The recently announced exploits Meltdown and Spectre have far-reaching consequences that are difficult to even estimate at this point. While the blast radius of Meltdown is confined to Intel processors, the Spectre exploit impacts almost every major manufacturer of CPUs. Fortunately, Spectre is a much harder exploit to pull off, so I’d like to focus on Meltdown for the moment. I certainly won’t try and rehash all the details of Meltdown, but here is a brief summary along with my recommendations for action.
Meltdown is an exploit that takes advantage of how modern Intel CPUs execute instructions out-of-order in an attempt to be more efficient and performant. Exploiting this vulnerability gives the attacker access to most, if not all, of the privileged data stored in memory. This exploit operates at the hardware level and therefore applies to all operating systems, including Windows, Linux, and macOS. It also enables a guest virtual machine to break into hypervisor memory and containers to break into host memory. As such, this exploit affects not only desktop and server operating systems but also resources hosted in the cloud.
In light of the exploits, the major OS vendors have created a safeguard that mitigates the vulnerability. The safeguard has been applied successfully to most of the major public cloud vendors, including AWS, Azure, and GCP. The patching did require a reboot of the hypervisor, and so some organizations may have seen unexpected downtime during this period of maintenance. For those affected by the required maintenance, I recommend looking at your current cloud deployment and verifying that it is configured in a highly available manner, in line with the best practices of the public cloud vendor. For instance, Azure VMs should be placed in availability sets and EC2 instances should be located in two or more availability zones.
In addition to revisiting your cloud architecture, you should also take care to patch your existing virtual machines with the updates available from your vendor. Both Linux and Windows patches are available. Tread lightly though, as the patches for Windows have been running into some problems with anti-virus software. If you deploy cloud VMs from an image, make sure that the image has also been patched or updated by the vendor.
For your on-premises machines, it is time to roll out this patch on your servers and desktops. Again, follow best practices and test the patch on non-production machines first. Any templates you use in your virtualization environment or for imaging should also be patched. It is worth noting that many vendors use Linux as the basis for their appliance deployments. Although nothing has been reported yet, it is possible that some firewalls, load balancers, and other network equipment are also vulnerable to the Meltdown exploit. I recommend checking with your appliance vendors as well.
Finally, the fix put in place to mitigate Meltdown – known as KAISER – has potentially serious implications for the performance of your applications. The fix effectively forces the CPU to switch between user and kernel mode far more often than before, and performance hits of up to 30% have been shown in the wild. Once you have patched your systems, I recommend keeping a close eye on performance metrics, especially on database servers, to see if you need to increase hardware resources to compensate.
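One way to confirm on a Linux machine or image that the fix is actually active after patching, and has not been switched off at boot to recover performance, is sketched below as an added example (it is not code from the original post). It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/meltdown, where the upstream form of KAISER is reported as PTI (page table isolation); the function name, state labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a Linux kernel has the Meltdown fix active.
# Both paths are parameters so the check can run against files collected
# from other hosts or from a mounted image.

meltdown_state() {
    vuln_file=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    cmdline_file=${2:-/proc/cmdline}

    # Kernels that predate the sysfs report do not have this file at all.
    if [ ! -r "$vuln_file" ]; then
        echo UNKNOWN
        return 0
    fi

    case "$(cat "$vuln_file")" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PROTECTED ;;
        "Vulnerable"*)
            # A patched kernel still reports Vulnerable when page table
            # isolation was switched off at boot, e.g. to win back performance.
            if grep -Eq '(^| )(nopti|pti=off)( |$)' "$cmdline_file" 2>/dev/null; then
                echo DISABLED_AT_BOOT
            else
                echo VULNERABLE
            fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Constructed sample inputs (not captured from real hosts).
demo_dir=$(mktemp -d)
echo "Mitigation: PTI" > "$demo_dir/patched"
echo "Vulnerable"      > "$demo_dir/unpatched"
echo "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"       > "$demo_dir/cmdline_default"
echo "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopti" > "$demo_dir/cmdline_nopti"

echo "patched host:     $(meltdown_state "$demo_dir/patched" "$demo_dir/cmdline_default")"
echo "unpatched host:   $(meltdown_state "$demo_dir/unpatched" "$demo_dir/cmdline_default")"
echo "mitigation off:   $(meltdown_state "$demo_dir/unpatched" "$demo_dir/cmdline_nopti")"
echo "pre-sysfs kernel: $(meltdown_state "$demo_dir/missing" "$demo_dir/cmdline_default")"
echo "this machine:     $(meltdown_state)"
rm -rf "$demo_dir"
```

An UNKNOWN result means the kernel does not publish a status file, so the patch level has to be confirmed against the vendor's advisory instead.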
Ned Bellavance
Director, Cloud Solutions and Microsoft MVP: Cloud (Azure/Azure Stack) & DC Mgmt
Ned Bellavance is an IT professional with over 15 years of experience in the industry. Starting as a humble helpdesk operator, Ned has worked up through the ranks of systems administration and infrastructure architecture, and in the process developed an expansive understanding of IT infrastructure and the applications it supports. Currently, Ned works as the Director of Cloud Solutions for Anexinet in the Philadelphia metropolitan area, specializing in Enterprise Architecture both on-premise and in the cloud. Ned holds a number of industry certifications from Microsoft, VMware, Citrix, and Cisco. He also has a B.S. in Computer Science and an MBA with an Information Technology concentration.