On Jan 3, 2018, Google’s Project Zero team along with several other university researchers identified several security issues with speculative execution, an optimization technique used in microprocessors to improve performance.

Couchbase is aware of the recently disclosed class of processor/OS vulnerabilities such as Meltdown and Spectre. These affect modern processors and operating systems including Intel, AMD, and ARM. This article explains how these kinds of vulnerabilities can affect any user-space application such as Couchbase.

Vulnerability Assessment

Two variants of vulnerabilities associated with speculative execution have been disclosed. The vulnerabilities allow attackers to exfiltrate confidential information from the kernel or from other processes via a side-channel.

Meltdown exploits side-effects of out-of-order execution to break the isolation between user applications and the operating system, allowing an application to access the memory of another application, as well as system memory.

Spectre exploits vulnerabilities in speculative execution to break the isolation between applications, allowing one application to access memory associated with another, which can then be leaked through a side channel.

Successful attacks run malicious processes on the same host and processor as their target victim. As such, where applicable, policing access to machines and physical machine security can be effective temporary mitigation against these attacks.

To fully mitigate these vulnerabilities, the operating system must be patched with recent kernel fixes. It also may be necessary to enable these patches and update the processor firmware. To ensure protection, Couchbase strongly recommends that customers consult their hardware and OS vendors for the specific steps to take.

Securing the Stack

As with other applications running in user-space, Couchbase and other database technologies may get affected by these vulnerabilities.

The following table outlines what customers should do, depending on the environment in which Couchbase is running. Couchbase recommends customers deploy fixes using normal procedures to validate new binaries before deploying to production environments.

Scenario Description	Couchbase Recommendation(s)
Couchbase is run on bare metal (no virtual machines). And no other untrusted application logic (application tier) is run on the same machine	Apply Linux/Windows OS patches Consult with your Linux/Windows OS vendor about whether and how to enable the firmware changes. (see below for references)
Couchbase is run in a virtual machine in a public hosting environment	On each of the supported cloud providers (AWS, Azure & GCP) we are in the process of updating pre-configured images to include the latest OS patched version. Customers not using those pre-configured images should refer to cloud providers for guidance on applying OS patches.
Couchbase is run in a virtual machine in a private hosting environment	Apply Linux/Windows OS patches Consult with your Linux/Windows OS vendor about whether and how to enable the firmware changes. Additionally, we recommend isolating Couchbase Server on dedicated physical hardware. (see below for references)
Couchbase is run in a physical or virtual machine. NOT isolated from other application logic running on the same machine	Apply Linux/Windows OS patches Consult with your Linux/Windows OS vendor about whether and how to enable the firmware changes. We recommend restricting the use of or blocking untrusted code from executing on the machine. (see below for references)

Performance Advisory

Couchbase continues to evaluate performance on the patched binaries. The Meltdown OS kernel patch prevents leaking OS kernel memory. However, it may also change the way it interacts with the processor, degrading performance.

The degradation is highly workload-dependent (consistent with the early reports from Intel), and Couchbase recommends testing in your environment before production deployment. This may also involve moving to a more powerful CPU machine to take the extra load if needed.

References

AWS – https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
Microsoft Windows – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
MAC OS – https://support.apple.com/en-us/HT208394
Red Hat Enterprise Linux – https://access.redhat.com/security/vulnerabilities/speculativeexecution
Ubuntu Linux – https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
Debian Linux – https://security-tracker.debian.org/tracker/CVE-2017-5754
SuSE Linux – https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities

Contact us

If you need to talk to us about this issue, contact us at support@couchbase.com.

Anil Kumar, Director Product Management, Couchbase Cloud-Native Database

Author

Posted by Anil Kumar, Director Product Management, Couchbase Cloud-Native Database

Anil Kumar is the Director of Product Management at Couchbase. Anil’s career spans more than 19+ years of building software products across various domains, including enterprise software and cloud services. He is a hands-on product leader responsible for Couchbase Server, Couchbase Cloud, and Kubernetes product lines, including evangelizing the product strategy and vision with customers, partners, developers, and analysts. Before joining Couchbase, Anil spent several years working at Microsoft Redmond. Anil holds a master’s degree in computer science from the University of Toronto (Canada) and a bachelor’s in information technology from Visvesvaraya Technological University (India).

All Posts

Products

See How Capella Stacks Up

See How Capella Stacks Up

By Industry

By Need

Why NoSQL

What is NoSQL and why choose it?

Popular Docs

By Developer Role

Capella Playground

Start A Free Capella Trial

Resource Center

Education

Certification Exams 2023

Get Couchbase certified

About

Partnerships

Our Services

Partners: Register a Deal

Ready to register a deal with Couchbase?

Marriott

Speculative Execution Vulnerabilities – Meltdown & Spectre