By exception, this blogpost will be in English to inform all our clients.
News has come out about highly critical vulnerabilities in all Intel CPU’s. The vulnerabilities have been codenamed Spectre & Meltdown.
The publicly available information can be found here: spectreattack.com
The short version is that a highly sensitive vulnerability has been found in nearly all CPU’s that could allow;
- Users within a server to read memory from other processes, allowing the theft of credentials or sensitive information within a single server;
- In virtualized environments, it could allow one virtual machine to access memory space of another virtual machine;
Both are deemed extremely dangerous and critical. The Nucleus team is currently applying all necessary patches to our virtualized environments (VMware & KVM). This should come at no interruption to your running servers.
The patch, however, includes a performance penalty: additional software logic is introduced to separate kernel vs. user-space memory in order to combat this vulnerability. Initial benchmarks include a performance penalty ranging between 5% and 30%, depending on the workload.
This essentially means your server – and our hardware – could take a drastic performance hit. We are left with no choice, as data integrity and security is more important than performance, in our view. We do however look at all the options to keep the performance penalty to a minimum. There’s a chance you might not even notice, as it depends heavily on the workload of the machine.
This will affect all Linux, Windows, BSD and other operating systems.
We are currently focussing on patching our hypervisors and cloud environments, additional patches will have to be applied in each individual server (every virtual machine & dedicated server), we will communicate our action plan regarding those patches as soon as possible.
If you have a managed server at Nucleus, we will take care of all patches and security handling.
If you have an unmanaged server, that you control, we urge you to investigate the vulnerabilities yourself and apply all necessary patches as soon as possible. You will need to take action!
We will keep this blogpost updated as more news and information comes out.
Update Friday 05/01/2017
In the last 24 hours, the following actions have been performed:
- All virtualized environments have had their patches applied, all hypervisors are secured
- We are in the process of contacting our managed Windows clients for a customized plan of action
- The same communication has started for our managed Linux clients, but it’s more complicated there: our initial tests confirm that some workloads have a drastic performance hit, requiring us to wheigh in the security vs. performance debate. For those workloads that suffer the most, a custom plan will be created per client to wheigh the pro’s & con’s. In most cases, the patch can be applied with limited impact on the performance of the server
Our next 24 hours mostly look like this:
- Continue patching those individual servers that pose the highest risk
- Cooperate with our unmanaged clients that require assistance in getting their systems patched
We want to thank all our clients for their patience and understanding, it’s been a busy 24 hours and the message of “your system might be 30% slower” isn’t a fun one to bring, but we are working with everyone to make this situation go as smooth as possible, with as little as possible interruptions.