The internet is ablaze with articles and talk about hardware security flaws found recently in most modern processors, including chips from Intel and AMD – that is, in the processors used by everyone who runs software to provide a service. In other words, all of VoltDB’s customers. We are actively working on tests of our own and will share more information as we learn about these vulnerabilities and the effects of patching them on VoltDB software.
The vulnerabilities are known as Meltdown and Spectre. In the National Vulnerability Database, they are covered by 3 CVEs:
- Security Advisory CVE-2017-5753 — Spectre variant 1
- Security Advisory CVE-2017-5715 — Spectre variant 2
- Security Advisory CVE-2017-5754 — Meltdown
All Operating System providers are providing patches and many hardware vendors are also providing firmware patches. You should consult your OS provider and hardware vendor for solutions. As of today, not all distributions have released patches. To find out the current status, check with your Operating System provider:
Can this be exploited using VoltDB?
These vulnerabilities can only be exploited by running code on the server under attack. An attacker can do this either as an unprivileged user with shell access to the machine, or by supplying malicious code to a process running on that server.
Any potential attack through a secured VoltDB would require a user with ADMIN (the highest) security permissions to upload Java Stored Procedures or Java User-Defined Functions with malicious code. For more information see instructions for Hardening VoltDB Security and the Security chapter in Using VoltDB.
What is the impact of the security patches on VoltDB?
Many of the security patches come with warnings of possible performance impact. VoltDB is in the process of running tests to determine the scope of the impact on a few VoltDB performance workloads and will update the blog once we have more information. As always, the tests we run may not be indicative of your workload on your actual hardware and virtualization layer, so you should run your own tests to characterize any changes to performance that may affect your customers.
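Before comparing performance numbers, confirm which mitigations each host's kernel actually reports as active. The script below is an added example, not VoltDB code; it assumes a Linux kernel that exposes the /sys/devices/system/cpu/vulnerabilities interface, and the function names and the VULN_DIR override are illustrative.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state from Linux sysfs.
# VULN_DIR may be overridden (e.g. for testing); the default is the real path.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Reduce the kernel's free-text status line to a single word.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "<CVE> <name> <state>" for one sysfs entry ($3 is the file name).
check_one() {
    cve="$1"; name="$2"; file="$VULN_DIR/$3"
    if [ -r "$file" ]; then
        state=$(classify_status "$(cat "$file")")
    else
        # No file: this kernel does not expose the reporting interface.
        # Treat the host as unpatched until the OS vendor confirms otherwise.
        state=unreported
    fi
    echo "$cve $name $state"
}

# Report all three CVEs. Returns non-zero unless every entry is mitigated
# or not affected, so the result can gate a rollout or a benchmark run.
check_all() {
    report=$(
        check_one CVE-2017-5753 spectre_v1 spectre_v1
        check_one CVE-2017-5715 spectre_v2 spectre_v2
        check_one CVE-2017-5754 meltdown   meltdown
    )
    echo "$report"
    case "$report" in
        *vulnerable*|*unknown*|*unreported*) return 1 ;;
    esac
    return 0
}

# Run the report only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Recording this output alongside each benchmark result makes before-and-after comparisons attributable to a known patch state.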