On Jan 3, 2018, Google’s Project Zero team along with several other university researchers identified several security issues with speculative execution, an optimization technique used in microprocessors to improve performance.

Couchbase is aware of the recently disclosed class of processor/OS vulnerabilities (Meltdown and Spectre) affecting modern processors and operating systems including Intel, AMD, and ARM. This article explains how these kinds of vulnerabilities can affect any user-space application such as Couchbase.

Vulnerability Assessment

Two variants of vulnerabilities associated with speculative execution have been disclosed. The vulnerabilities allow attackers to exfiltrate confidential information from the kernel or from other processes via a side-channel.

Meltdown exploits side-effects of out-of-order execution to break the isolation between user applications and the operating system, allowing an application to access memory of another application, as well as system memory.

Spectre exploits vulnerabilities in speculative execution to break the isolation between applications, allowing one application to access memory associated with another, which can then be leaked through a side channel.

For these attacks to be feasible, attackers must be able to run malicious processes on the same host and processor as the victim processes. As such, where applicable, policing access to machines and physical machine security can be an effective temporary mitigation against these attacks.

In order to fully mitigate these vulnerabilities, it is necessary to patch the operating system to include recent fixes to the kernel. It also may be necessary to enable these patches (though it appears many vendors will do this by default) and to update the processor firmware. Couchbase strongly recommends that customers consult with their hardware and OS vendors for the specific steps needed to ensure they are protected.

Securing the Stack

As with other applications running in user-space, Couchbase and other database technologies may get affected by these vulnerabilities.  

The following table outlines what customers should do, depending on the environment in which Couchbase is running. Couchbase recommends customers deploy fixes using normal procedures to validate new binaries before deploying to production environments.

Scenario DescriptionCouchbase Recommendation(s)
Couchbase is run on bare metal (no virtual machines) AND no other untrusted application logic (application tier) is run on the same machine
  1. Apply Linux/Windows OS patches
  2. Consult with your Linux/Windows OS vendor about whether and how to enable the firmware changes.

(see below for references)

Couchbase is run in a virtual machine in a public hosting environmentOn each of the supported cloud providers (AWS, Azure & GCP) we are in the process of updating pre-configured images to include latest OS patched version.

Customers not using those pre-configured images should refer to cloud providers for guidance on applying OS patches.

Couchbase is run in a virtual machine in a private hosting environment
  1. Apply Linux/Windows OS patches
  2. Consult with your Linux/Windows OS vendor about whether and how to enable the firmware changes.

Additionally, we recommend isolating Couchbase Server on dedicated physical hardware.

(see below for references)

Couchbase is run in a physical or virtual machine and is not isolated from other application logic running on the same machine
  1. Apply Linux/Windows OS patches
  2. Consult with your Linux/Windows OS vendor about whether and how to enable the firmware changes.

We recommend restricting use of or blocking untrusted code from executing on the machine.

(see below for references)

Performance Advisory

Couchbase continues to do performance evaluation on the patched binaries. While the Meltdown OS kernel patch prevents the chip’s kernel from leaking memory, it may bring some changes to the way the OS interacts with the processor, resulting in some performance degradation.

The degradation is highly workload-dependent (consistent with the early reports from Intel), and Couchbase recommends testing in your environment before production deployment. This may also involve moving to a more powerful CPU machine to take the extra load if needed.


Contact us

If you need to talk to us about this issue, contact us at support@couchbase.com.

Posted by Anil Kumar, Director Product Management, Couchbase Server

Anil Kumar is the Director of Product Management at Couchbase. Anil’s career spans more than 15+ years building software products across various domains, including enterprise software, mobile services, and voice and video services. He is a hands-on product leader responsible for Couchbase Server, Couchbase Cloud, and Kubernetes product lines, including evangelizing the product strategy and vision with customers, partners, developers, and analysts. Before joining Couchbase, Anil spent several years working at Microsoft Redmond in the Entertainment division and most recently in the Windows and Windows Live division. Anil holds a master’s degree in computer science from the University of Toronto (Canada) and a bachelor’s in information technology from Visvesvaraya Technological University (India).

One Comment

  1. Is your Malwarebytes creating some difficulties these days? Is your Malwarebytes unable to start at times? Do you find it difficult to carry out a custom scan? Whatever the problem, you now have full Malwarebytes support available to you on your own phone and any queries visit the web portal. https://www.assistanceforall.com/services/antivirus-support/malware-bytes-support/

Leave a reply