Sometimes stories that explode in the media fade just as quickly – tempests in a teapot. But this week’s revelation about two critical flaws in nearly every processor made in the last 20 years is most assuredly not a tempest in a teapot. The tech community will be assessing the implications of these vulnerabilities, dubbed Meltdown and Spectre, for the foreseeable future. And this is especially true for the cloud community.
Most modern CPUs, including those from Intel, AMD, and ARM, increase performance through a technique called “speculative execution.” Flaws in processor hardware allow Meltdown and Spectre to take advantage of this technique to access privileged memory — including kernel memory — from a less-privileged user process. There are any number of excellent technical write-ups with more detail, including https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/. In short, Meltdown breaks the isolation between the application and the operating system, while Spectre breaks the isolation between applications. Both hardware flaws allow malicious programs to steal data that is being processed in computer memory, including sensitive or secret information such as credentials, cryptographic keys, data being processed by any running program, or open files.
Of the two vulnerabilities, Meltdown is the more immediate threat with proof-of-concept exploits already available. However, Spectre is much deeper and harder to mitigate, potentially leading to ongoing, subtle exploits for years to come. Worse yet, these hardware flaws can be exploited on any modern operating system including Windows, Linux, macOS, containerization solutions such as Docker, and even some classes of hypervisors.
Much of the press has concentrated on the impact to personal and mobile devices – PCs, tablets, smartphones – but cloud environments, whose very foundation is based on resource isolation, are especially impacted. Since the cloud industry is centered in the Puget Sound, we might say “Seattle, we have a problem.”
Because of the critical nature of these vulnerabilities, cloud providers such as Amazon, Microsoft, and Google have already updated their systems. While most mitigation efforts revolve around operating system patches, both AWS and Azure have addressed the problem at the hypervisor level. Both CSPs contend that performance has not been meaningfully impacted, which, if true, is in welcome contrast to initial estimates of performance hits of up to 30%. More information can be found at https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/ and https://aws.amazon.com/security/security-bulletins/AWS-2018-013/.
Even with hypervisor-centric fixes, it is still critical to update the operating systems running on instances, and thereby improve these operating systems’ abilities to isolate software running within the same instance. All the major CSPs have already installed patches so that all new instances will have the latest version, but existing instances must still be updated. Please note that all AWS instances running Lambda functions have already been patched and no action is required.
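One way to confirm that an existing Linux instance actually received the guest-OS patch, as an added example that is not part of the original post or any 2nd Watch tooling: patched kernels (4.15 and the distribution backports) report each issue under /sys/devices/system/cpu/vulnerabilities/, and the script below reads those files and fails if any still reads "Vulnerable". The VULN_DIR override and the check_vulns function name are this example's own conventions.

```shell
#!/bin/sh
# Added example: ask the running kernel whether Meltdown/Spectre mitigations
# are in place on this instance. Each file under the vulnerabilities directory
# starts with "Not affected", "Mitigation: ...", or "Vulnerable".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_vulns DIR
#   Prints one line per issue. Returns 0 when every reported issue is either
#   "Not affected" or mitigated, 1 when any issue still reads "Vulnerable",
#   and 2 when DIR is absent (the kernel predates the reporting interface,
#   so it has not been patched for these flaws at all).
check_vulns() {
    cv_dir="$1"
    if [ ! -d "$cv_dir" ]; then
        echo "no $cv_dir: kernel does not report mitigation status, treat as unpatched"
        return 2
    fi
    cv_rc=0
    for cv_file in "$cv_dir/meltdown" "$cv_dir/spectre_v1" "$cv_dir/spectre_v2"; do
        [ -r "$cv_file" ] || continue
        cv_name=$(basename "$cv_file")
        cv_status=$(cat "$cv_file")
        case "$cv_status" in
            Vulnerable*) echo "FAIL $cv_name: $cv_status"; cv_rc=1 ;;
            *)           echo "ok   $cv_name: $cv_status" ;;
        esac
    done
    return "$cv_rc"
}

# Report on the live system; a reboot into the patched kernel is required
# before the files change, so run this after the instance comes back up.
if check_vulns "$VULN_DIR"; then
    echo "all reported issues are mitigated on this instance"
else
    echo "action needed: install the OS patch and reboot this instance"
fi
```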
If you are a 2nd Watch Managed Cloud customer whose service plan includes patch management, please contact your Technical Account Manager to discuss patch availability and scheduling. These patches are considered high priority. If you are not currently in a service tier in which 2nd Watch manages patching on your behalf, it is urgent that you patch all your operating systems as soon as possible. If you need assistance in doing so, or if you would like to learn more about how we can proactively manage these issues for you, please contact us.
-John Lawler, Senior Product Manager