threats broke last week. These are separate, but similar, vulnerabilities. Meltdown affects nearly every Intel processor made since 1995, and Spectre affects Intel Corp. (Nasdaq: INTC), Advanced Micro Devices Inc. (NYSE: AMD) and ARM Ltd. processors, according to a web page posted by the researchers who discovered the vulnerabilities. The vulnerabilities can allow an attacker to read any information stored in memory, including passwords, proprietary business data and confidential user information. (See New Intel Vulnerability Hits Almost Everyone and Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive.)At least three billion chips have the Spectre security hole, the more widespread of the vulnerabilities, according to a report on MIT Technology Review. That's all Apple Mac and iOS products, with the exception of the Apple Watch, for a total of a billion or so devices. Android devices number more than two billion, and the security flaw could affect about 500 million of those. (See Intel: We've Patched Most Chips for 'Spectre' & 'Meltdown'.)On the PC and server side, Intel and AMD account for more than a billion chips. Smaller chipmakers, such as IBM Corp. (NYSE: IBM), say some of their chips are affected as well.Chip and software vendors are rolling out patches, but these only mitigate the problem. The ultimate cure will be replacing the affected systems.Until then, users need to install patches on on-premises systems, and stay on top of their cloud providers to ensure those services are patching their systems as well."This is no different than bugs that come out every year. This just means you have to stay on top of the game. You have to patch," Manoj "Marty" Puranik, president and CEO of cloud hosting provider Atlantic.net, tells Enterprise Cloud News.Figure 1:Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.Browsers are a particular concern to cloud users, because cloud applications are frequently consumed through the browser. An attacker wanting to take advantage of the Spectre vulnerability needs to run code on a victim's computer, and a good way to do that is to post JavaScript to a website and then trick the user into visiting the site, through a phishing email or other subterfuge.To protect themselves, Google (Nasdaq: GOOG) recommends Chrome users turn on site isolation in the browser. The extra security helps stop a website from stealing data from another website, Google says. Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, to be released on or around January 23, and future Chrome releases will "include additional mitigations and hardening measures which will further reduce the impact of this class of attack," Google says.Microsoft Corp. (Nasdaq: MSFT) has already issued security updates which protect Microsoft Edge and Internet Explorer 11. Mozilla includes mitigations in beta and developer editions of Firefox. And Apple Inc. (Nasdaq: AAPL) said Friday it expects to release an update to Safari protecting against Spectre within days.Do patches slow down performance?Early reports said that mitigating the vulnerabilities would slow performance drastically. Slowdowns would be up to 20% according to Red Hat, and 5-30% according to The Register.But Google says the worst results come from unusual compute loads. Some of the tests demonstrating significant performance problems "focus solely on making API calls to the operating system, which does not represent the real-world scenario that customer software will encounter," the company said in a blog post Friday.Next page: What about containers and hypervisors?Google adds, "We believe solutions exist that introduce minimal performance impact, and expect such techniques will be adopted by software vendors over time. We designed and tested our mitigations for this issue to have minimal performance impact, and the rollout has been uneventful."And the company said in a Thursday blog post: "On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."Tobi Knaup, Mesosphere co-founder and chief technology officer, agrees that the reports of drastic performance hits are overblown. "There has been speculation online that the current mitigation approach will have significant impact on performance. While this has been confirmed in synthetic benchmarks, most workloads are only minimally impacted under real conditions," he says in an email statement to Enterprise Cloud News. "We're still working through benchmarks of our own products and won't have any confirmed findings on this topic until the end of the [this] week. Given what we know now, we tend to agree with others that have stated the patches won't impact performance significantly under real conditions."Real performance cost will likely be under 2%, says Check Point Software Technologies Ltd. (Nasdaq: CHKP) Chief Marketing Officer Peter Alexander, adding that all Check Point security gateways are unaffected by the vulnerability.What about containers and hypervisors?The bad news: Containers don't confer any special immunity with regard to Spectre and Meltdown. The good news: Containers don't present any special risk either."Containers and Kubernetes behave like any other process on a Linux or Windows system," CoreOS Inc. Chief Technology Officer Brandon Philips says in an email to Enterprise Cloud News "All applications that have Spectre vulnerabilities when run outside of a container will have Spectre vulnerabilities when run inside a container as well. Fixes to Spectre will require changes to application architecture or recompilation from source code."He adds, "Applications with Spectre issues will have those issues whether they are in a container or not. And containers may actually help make upgrading easier."Knaup agrees: "Meltdown and Spectre affect almost every computing device and operating system currently in use, including virtualized and containerized applications. We're advising our customers to upgrade their operating systems to the patched versions provided by the vendors to mitigate these attacks. DC/OS [Mesosphere's data center software platform] customers are fortunate that they are able to perform rolling upgrades to patch the vulnerabilities without any application downtime."Similarly, the Xen hypervisor for virtualization is vulnerable to information leaks but not escalated privilege, according to a Xen Project blog post. The Xen Project has a prototype patch, and is working on finalizing solutions, the group says.Microsoft incorporates mitigation for its Hyper-V hypervisor in Windows patches released last week. And it has updated the Azure cloud to protect against the vulnerability. VMware has patches available for its virtualization products as well.Related posts:Intel: We've Patched Most Chips for 'Spectre' & 'Meltdown'Intel Chip Vulnerability Sends Cloud Providers Into Patching OverdriveMIT Warns of Ransomware in the Cloud, Weaponized AI— Mitch Wagner     Editor, Enterprise Cloud News

About the Author(s)

Mitch Wagner

Executive Editor, Light Reading

San Diego-based Mitch Wagner is many things. As well as being "our guy" on the West Coast (of the US, not Scotland, or anywhere else with indifferent meteorological conditions), he's a husband (to his wife), dissatisfied Democrat, American (so he could be President some day), nonobservant Jew, and science fiction fan. Not necessarily in that order.

He's also one half of a special duo, along with Minnie, who is the co-habitor of the West Coast Bureau and Light Reading's primary chewer of sticks, though she is not the only one on the team who regularly munches on bark.

Wagner, whose previous positions include Editor-in-Chief at Internet Evolution and Executive Editor at InformationWeek, will be responsible for tracking and reporting on developments in Silicon Valley and other US West Coast hotspots of communications technology innovation.

Beats: Software-defined networking (SDN), network functions virtualization (NFV), IP networking, and colored foods (such as 'green rice').

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like