Question

If you didn't hear, a set of related vulnerabilities were recently discovered that impact virtually all processors sold over the last decade. You can find more technical detail about the meltdown/spectre vulnerabilities on InfoSec.SE.

As a SQL Server DBA, what do I need to understand about this?

If we don't share our SQL Servers (or our vm farms) with other companies, is this still a risk?

Will this be simply an OS patch? Or are there patches/hotfixes available for SQL Server that are required to address this vulnerability? Which SQL Server versions will be patched?

Some articles are predicting a 5-30% performance impact, especially in highly virtualized environments. Is there any way to predict what the performance impact on my SQL Servers might be?


Solution

Here is Microsoft's Security Advisory on the vulnerabilities, which have been assigned three "CVE" numbers:

  • CVE-2017-5715 - Branch target injection ("Spectre")
  • CVE-2017-5753 - Bounds check bypass ("Spectre")
  • CVE-2017-5754 - Rogue data cache load ("Meltdown")

The Microsoft KB for how these vulnerabilities impact SQL server is being actively updated as new information becomes available:

KB 4073225: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities.

Microsoft's exact recommendation will depend on your configuration and business scenario; please refer to the KB for details. If you are hosting on Azure, for example, no action is required (the environment is already patched). If, however, you are hosting applications in shared virtual or physical environments with potentially untrusted code, other mitigations may be required.

SQL patches are currently available for the following impacted SQL versions:

These SQL Server patches protect against CVE-2017-5753 (Spectre: Bounds check bypass).

To protect against CVE-2017-5754 (Meltdown: Rogue data cache load), you can enable Kernel Virtual Address Shadowing (KVAS) on Windows (via registry change) or Kernel Page Table Isolation (KPTI) on Linux (via a patch from your Linux distributor).

To protect against CVE-2017-5715 (Spectre: Branch target injection), you can enable Branch Target Injection mitigation hardware support (IBC) via registry change plus a firmware update from your hardware manufacturer.

Note that KVAS, KPTI and IBC may not be required for your environment, and these are the changes with the most significant performance impact (emphasis mine):

Microsoft advises all customers to install updated versions of SQL Server and Windows. This should have negligible to minimal performance impact to existing applications based on Microsoft testing of SQL workloads, however, we recommend that you validate before deploying to a production environment.

Microsoft has measured the impact of Kernel Virtual Address Shadowing (KVAS), Kernel Page Table Indirection (KPTI) and Branch Target Injection Mitigation (IBC) on various SQL workloads in various environments and found some workloads with significant degradation. We recommend that you validate the performance impact of enabling these features before deploying into a production environment. If the performance impact of enabling these features is too high for an existing application, customers can consider whether isolating SQL Server from untrusted code running on the same machine is a better mitigation for their application.

Microsoft System Center Configuration Manager (SCCM) specific guidance: Additional guidance to mitigate speculative execution side channel vulnerabilities as of Jan 08 2018.

Related blog posts:
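The answer above tells a DBA to check three things: whether the SQL Server build is one of the patched ones in KB 4073225, whether KVAS (CVE-2017-5754) is enabled, and whether IBC (CVE-2017-5715) is enabled, while warning that the last two carry the performance cost and should be validated before production. The PowerShell script below is an added example, not part of the original answer or of Microsoft's guidance, that reads all three from a Windows SQL Server host without changing anything. It assumes the SpeculationControl module (Microsoft's PowerShell Gallery module for reporting mitigation state) can be installed, that the registry values FeatureSettingsOverride and FeatureSettingsOverrideMask under Session Manager\Memory Management are the switch Microsoft documents for Windows Server (confirm against the current Microsoft guidance), and that Windows authentication works against the instance named in -SqlInstance.

```powershell
# Added example (not from the original answer): read-only audit of a Windows SQL Server
# host for the speculative-execution mitigations discussed above. Nothing here changes
# configuration; run it in an elevated session so the kernel state can be read.
#
# Assumptions not stated on the page:
#   - SpeculationControl is Microsoft's gallery module; installing it needs Internet access.
#   - FeatureSettingsOverride / FeatureSettingsOverrideMask are the documented Windows Server
#     registry switch for KVAS and IBC (verify against Microsoft's current guidance).
#   - The SQL build query uses Windows authentication to -SqlInstance.

function Get-SqlHostSpeculativeExecutionStatus {
    [CmdletBinding()]
    param(
        [string]$SqlInstance = 'localhost'
    )

    # --- 1. OS mitigation state: KVAS for CVE-2017-5754, IBC for CVE-2017-5715 ---
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    $sc = Get-SpeculationControlSettings -Quiet

    # --- 2. The registry switch Microsoft's Windows Server guidance uses for the mitigations ---
    # (assumed names; absent values mean the host is still at the OS default)
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $override = $reg.FeatureSettingsOverride
    $mask     = $reg.FeatureSettingsOverrideMask

    # --- 3. SQL Server build, to compare with the patched builds listed in KB 4073225 ---
    $sqlBuild = $null
    try {
        $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
            "Server=$SqlInstance;Integrated Security=True;Connection Timeout=5"
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32)) AS ProductLevel,
       CAST(SERVERPROPERTY('Edition')        AS nvarchar(64)) AS Edition
"@
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            $sqlBuild = '{0} ({1}, {2})' -f $r['ProductVersion'], $r['ProductLevel'], $r['Edition']
        }
        $r.Close()
        $conn.Close()
    } catch {
        # Connection failures are reported, not hidden, so the audit row is still produced.
        $sqlBuild = "unavailable: $($_.Exception.Message)"
    }

    # One object per host makes it easy to collect across a VM farm and sort by
    # what still needs the (performance-costly) KVAS/IBC change versus only a SQL patch.
    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        SqlInstance                 = $SqlInstance
        SqlServerBuild              = $sqlBuild
        KvaShadowRequired           = $sc.KVAShadowRequired
        KvaShadowEnabled            = $sc.KVAShadowWindowsSupportEnabled
        BtiHardwareSupport          = $sc.BTIHardwarePresent
        BtiMitigationEnabled        = $sc.BTIWindowsSupportEnabled
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
    }
}

# Usage: audit the local default instance.
Get-SqlHostSpeculativeExecutionStatus -SqlInstance 'localhost' | Format-List
```

Run the same function against a representative test host before and after the registry change, with your normal workload applied, and keep both rows together with your baseline performance counters; that gives you the "validate before deploying to production" evidence the answer's quoted guidance asks for, and a host where KvaShadowRequired is false or where SQL Server is isolated from untrusted code is one where you may decide the OS-level switches are not worth their cost.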

Licensed under: CC-BY-SA with attribution