On Jan 3, 2018, Google’s Project Zero team along with several other university researchers identified several security issues with speculative execution, an optimization technique used in microprocessors to improve performance.
Couchbase is aware of the recently disclosed class of processor/OS vulnerabilities such as Meltdown and Spectre. These affect modern processors and operating systems including Intel, AMD, and ARM. This article explains how these kinds of vulnerabilities can affect any user-space application such as Couchbase.
Vulnerability Assessment
Two variants of vulnerabilities associated with speculative execution have been disclosed. The vulnerabilities allow attackers to exfiltrate confidential information from the kernel or from other processes via a side-channel.
Meltdown exploits side-effects of out-of-order execution to break the isolation between user applications and the operating system, allowing an application to access the memory of another application, as well as system memory.
Spectre exploits vulnerabilities in speculative execution to break the isolation between applications, allowing one application to access memory associated with another, which can then be leaked through a side channel.
Successful attacks run malicious processes on the same host and processor as their target victim. As such, where applicable, policing access to machines and physical machine security can be effective temporary mitigation against these attacks.
To fully mitigate these vulnerabilities, the operating system must be patched with recent kernel fixes. It also may be necessary to enable these patches and update the processor firmware. To ensure protection, Couchbase strongly recommends that customers consult their hardware and OS vendors for the specific steps to take.
Securing the Stack
As with other applications running in user-space, Couchbase and other database technologies may get affected by these vulnerabilities.
The following table outlines what customers should do, depending on the environment in which Couchbase is running. Couchbase recommends customers deploy fixes using normal procedures to validate new binaries before deploying to production environments.
Scenario Description | Couchbase Recommendation(s) |
Couchbase is run on bare metal (no virtual machines). And no other untrusted application logic (application tier) is run on the same machine |
(see below for references) |
Couchbase is run in a virtual machine in a public hosting environment | On each of the supported cloud providers (AWS, Azure & GCP) we are in the process of updating pre-configured images to include the latest OS patched version.
Customers not using those pre-configured images should refer to cloud providers for guidance on applying OS patches. |
Couchbase is run in a virtual machine in a private hosting environment |
Additionally, we recommend isolating Couchbase Server on dedicated physical hardware. (see below for references) |
Couchbase is run in a physical or virtual machine. NOT isolated from other application logic running on the same machine |
We recommend restricting the use of or blocking untrusted code from executing on the machine. (see below for references) |
Performance Advisory
Couchbase continues to evaluate performance on the patched binaries. The Meltdown OS kernel patch prevents leaking OS kernel memory. However, it may also change the way it interacts with the processor, degrading performance.
The degradation is highly workload-dependent (consistent with the early reports from Intel), and Couchbase recommends testing in your environment before production deployment. This may also involve moving to a more powerful CPU machine to take the extra load if needed.
References
- AWS – https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- Microsoft Windows – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- MAC OS – https://support.apple.com/en-us/HT208394
- Red Hat Enterprise Linux – https://access.redhat.com/security/vulnerabilities/speculativeexecution
- Ubuntu Linux – https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
- Debian Linux – https://security-tracker.debian.org/tracker/CVE-2017-5754
- SuSE Linux – https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities
Contact us
If you need to talk to us about this issue, contact us at support@couchbase.com.