On January 3, two major vulnerabilities in computer chips made by Intel, AMD, ARM and others were made public. Collectively, the two issues are being referred to as Meltdown and Spectre, and they could allow low-privilege processes to access kernel memory that is allocated to other running programs. Patches have been released at this time for Meltdown by almost every major operating system vendor, and we are in the process of deploying them on our major systems. Deployment of these patches will result in varying performance impacts, depending on your workload. Based on the high profile nature of the Meltdown hardware vulnerability, along with the existence of examples of exploits in the wild, we have no choice but to deploy patches on all systems. Below we list our mitigation strategies for Meltdown for each system. Existing patches also fix some Spectre exploits that are known, but there may be further patches as discovery continues.
For further information regarding Meltdown and Spectre:
- https://www.safecomputing.umich.edu/security-alerts/apply-updates-computer-chip-vulnerabilities%E2%80%94meltdown-spectre
- https://meltdownattack.com/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
- https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
ARC-TS Systems:
Flux/Armis: CentOS has released packages to mitigate against Meltdown. These packages are being installed during the winter maintenance.
ConFlux: IBM’s PowerPC architecture is not known at this time to be impacted by Meltdown. The impact of Spectre is still being evaluated.
Flux Hadoop: CentOS has released packages to mitigate against Meltdown. These packages are being installed during the winter maintenance.
YBRC: We do not anticipate any outages and will use our standard procedure for upgrading. ARC-TS is working closely with Yottabyte and the upstream sources to get a patch ready to mitigate Meltdown impacts for the platform. The only user-facing impact should be a degradation of storage performance and a brief suspension of networking when a VM migrate hosts (usually drops a single ping). The timeframe for applying the patch is still unknown at this time, but we intend to push forward with patching the hosts as soon as they become available. ARC-TS will send out follow-up notifications before starting the patch process. Applying patches to the various VMs/hosts/containers will require a restart of the affected machine after patches have been applied.
Turbo: Meltdown impacts to Turbo are low, and we have not received any guidance on Dell/EMC/Isilon procedures at this time.
