In December 2017, security researchers discovered security vulnerabilities stemming from the ‘speculative execution’ process utilized by nearly all processors to improve performance.
What are Spectre & Meltdown?
There are three different variants of this vulnerability that, if exploited, can result in attackers gaining access to data previously considered protected. Two of the variants are grouped together as “Spectre” and the third has been dubbed “Meltdown.”
All the variants of this underlying vulnerability involve a malicious program called ‘speculative execution and caching’ that can gain access to data by exploiting two important techniques used to speed up computer chips. In early January 2018, researchers published a Proof of Concept of the vulnerabilities.
How do Spectre and Meltdown wreak havoc?
Meltdown allows attackers to elevate privileges on unpatched systems. This means attackers who have a toehold in your network can elevate themselves into a privileged user account on a system. From there, they can install backdoor and rootkits or take other anti-forensic measures.
For example, they could use Meltdown to view data owned by other users or on other virtual servers hosted on the same hardware, which is potentially disastrous for cloud computing hosts.
Both these flaws are fundamental to the hardware platforms running beneath the applications we use every day. Even code that’s previously been secured is vulnerable, because the underlying security assumptions—which are the same ones built into all computer programming—are affected.
Any organization using hardware with chips from Intel and AMD is vulnerable to these attacks.
Precautions to take against Spectre & Meltdown vulnerabilities
Solid monitoring practices, including the following, can help uncover vulnerabilities and suspicious activities:
- Regular network monitoring
- Up-to-date anti-virus protection
- Regular security patches
Most organizations have ERP applications that run confidential financial and HR information transactions across internal and external networks. So, it’s highly important for enterprises to also have these additional practices in place to help prevent such attacks:
- Consider different protection requirements. Reconsider your architecture and examine how effective your security is if an attacker (or insider) with unprivileged access can elevate to a privileged account. In particular, worry about those systems that give a large number of semi-trusted insiders shell access to a system.
- Review patching procedures. Meltdown patches should be patched in a test environment first. Antivirus software has reportedly caused performance problems with the Windows patches for Spectre and Meltdown. This shows a definite example where “throw caution to the wind and patch now” is not advisable. Think about your test cycles for patches and determine how long is long enough to test (both for performance and stability) in your test environment before pushing patches to production.
- Examine older hardware and operating systems. There are a number of older operating systems that may never receive patches. But something as trivial as malvertising can attack an employee's browser to steal session cookies or other credentials, and lead to greater network exploitation. You need to re-evaluate whether leaving those unpatchable systems in place is wise. You have new information today that likely wasn’t available when you completed your last risk assessment. Make sure your hardware upgrade policies still make sense.
Solutions to Spectre & Meltdown vulnerabilities: Security Patches
The fundamental vulnerabilities exposed by Meltdown and Spectre, however, exist at the hardware level and cannot be fully patched. Most vendors are releasing software patches that offer workarounds to the problems.
Early media reports speculated a performance hit as high as 30 percent with the patches. While some edge cases may experience a slowdown that extreme, according to benchmarks by Phoronix, most users will see a performance hit in the 5 to 10 percent range.
Here we provide various solutions by software to combat these vulnerabilities.
Spectre & Meltdown Windows Patch
Microsoft released updates in early January for Windows OS 7 and above. To help prevent attacks on Windows software: 1
- Turn on automatic updates.
- Update anti-virus software and ensure it is fully up to date before applying the Windows security update.
- Ensure you’ve installed the January 2018 Windows OS security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you, but you should still confirm that they’re installed.
- Install available hardware (firmware) updates from your device manufacturer. Check with the device manufacturer to download and install device specific hardware update.
Spectre & Meltdown Linux Patch
No Meltdown fix is currently available for 32bit (x86). Moving to a 64-bit kernel is the only currently recommended mitigation.
Oracle Enterprise Linux
The below chart shows a schedule for patches for Oracle Linux:2
Redhat Enterprise Linux
For a list of available updates please refer to below link. https://access.redhat.com/security/vulnerabilities/speculativeexecution
Prioritize patching your hypervisors, especially in shared tenant situations where the other guests might be untrustworthy.
Spectre & Meltdown Oracle Critical Patch
The chart below shows the schedule for Oracle VM patch updates:
Based on currently available information, it does not appear that Oracle E-Business Suite requires application-specific patches to address the Spectre and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754).3
Oracle recommends customers keep up with security patches for relevant operating systems, virtualization technologies, and hardware when updated security patches are released by their respective vendors or maintainers. Customers should track the related updates and patches for:
- OS and if required, underlying hardware firmware
- VM virtualization infrastructure
- Desktop browsers
They should follow the update and patching instructions as directed by the vendor/maintainer of those components.
It appears there is no direct database patch, but Oracle strongly recommends January 2018 CPU. Oracle has done some benchmarking and determines that the impact on performance is from 3-5% from such remediation.4
Other Oracle Products
For the status of other Oracle products with respect to the publicly-disclosed Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities review the Addendum to the JAN 2018 CPU.
Mitigate your risk
These vulnerabilities exist on nearly every computer in use today, and because of the nature of the flaw, will continue to exist until the chip manufacturers resolve them. That being said, software patches, bios and firmware updates are likely to mitigate the risks. It’s important to test and apply patches to your systems to keep them as secure as possible.
- Oracle Linux Patch Availability Document for CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 (Doc ID 2348448.1)
- CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 Advisory for Oracle E-Business Suite (Spectre and Meltdown Vulnerabilities) (Doc ID 2354601.1) / Oracle VM Patch Availability Document for CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 (Doc ID 2348460.1) / Addendum to the January 2018 CPU Advisory for Spectre and Meltdown (Doc ID 2347948.1)
- Performance impact of mitigation measures against CVE-2017-5754 and CVE-2017-5753 on Oracle Database, Oracle Exadata, and Oracle Zero Data Loss Recovery Appliance (Doc ID 2357480.1)