A new publicly disclosed class of vulnerabilities has been found, commonly referred to as Spectre and Meltdown. They affect the processors in most modern computers, including those from Intel, AMD, and ARM. These flaws allow malicious software to potentially access and steal data while it is being processed in memory.
This vulnerability is unrelated to Hazelcast. However, we do wish to help answer questions that our customers may have.
Below you will find some helpful information and links. If you have any questions related to how this vulnerability may impact your Hazelcast installation, please open a support ticket.
How can you protect yourself?
Major OS vendors have released patches which help reduce the opportunity for exploitation. Hazelcast recommends that you:
- Discuss the topic with your operating system and hardware vendors
- Test the recommended changes in a non-production environment
- Deploy those changes to production as you would any other system change
Be aware that these patches do not fully mitigate the risk, because full mitigation of some of these vulnerabilities requires a hardware upgrade or replacement. Thus, it remains critical that good security practices are followed to avoid the introduction of malicious software into your system in the first place.
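One way to confirm that the OS patches are actually active on a Linux node before you measure their cost, as an added example and not Hazelcast's own tooling: Linux kernels from 4.15 (and vendor backports) report the per-issue status in /sys/devices/system/cpu/vulnerabilities/, and the script below classifies those entries and fails if any is still reported as vulnerable. The directory argument, the function names and the sample status strings in the comments are assumptions.

```shell
#!/bin/sh
# Classify one status line as written by the kernel to
# /sys/devices/system/cpu/vulnerabilities/<issue> (e.g. "Mitigation: PTI",
# "Vulnerable", "Not affected"). Prints one of:
# mitigated, vulnerable, not-affected, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Walk the sysfs directory (overridable so it can be exercised on a
# constructed copy) and print "<issue> <class> <raw text>" per entry.
# Returns 1 if any issue is still vulnerable, 2 if the kernel offers no
# report at all, so a rollout step can be gated on the result.
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    [ -d "$dir" ] || { echo "no kernel vulnerability report at $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        issue=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-24s %-13s %s\n' "$issue" "$class" "$status"
        [ "$class" = "vulnerable" ] && rc=1
    done
    return $rc
}
```

Run `report_mitigations` with no argument on each cluster node after patching; an exit status of 1 means the kernel still reports an unmitigated issue, and 2 means the kernel is too old to report at all.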
- Apple: https://support.apple.com/en-us/HT208394
- AWS: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- Debian: https://security-tracker.debian.org/tracker/CVE-2017-5754
- Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution
- SUSE: https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
- Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
- Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
For a full vendor list, see: https://spectreattack.com/#faq-advisory
- Google’s Project Zero Blog
- Academic Papers
What impact will this have on Hazelcast?
As reported, the security patches cause system performance to slow down. Preliminary reports from vendors confirm increased CPU utilization. Third parties running various environments and software (not Hazelcast) are reporting actual impacts ranging anywhere from single digits up to 30+%.
The exact impact that you will experience while using Hazelcast will vary depending upon the hardware and operating system you are running, and whether or not you are using a virtualized environment.
It is important to understand that the effect of this fix is diminished CPU capacity. In practice, this means you will either experience reduced CPU headroom or, if you were previously running close to capacity, you could find that you are now under-resourced. The latter scenario has the potential to cause observable service degradation.
We therefore recommend that you exercise caution in patching production systems: first deploy and measure the impact of these changes in a non-production environment before promoting them to production. If you are unable to do so, you may wish to preemptively increase your total CPU capacity, either by expanding your total cluster size or by increasing the CPU available to virtualized instances. This would then allow you time to assess the specific impact upon your system and workload.
We are working on comprehensive tests and will be able to give more detailed guidance in the near future.