As you may be aware from recent news coverage, several vulnerabilities have been discovered in a wide range of Intel CPUs (which we use) that leave them at risk of leaking data or memory to attackers. This blog post aims to provide more information about how this affects ThisWebHost, and how we plan to tackle and resolve the situation.
Essentially there are 3 vulnerabilities here: CVE-2017-5753 (Spectre Variant 1), CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown). All three potentially allow an attacker to read memory they should not be able to access. On a shared server that memory could, as an extreme example, contain sensitive information belonging to the kernel or to other accounts or processes running on the same machine, which in turn could lead to a compromise. All of these vulnerabilities are classed as “severe” and should be addressed as soon as possible.
Applying mitigations for these vulnerabilities requires several different courses of action. The last vulnerability (Meltdown) is something we can work around completely at the OS (kernel) level: the updated kernel keeps kernel memory out of the page tables used by user processes (Kernel Page Table Isolation). This involves installing a new kernel and rebooting the server so that the new kernel is fully applied and taking effect. We are in the process of doing this today, so if you notice that the server you are hosted on is offline for a few minutes, this is why, and we sincerely apologise for any inconvenience it may cause.

The two Spectre variants are handled differently. Spectre Variant 1 is also addressed by kernel patches, which add speculation barriers to the affected kernel code, so it needs no CPU update. Spectre Variant 2, however, requires a combination of OS (kernel) level patching and a microcode update to the Intel processor(s) in our servers, because the kernel-side mitigation relies on new branch-control features that only the updated microcode provides. Microcode is normally delivered to servers as part of what you may know as a “BIOS update”, which involves taking the server offline and flashing new firmware to the server's motherboard; the OS can also load microcode early at boot, but we depend on our motherboard vendors for the validated update either way. Once the new code has been flashed, the server can be booted and the combination of the new microcode and the new kernel mitigates the remaining vulnerability.
One very significant drawback of these mitigations is that they are just that: mitigations, not patches or fixes. These updates work around the vulnerabilities rather than removing them from the hardware, and as a result performance can, and likely will, be affected by the extra work the CPU and kernel now have to do. What does this mean for you? As an extreme example, it may mean that your website becomes slower after these updates. Some benchmarks have shown performance drops of as much as 30% after these mitigations, but that figure comes from workloads that make very heavy use of system calls and is not necessarily something you will experience. It all depends on your workload: what your website is doing, how busy it is, and many other factors. We expect most of our customers not to notice any performance difference at all, and because we do not overload our servers, we have ample resources remaining to compensate for this loss of processing power.
Going forward, here is what you can expect in terms of ThisWebHost combatting these vulnerabilities:
- We will be applying the kernel updates today and immediately rebooting servers. This lets us mitigate the “Meltdown” vulnerability straight away while we prepare for the upcoming microcode updates. You may experience downtime of between 10 and 15 minutes while servers are rebooted. We apologise for any inconvenience this may cause.
- We are currently awaiting the appropriate BIOS update(s) from our motherboard vendors. Unfortunately we have no accurate ETA on when these will be provided to us, but we expect it to be over the course of the next 1-2 weeks. Once these updates have been released, we will schedule an appropriate time and date for the BIOS updates to be carried out manually by on-site datacentre staff. We will then e-mail all affected customers with the time and date that the server they are hosted on will be taken offline and updated. We expect these updates to take around 1-2 hours. Once the updates have been applied, the servers will be booted back up and we should then have full mitigation against all 3 published vulnerabilities.
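If you run your own Linux server and want to confirm where it stands after the kernel update and again after the microcode update, the kernel itself reports the status of each of the three issues. The script below is an added example for this post, not something ThisWebHost ships: it reads the per-vulnerability status files that Linux 4.15 and distribution backport kernels expose under /sys/devices/system/cpu/vulnerabilities, and it reports the microcode revision the kernel loaded from /proc/cpuinfo. The directory and file paths are parameters so the same functions can run against the constructed sample files the script creates (which reproduce the state described above: kernel patched, microcode still pending) as well as against the live system.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the Linux kernel's
# Spectre/Meltdown status interface (sysfs, Linux 4.15+ and distro backports).

# Print "<name>: <status>" for meltdown, spectre_v1 and spectre_v2 under DIR.
# Returns 0 only when all three files exist and report "Mitigation:" or
# "Not affected"; anything else (Vulnerable, or a missing file on a kernel
# that predates the interface) returns 1.
check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        f="$dir/$v"
        if [ ! -r "$f" ]; then
            echo "$v: unknown (no $f: kernel predates the status interface)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        echo "$v: $status"
        case "$status" in
            Mitigation:*|"Not affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Print the microcode revision the kernel loaded, taken from the first
# "microcode" line of a cpuinfo file (default /proc/cpuinfo). The number
# only tells you which revision is running; whether it is the fixed one
# has to be checked against the CPU vendor's release notes.
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Constructed sample: the state after the kernel update but before the
# microcode update. The status strings are the ones Linux prints; the
# sample files themselves are made up for this example.
sample=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$sample/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$sample/spectre_v2"
printf 'model name\t: Intel(R) Xeon(R) CPU (constructed sample)\nmicrocode\t: 0x3c\n' \
    > "$sample/cpuinfo"

echo "== constructed sample =="
if check_vulns "$sample"; then
    echo "all three mitigated"
else
    echo "NOT fully mitigated: kernel or microcode update still pending"
fi
echo "microcode revision: $(microcode_rev "$sample/cpuinfo")"
rm -rf "$sample"

# Live check, only where the kernel exposes the interface.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    echo "== this host =="
    check_vulns || echo "NOT fully mitigated on this host"
    echo "microcode revision: $(microcode_rev)"
fi
```

Run it before and after each of the two maintenance steps: after the kernel reboot you should see meltdown reporting a mitigation while spectre_v2 still reads as vulnerable, and after the BIOS/microcode update spectre_v2 should switch to a "Mitigation:" line and the microcode revision should have changed.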
We know that downtime is a cause for concern, and we are deeply sorry for having to bring servers offline. Given the severity of these vulnerabilities, we have no choice but to do this as soon as we are able to, in order to protect our customers and our network.
If you have any questions, comments or concerns regarding this blog post then please do not hesitate to leave a comment below – or alternatively you may contact us via support ticket.