Spectre/Meltdown Information

A newly disclosed class of vulnerabilities, commonly referred to as Spectre and Meltdown, affects most modern processors, including those from Intel, AMD, and ARM. The flaws abuse speculative execution in the CPU: malicious software running on a machine can potentially read data belonging to other processes, or to the operating system kernel, while that data is being processed in memory.

These vulnerabilities are in the processor hardware; they are not caused by, or specific to, Hazelcast. However, we do wish to help answer questions that our customers may have.

Below you will find some helpful information and links. If you have any questions related to how this vulnerability may impact your Hazelcast installation, please open a support ticket.

How can you protect yourself?

Major OS vendors have released patches that reduce the opportunity for exploitation. Hazelcast recommends that you:

  1. Obtain the relevant patches and guidance from your operating system and hardware vendors
  2. Test the recommended changes in a non-production environment
  3. Deploy those changes to production as you would any other system change

Be aware that these patches do not fully mitigate the risk: some of these vulnerabilities can only be fully addressed by CPU microcode updates or by hardware upgrade/replacement. Thus, it remains critical that good security practices are followed so that malicious software is not introduced into your system in the first place; the attacks require the attacker to run code on the affected machine.
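One concrete check that belongs in step 2 above is confirming that a patched host actually reports the mitigations as active before you measure its performance. The script below is an added example, not Hazelcast tooling: on Linux (kernel 4.15 and vendor backports) the kernel exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Mitigation: ..." or "Vulnerable...". The directory path, the environment variable names and the exit-code convention are this example's own choices; a host with no such directory is running a kernel that predates the patches.

```shell
#!/bin/sh
# Added example (not Hazelcast's own code): report the Linux kernel's
# self-reported Spectre/Meltdown mitigation status from sysfs.
# VULN_DIR can be overridden for testing against a constructed directory.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_mitigations DIR
# Prints one line per issue file found in DIR.
# Returns 0 if every issue is "Not affected" or "Mitigation: ...",
#         1 if any issue reads "Vulnerable" (or an unrecognised status),
#         2 if DIR does not exist (kernel without the mitigation patches).
check_mitigations() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel predates the Spectre/Meltdown patches" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # unmatched glob or stray subdir
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*|"Mitigation:"*)
                printf '%-16s OK       %s\n' "$name" "$status" ;;
            "Vulnerable"*)
                printf '%-16s EXPOSED  %s\n' "$name" "$status"; rc=1 ;;
            *)
                printf '%-16s UNKNOWN  %s\n' "$name" "$status"; rc=1 ;;
        esac
    done
    return $rc
}

# When executed directly, report on the live host. Set SPECTRE_CHECK_NO_RUN
# (assumed name) to any value to only define the function, e.g. when sourcing.
if [ -z "${SPECTRE_CHECK_NO_RUN:-}" ]; then
    check_mitigations "$VULN_DIR" || echo "result: unmitigated issues present (rc=$?)" >&2
fi
```

Run it on each host before and after patching and keep the output with your benchmark results; a host whose spectre_v2 line still reads "Vulnerable" after the OS patch usually still needs the hardware vendor's microcode update, which is exactly the case step 1 is meant to surface. The exit code (0, 1 or 2) lets the same function feed a fleet-wide inventory script.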

Vendor Information

For a full vendor list, see: https://spectreattack.com/#faq-advisory

More Information

What impact will this have on Hazelcast?

As reported, the security patches slow down the system. Preliminary reports from vendors confirm increased CPU utilization, and third parties running other software (not Hazelcast) in various environments report actual impacts ranging anywhere from single digits up to 30+%.

The exact impact that you will experience while using Hazelcast will vary depending upon your hardware, your operating system, and whether or not you are running in a virtualized environment.

It is important to understand that the effect of this fix is diminished CPU capacity. In practice, this means you will either experience reduced CPU headroom or, if you were previously running close to capacity, you could find that you are now under-resourced. The latter scenario has the potential to cause observable service degradation.

We therefore recommend that you exercise caution in patching production systems: first deploy the changes in a non-production environment and measure their impact under a representative workload before promoting them to production. If you are unable to do so, you may wish to preemptively increase your total CPU capacity, either by adding members to your cluster or by increasing the CPU available to virtualized instances. This would then allow you time to assess the specific impact upon your system and workload.

We are working on comprehensive tests and will be able to give more detailed guidance in the near future.

Update: Thursday, January 25, 2018

In our independent tests, we have confirmed that vendor fixes for Meltdown/Spectre result in performance degradation in line with the 10-30% reported across the computer industry. The exact impact will depend upon the specifics of your deployment environment and your usage patterns. Therefore, our previous recommendations stand:

It is important to understand that the effect of this fix is reduced CPU capacity. In practice, this means you will either experience reduced CPU headroom or, if you were previously running close to capacity, you could find that you are now under-resourced. The latter scenario has the potential to cause observable service degradation.

We therefore recommend that you exercise caution in patching production systems: first deploy the changes in a non-production environment and measure their impact before promoting them to production. If you are unable to do so, you may wish to preemptively increase your total CPU capacity, either by adding members to your cluster or by increasing the CPU available to virtualized instances. This would then allow you time to assess the specific impact upon your system and workload.