Re: Meltdown and spectre

From: Tim Hall <tim_at_oracle-base.com>
Date: Fri, 5 Jan 2018 17:18:21 +0000
Message-ID: <CAP=5zEjCzC8cxnrcEPT8YPAnUJju4=aFLY+mf_kn8XX+N+WUYA_at_mail.gmail.com>

Does not compute.

This is a problem with Intel chips. It's not a problem with Linux. The OS vendors are putting in patches to fix/mitigate issues so you don't have to scrap your Intel servers and replace them with servers with AMD chips.

Do I need to patch my servers? So you are never going to patch your kernel again? Ever? If you ever do, you will get these fixes. Good luck with never patching stuff again...

Cheers

Tim...

On Fri, Jan 5, 2018 at 5:06 PM, Reen, Elizabeth <dmarc-noreply_at_freelists.org
> wrote:

> Since all of my servers are in house behind numerous
> firewalls, do I need to patch everything? The performance hit is going to
> hurt. Do I need to do that for dev and testing servers which run with
> redacted data? I could need to double the amount of servers I own. Yes
> they are cheap, but it adds up after a while. What about licenses? Will I
> need to up them because I need more iron to do the same work?
>
>
>
> I agree that you can’t stop a fully prived account from
> reading memory under this scenario. It is a bad operating system that lets
> this happen. Given the say Linux was developed, it is easy for something
> like this to sneak through. Linux is a great o/s, but you get what you pay
> for here. The reason it is so popular is that it is so inexpensive. This
> is not an issue in AIX, Sparc, or HP/UX. They cost money because they have
> been designed and tested. They did not start out life as an alternative to
> windows.
>
>
>
> Wrapper on every syscall is probably the fastest fix. It is
> far from the best fix. Hopefully they will put in the correct fix.
>
>
>
> Liz
>
>
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_
> freelists.org] *On Behalf Of *Mark W. Farnham
> *Sent:* Friday, January 05, 2018 8:38 AM
> *To:* niall.litchfield_at_gmail.com; andrew.kerber_at_gmail.com
> *Cc:* 'fmh'; 'ORACLE-L'
> *Subject:* RE: Meltdown and spectre
>
>
>
> This also poses what I think is a relevant question for folks who place
> their physical RDBMS server(s) securely and only have privileged logons
> anyway. (You really can’t stop a fully privileged account from viewing
> memory or any other resources anyway and only in memory encryption can
> frustrate that if a bad actor has gained a privileged access to a server.)
>
>
>
> So, will there be an “insecure” patch to skip the overhead and rely on
> server access control?
>
>
>
> Then we can have a fresh round of the debate about whether “physical” or
> “virtual” is faster with the playing field thus tilted significantly in
> favor of “physical.”
>
>
>
> I also wonder for “virtual” servers whether this could be merely a
> “hypervisor” patch (which in ring security theory dating back to the 1970’s
> could establish a memory address bounded area at the privileged account
> layer (which should be a heckuva lot cheaper than a wrapper on every
> “syscall.”)
>
>
>
> DTSS is lookin’ pretty good right now. Still it was our own fault for not
> explaining clearly to enough to management that 100 million (plus) copies
> at $39.95 each was more than 12 copies at $10 million each. Sigh.
>
>
>
> mwf
>
>
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_
> freelists.org <oracle-l-bounce_at_freelists.org>] *On Behalf Of *Niall
> Litchfield
> *Sent:* Thursday, January 04, 2018 10:58 AM
> *To:* andrew.kerber_at_gmail.com
> *Cc:* fmh; ORACLE-L
> *Subject:* Re: Meltdown and spectre
>
>
>
> There absolutely should be an OEL patch for this - for the RH kernel
> they'll probably take upstream - for UEK I'd expect an Oracle patch. I'd
> expect Oracle shops to be regression testing to determine the likely impact
> on RDBMS (and java app for that matter) performance.
>
>
>
> On Thu, Jan 4, 2018 at 3:40 PM, Andrew Kerber <andrew.kerber_at_gmail.com>
> wrote:
>
> I was wondering the same thing. But I dont think its up to Oracle to patch
> this, its going to be at the OS and firmware level. But everything I read
> says that its going be a huge performance hit, anywhere from 10-50%, and
> the higher end will be on IO bound systems.
>
>
>
> On Thu, Jan 4, 2018 at 9:33 AM, Fred Habash <fmhabash_at_gmail.com> wrote:
>
> Checked Oracle security bulletins but didn't find anything related. Did
> Oracle release an official statement for these vulnerabilities at least for
> the RDBMS and OEL.
>
>
>
> Thanks
>
>
>
>
> --
>
> Andrew W. Kerber
>
> 'If at first you dont succeed, dont take up skydiving.'
>
>
>
>
>
> --
>
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.orawin.info&d=DwMFaQ&c=j-EkbjBYwkAB4f8ZbVn1Fw&r=yWMFosURAngbt8VLeJtKLVJGefQxustAZ9UxecV7xpc&m=Ent2QwI0UZIJhxZc_4tIFF6zE5BswrZloZ3PSouSC-s&s=tG0aJf6IYCqHy0hWApVNL3Fgpp7csC57ox5qflq6Org&e=>
>

--
http://www.freelists.org/webpage/oracle-l

Received on Fri Jan 05 2018 - 18:18:21 CET

This message: [ Message body ]
Next message: Tim Hall: "Re: Meltdown and spectre"
In reply to Reen, Elizabeth : "RE: Meltdown and spectre"
Next in thread: Tim Hall: "Re: Meltdown and spectre"
Reply: Tim Hall: "Re: Meltdown and spectre"
Reply: Mark W. Farnham: "RE: Meltdown and spectre"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message