Pondering what we do about mitigating Spectre and Meltdown.
There's been a lot of talk about Spectre and Meltdown since Google developers first announced the vulnerabilities on January 3, 2018. Rightfully so, as this type of vulnerability is arguably the biggest security concern in the history of computing.
On January 10, 2018, in the PSIRT blog entry, IBM released information regarding the current Spectre and Meltdown vulnerabilities, which affect almost every processor in the world, including IBM Power Systems. On January 13, they also released a set of operating system PTFs for IBM i 7.1 (MF64553), 7.2 (MF64552), and 7.3 (MF64551) along with firmware PTFs previously released. On January 26, IBM released additional PTFs for IBM i 7.1 (MF64571), 7.2 (MF64565), and 7.3 (MF64568).
From the PSIRT blog entry:
Three security vulnerabilities that allow unauthorized users to bypass the hardware barrier between applications and kernel memory have been made public. These vulnerabilities all make use of speculative execution to perform side-channel information disclosure attacks. The first two vulnerabilities, CVE-2017-5753 and CVE-2017- 5715, are collectively known as Spectre, and allow user-level code to infer data from unauthorized memory; the third vulnerability, CVE-2017-5754, is known as Meltdown, and allows user-level code to infer the contents of kernel memory. The vulnerabilities are all variants of the same class of attacks but differ in the way that speculative execution is exploited.
These vulnerabilities do not allow an external unauthorized party to gain access to a machine, but they could allow a party that has access to the system to access unauthorized data.
These vulnerabilities pose a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place.
Mitigation of these vulnerabilities for Power Systems clients involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective. These will be available as follows:
- Firmware patches for POWER7+, POWER8 and POWER9 platforms are now available via FixCentral. POWER7 patches will be available beginning February 7.
- Linux operating systems patches are now available through our Linux distribution partners Red Hat, SUSE and Canonical.
- IBM i operating system patches are now available via FixCentral and will continue to be rolled out through February 12.
- AIX patches are now available via AIX Security and will continue to be rolled out through February 12.
The biggest questions in the IBM i community are these: How will these PTFs adversely affect our systems, and do we really need to install these PTFs? Across the industry, spanning processors and OS flavors, there's a wide amount of pre- versus post-patch chatter. Some are seeing no problem at all. The Intel world is rife with tests and examples of the good, bad, and really ugly. Some see pretty awful hits on operating system and application performance.
The good news is that many IBM i customers have horsepower to spare. Workloads that ran fine on a Model 810 fifteen years ago have been upgraded to POWER8 systems. Often, the workload increase doesn't come close to the capacity increase on these systems. For systems that have plenty of capacity, it's probably unlikely they'll see a major hit. However, I'd still recommend testing if at all possible. For systems that do not have much capacity left, it's far more likely to notice performance degradation. For instance, if a system is idling all day at 10 percent or so CPU utilization, then even the worst performance hit is probably not noticeable. If a system is at 80 percent CPU utilization, then it has far less capacity to give if there are adverse effects. Furthermore, adverse effects may certainly depend on the types of workload or applications running on those systems.
Should you patch? Well, AV-TEST Institute announced on February 1 that it identified 139 strains of malware in the wild that aim to target the speculative execution vulnerabilities. In other words, the bad guys are waking up.
On January 26, IBM added the first round of PTFs to the latest HIPER and Security group PTF packages for IBM i. So, unless you stop patching completely, it's pretty inevitable that these PTFs will end up on your systems. I would think it's best to prepare, test if at all possible, and update in a controlled setting rather than load HIPERs in two months and have an unexpected problem. The likelihood or severity of performance degradation is unknown, but the potential is certainly there.
What's interesting is that IBM's update to the PSIRT blog as of January 31 states the following:
Consistent with previously announced end of service, IBM will not be releasing patches for POWER4, POWER5, POWER6 systems and recommends migrating to a more current generation of POWER technology. We are committed to helping our clients address these vulnerabilities and on February 6, we will introduce an offer for pre-POWER7 clients to upgrade their security profile and protect against Spectre and Meltdown through the purchase of POWER8 or POWER9 systems and available migration services, security support, and financing offers.
Essentially, IBM stated they'd be announcing something on February 6 to entice people to upgrade to POWER 8 and POWER 9 systems. Unfortunately, there has been nothing published as of yet in terms of promotions. There is still a lot of older iron in the wild that could certainly benefit from a boost in performance and features by migrating to newer POWER machines. Mitigating this vulnerability may be a major factor in getting those customers to move to new hardware. If patching the biggest security vulnerability in computing history isn't enough of a reason to upgrade, then I don't know what is.