
Is it possible to not install new programs on a server and sidestep any Meltdown/Spectre vulnerabilities, because it is only a newly identified issue?

I have an SLES server that runs a fixed database load. It's an Intel Xeon on AWS (hvm) VPC in a private subnet. As I look back, no new program binaries nor processes have been added to this server since it was launched over a year ago. But we have applied recommended OS/DBMS patches regularly (which obviously brings in new code).

From what I have read so far, database type work loads will take a huge performance hit from the fixes. It is already running at about 60-80% cpu during peak hours, and growing, so I do expect to upgrade to a bigger server in 2-3 months time.

Under this, does it make sense to skip the fix? If yes, how far can this be stretched?

I am not very familiar with kernels and VMs.

Thanks a lot.

Dinesh
  • I would at least try it and see if you can live with the perf hit before putting off critical updates. – dandavis Jan 08 '18 at 05:43
  • That makes excellent sense and we are trying that out in a sandbox, although simulating a life-size workload can be non-trivial. My boxplots so far show no statistical difference - maybe/could be because my workload is memory bound. Meantime, I wanted to have a better understanding beyond just fear. – Dinesh Jan 08 '18 at 20:03

1 Answer


No.

Meltdown and Spectre make any vulnerabilities ten times worse. If an existing program (which you'd stop updating if you tried this) had a known vulnerability which enabled any sort of remote code execution (even as nobody) then an attacker could use Meltdown to escalate to root permissions. Patch your systems.

Allison
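Whether a given kernel actually carries the Meltdown/Spectre mitigations can be read from sysfs rather than guessed from the patch history; the script below is an added example (not code from the question or the answer) that reports each entry under /sys/devices/system/cpu/vulnerabilities/ and fails if any still reads "Vulnerable". The interface is only exposed by kernels that include the mitigation work, so its absence is itself reported as a finding; the sample directory is constructed for demonstration.

```shell
#!/bin/sh
# Report CPU speculative-execution mitigation status from the kernel's sysfs
# interface. Each file under the directory holds one of:
#   "Not affected", "Mitigation: ...", or "Vulnerable" (optionally with detail).
# The directory is a parameter so the function can run against a constructed
# sample as well as a live host (default path below).
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    if [ ! -d "$dir" ]; then
        # A kernel without this directory has not received the mitigation work;
        # treat that as an unknown/unmitigated state, distinct from "Vulnerable".
        echo "no $dir: kernel does not expose mitigation status; assume unmitigated" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)
                unmitigated=$((unmitigated + 1))
                printf 'UNMITIGATED  %-22s %s\n' "$name" "$status" ;;
            *)
                printf 'ok           %-22s %s\n' "$name" "$status" ;;
        esac
    done
    # Exit status 0 only when nothing is left unmitigated.
    [ "$unmitigated" -eq 0 ]
}

# Constructed sample resembling an unpatched host (assumed values, not the
# poster's server): all three early-2018 entries still report "Vulnerable".
make_sample() {
    d=$(mktemp -d)
    echo "Vulnerable" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}
```

Run `check_cpu_vulns` with no argument on the host itself to check the live kernel.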