NGINX Response to the Meltdown and Spectre Vulnerabilities
This week, some details about security flaws in several microprocessors were publicly shared; a full disclosure is expected to follow. The flaws take several forms, and have been named Meltdown and Spectre.
You can find more information about the scope of both Meltdown and Spectre here: https://meltdownattack.com/
A process (application) running on a server can use these flaws to access the protected memory used by other processes. The bugs can be exploited between processes and across containers, and even in some cloud and virtual environments.
Like all other processes, NGINX memory is vulnerable to snooping from another process running on the same host. For servers you control, NGINX strongly recommends that you apply the appropriate OS patches to protect against this. For cloud providers, and other platform providers that you use, we strongly recommend that you verify that your provider has applied these patches.
As far as we are aware, NGINX itself does not provide an attack vector that a remote user could use to exploit this vulnerability. Even if such an attack vector were discovered, it may not be possible to prevent it, so applying the recommended OS patches is a priority.
The appropriate advisories are listed here: https://meltdownattack.com/#faq-advisory.
We also advise rotating sensitive data — such as authentication credentials and private keys — stored on vulnerable hardware, because both local attacks and remote attacks are generally impossible to detect. This should be a higher priority for cloud-hosted servers, where it may be easier to mount such attacks.
Once the patches are applied, processes that perform large numbers of system calls will reportedly incur a performance penalty due to the impact of the patches. NGINX, for example, may therefore require additional CPU resources; you should monitor the effect of the patch and be prepared to scale up or scale out if necessary.
We are closely following details of these vulnerabilities and will update this notice as more details emerge.
Further reading:
- Meltdown and Spectre attacks: https://meltdownattack.com/
- Advisories: https://meltdownattack.com/#faq-advisory
- CVE-2017-5754: https://nvd.nist.gov/vuln/detail/CVE-2017-5754
- CVE-2017-5733: https://nvd.nist.gov/vuln/detail/CVE-2017-5753
- CVE-2017-5715: https://nvd.nist.gov/vuln/detail/CVE-2017-5715
- Reading privileged memory with a side channel: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
- Details on performance impacts: https://access.redhat.com/articles/3307751
- Controlling performance impacts: https://access.redhat.com/articles/3311301
The post NGINX Response to the Meltdown and Spectre Vulnerabilities appeared first on NGINX.
Source: NGINX Response to the Meltdown and Spectre Vulnerabilities
Leave a Reply