Overview
On Wednesday, January 3, 2018, Google Project Zero disclosed the existence of security vulnerabilities potentially impacting all major processor vendors. These vulnerabilities have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715).
How is Acquia affected?
Acquia uses instances that can be affected by Meltdown and Spectre. All customer applications on the Acquia Cloud platforms are subject to these vulnerabilities.
What are we doing to mitigate the risks?
Acquia began assessing the impact of the Meltdown and Spectre vulnerabilities as soon as the Google Project Zero disclosure became public. We are focused on mitigating the Meltdown vulnerability as the priority because it is more immediately exploitable than Spectre. Furthermore, additional work must be done by the hardware and OS vendors to patch the Spectre vulnerability.
Acquia is planning to deploy Linux patches for Meltdown across the Acquia fleet within the next few weeks. We will soon send additional notices outlining the specific dates of this maintenance effort and its impact on your application.
Public news sources have raised concerns that the OS patches addressing Meltdown may introduce a significant performance penalty. As part of Acquia’s mitigation plan, Acquia Engineering will be evaluating the performance impact of the patches so we can better inform our customers of the performance implications to aid in their planning.
FAQ
Q: What is the current status of the Acquia Cloud platform?
Acquia is currently updating affected services to eliminate both of these vulnerabilities. Alerts will be added to the Acquia Cloud user interface to provide updates on our progress and you will receive email notices as we move along.
Note: Customers with Acquia Cloud Enterprise applications will receive two notices for their non-production and production infrastructure. This was to facilitate applying security remediations to the most vulnerable portions of your applications as soon as possible, which necessitated patching Meltdown and Spectre separately for some instances.
Q: Will my application experience any downtime as a result of this security maintenance?
Depending on the platform your application is running on, impacts may vary. Please review the following to determine what the impact will be for your application.
Acquia Cloud Professional and Acquia Cloud Free applications
- Acquia Cloud Professional applications will experience 30-60 minutes of downtime during this maintenance as your application reboots.
- Load balancers will receive a reboot during this maintenance. This process is expected to complete in under 10 minutes. Varnish will continue to serve cached traffic during most of the update process. High volume applications with heavy reliance on Varnish and Memcache caching may experience temporary performance degradation while the cache rebuilds immediately after the update.
- Additionally, tasks executed during your instances' reboots may fail if the necessary instance is unavailable at the time the task is triggered. Failed tasks will appear in your site's Acquia Insight interface on the Workflow page. Necessary tasks should be resubmitted to ensure they are completed.
Acquia Cloud Enterprise applications
- Load balancers will receive a reboot during this maintenance. This process is expected to complete in under 10 minutes. Varnish will continue to serve cached traffic during most of the update process. High volume sites with heavy reliance on Varnish and Memcache caching may experience temporary performance degradation while the cache rebuilds immediately after the update.
- For sites with single-tier staging and dev environments, those environments will be unavailable for approximately 5 minutes during their reboots.
- Additionally, tasks executed during your instances' reboots may fail if the necessary instance is unavailable at the time the task is triggered. Failed tasks will appear in your site's Acquia Insight interface on the Workflow page. Necessary tasks should be resubmitted to ensure they are completed.
Acquia Cloud Site Factory applications
- Load balancers will receive a reboot during this maintenance. This process is expected to complete in under 10 minutes. Varnish will continue to serve cached traffic during most of the update process. High volume Site Factories with heavy reliance on Varnish and Memcache caching may experience temporary performance degradation while the cache rebuilds immediately after the update.
- During this maintenance, Acquia Cloud Site Factory applications will experience a loss of high availability. This will impact the performance or availability of your application during periods of high traffic or in the rare event of a hardware failure.
- Additionally, tasks executed during your instances' reboots may fail if the necessary instance is unavailable at the time the task is triggered. Failed tasks will appear in your Site Factory's Acquia Cloud interface on the Environment's page under Task Log. Necessary tasks should be resubmitted to ensure they are completed.
Q: Is there any action I need to take to eliminate this vulnerability from my Acquia-hosted websites?
No action is required on your part.
Q: Does this maintenance cover both the Meltdown and Spectre vulnerabilities?
Yes. As of 29 January 2018, we are patching for both Meltdown and Spectre.
Q: My application appears to have taken a performance hit since you updated my infrastructure. Can you provide me any guidance on this?
Some customers may find their applications experience an overall performance impact due to these necessary patches. Initial testing has determined performance impacts for some applications ranging from slight to significant. Many customers will not see any impact at all. These impacts depend on a variety of factors, including:
- Size of file systems
- Complexity of databases
- High amounts of context switching
- High number of system calls
Where performance impacts are encountered, we recommend that customers upgrade their applications to a more robust, newer infrastructure in order to better support their application's needs.
If you believe this applies to your application, please reach out to us via Acquia Support ticket or directly to your Account Manager and we will be happy to work with you.
Q: My application infrastructure may need to be upgraded as a result of this work. What does that mean for me?
If your application's infrastructure needs to be changed, your account manager will provide you with any relevant details.
Additional Details
For additional details regarding these vulnerabilities, please see Meltdown and Spectre Advisories.
Additional Questions
If you have any additional questions, contact Acquia Support by creating a ticket at https://insight.acquia.com/support.
Release Date
2018-01-04