Meltdown/Spectre

An Update on Meltdown/Spectre

You may have heard of the recently reported issues related to performance-enhancing routines built into most modern computer processors. These two vulnerabilities identified by researchers have been dubbed Meltdown and Spectre.

These issues expose a means in nearly all modern processors for a would-be attacker to obtain data once thought to be immune from observation or hijacking. Hardware and software manufacturers have worked to provide protective countermeasures to prevent these vulnerabilities from being exploited.

We understand this is of major concern and are keeping abreast of the continued discussions related to the topic to ensure your systems managed by Breakthrough are safe. Despite there being no known real-world examples of attackers taking advantage of these vulnerabilities, we are monitoring industry recommendations and acting accordingly.

The applications we develop for our customers are hosted in a variety of ways, ranging from hosting that we help manage at major cloud providers to third-party hosts that focus on specific technologies to customers that self-host.

The majority of our customers' applications are hosted on Amazon Web Services (AWS). In this case, the application is hosted on virtual machines that in turn are hosted on physical servers. Unlike personal computers, these servers are protected by various layers that prevent a would-be attacker from gaining the access needed to attempt to exploit the Meltdown and Spectre vulnerabilities. AWS operates the physical servers in this model and has patched those systems to protect the layer they're responsible for. That layer is the most immediate need, and it has been addressed. Breakthrough will work to protect against these issues within the server itself by patching the operating system as prescribed by industry experts.

These patches may introduce minimal to noticeable performance degradation of the servers hosting your application. Breakthrough is closely monitoring this possibility and working with our cloud vendors to determine the extent of the impact. The mitigations have improved as time progresses, which helps minimize this impact. Even so, we are conducting internal testing to see how, specifically, our customers' applications may be affected and taking action accordingly. Due to the difficulty of exploiting these vulnerabilities and the limited gain an attack could yield in your server scenario, we do not want to rush the process, so that we can best serve our customers with a balance of security and performance considerations. We'll work with you individually to coordinate patching and/or performance analysis. For more details regarding what steps AWS has already taken and what their recommendations are, see https://aws.amazon.com/security/security-bulletins/AWS-2018-013.

In some cases, our customers' applications are hosted by third parties that provide hosting solutions focused on specific technologies or with specific regulatory requirements. These providers' solutions may in turn be hosted on top of major cloud platforms. For example, some of the Drupal-based applications that we build are hosted by Pantheon and Acquia. In these cases, the third parties are typically responsible for addressing and mitigating vulnerabilities such as Meltdown and Spectre. Depending on the host, these mitigations are in various stages of completion. Pantheon has indicated that they have completed infrastructure patching and are evaluating the performance impact (http://pantheon.statuspage.io/incidents/x9dmhz368xfz). Acquia appears to have begun deploying the necessary patches and will be evaluating the performance impact (https://docs.acquia.com/security-notice/security-update-regarding-meltdown-and-spectre-vulnerabilities). Edge Hosting has various suggestions and action items depending on the type of hosting arrangement they have with their customers (https://www.edgehosting.com/blog/2018/01/update-on-meltdown-spectre).

For our customers that self-host their applications, and for your personal systems and mobile devices, we recommend applying patches as vendors make them available.

Please contact your Project Manager or email us at info@breaktech.com should you have any questions about this.