Wednesday, January 10, 2018

Security vulnerability – Meltdown and Spectre

Year 2018 started a bit crazy when it comes to computer security. Security researches published a huge security vulnerabilities related to CPUs – computer’s microprocessors. 

If you remember year 2015 and a bug called Heartbleed that was almost nothing comparing to these two. The two are considered as "catastrophic" by security analysts. In short the Meltdown allows a rogue process to read any kernel memory, also in case the process is not authorized to do so. The Spectre is abusing a branch prediction of microprocessor’s cache that affects microprocessors with speculative execution. This involves cashed data which may be read/modified by tricking the accept requests.

One of the issues related to these vulnerabilities is that the Spectre is not easy to be fixed. Also while employing the fixes it is causing CPU’s performance degradation.

The vulnerabilities are affecting wide variety of devices - almost every device using microprocessors especially made by Intel, ARM, possibly also AMD. As SAP systems are running on these processors as well the SAP is paying an attention to the vulnerabilities. There are special SAP Notes (see below) prepared and being updated that advise customers on what to do.

More information:
2585591 - How to protect against speculative execution vulnerabilities on Windows?
2586312 - Linux: How to protect against speculative execution vulnerabilities?

No comments: