Over the last couple of days, you have probably heard quite a bit of chatter and speculation about some newly disclosed ways to attack various processors. The initial reports were that only Intel processors were affected, but some sources indicate that some AMD and ARM processors are also vulnerable.
Security researchers at Graz University (who were involved with the initial discovery of these issues) have put up a site, complete with cute logos, with some useful information about these two exploits. The most detailed information so far about the attack methods comes from Google Project Zero, as shown here: Reading privileged memory with a side-channel. Their testing shows some limited vulnerability for some older AMD processors.
AMD is pretty adamant that their processors are not vulnerable to these exploits, as shown by this statement from AMD’s Tom Lendacky:
“AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
Linus Torvalds also seems pretty confident that AMD is not affected, as witnessed by his comments in a recent code check-in:
“Exclude AMD from the PTI enforcement. Not necessarily a fix, but if AMD is so confident that they are not affected, then we should not burden users with the overhead”
Paul Alcorn has a pretty good write-up about this issue here. Yesterday, Phoronix published some early benchmark results against a patched version of Linux that were pretty alarming for some use cases (synthetic IO benchmarks and PostgreSQL database performance).
Redhat has published some information about the performance impact of OS fixes on several different workload types. The most notable is what they define as
“Measureable: 8-19% – Highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions are impacted between 8-19%. Examples include OLTP Workloads (tpc), sysbench, pgbench, netperf (< 256 byte), and fio (random I/O to NvME)”
More details about these findings and some mitigation methods for RHEL are available in these links:
Speculative Execution Exploit Performance Impacts – Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715
Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables
It seems like the various fixes for these issues are going to hit database and virtualization performance harder than most other use cases. I wonder whether it will be possible for Intel to at least partially fix the issue with a stepping change on any Intel processors that are still in production (i.e. they make an actual hardware fix using the same existing processor design) that lets them send out replacement processors that work in some existing servers.
If you are old enough to remember the old Pentium FDIV bug in 1994, Intel initially tried to minimize the issue, saying that it was very rare. Then, they tried to make people prove that they were hitting the bug by running an Intel utility. Finally, they caved in to bad PR and ended up sending out replacement CPUs to a lot of people, no questions asked, which cost them $475 million back in the day. I remember swapping out my CPU, because I was a geek back then too!
Early this morning, Microsoft published this KB article: SQL Server Guidance to protect against speculative execution side-channel vulnerabilities. According to Microsoft, the following versions of SQL Server are impacted when running on x86 and x64 processor systems: SQL Server 2008, SQL Server 2008R2, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017.
Microsoft has already issued two Cumulative Updates that include fixes to help mitigate this issue (along with the other important hotfixes included in each CU).
Cumulative Update 3 for SQL Server 2017
I suspect that there will be an out of band CU or hotfix for SQL Server 2014 SP2 relatively soon, since it is still in Mainstream support. Even though SQL Server 2012 and older are out of Mainstream support, Microsoft will probably develop and release hotfixes for those releases relatively soon since this is a security issue.
Microsoft has also started pushing out an out of band OS update for Windows 10 (KB4056892) that is meant to mitigate this issue. There are similar updates for most other supported Microsoft operating systems. Here is the current information for Windows Server:
Windows Server guidance to protect against speculative execution side-channel vulnerabilities
Here is Microsoft’s current security advisory advice:
ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
Microsoft has also released this statement about how they have been handling this for Microsoft Azure
Here is what I plan on doing over the next couple of weeks as this starts to shake out:
- Find out what Intel has to say about this issue (beyond this vague initial statement)
- Find out if possible, which Intel processor families are affected by the issue
- Find out whether newer Intel processor families are less affected than older Intel processor families
- Find out if Intel can fix the issue with a hardware change for current production processors like the Xeon Scalable Processor Family
- Do some before/after testing with CPU-Z, Geekbench, CrystalDiskMark, and DiskSpd to see how performance is affected by the patches
- Do some SQL Server testing with some common, easy tasks, such as big sequential reads, running DBCC CHECKDB, running full backups and restores to see how SQL Server is affected by the OS patch
Here is what I think you should be doing:
Plan on getting your database servers patched as soon as possible, which will include OS patches, SQL Server patches, and possible firmware or BIOS/UEFI updates as they become available.
Be ready to do some workload and query tuning as necessary if your workload performance is negatively affected by these various patches and updates.
Think harder about upgrading to new hardware, a newer version of your OS, and a newer version of SQL Server that is still fully supported.
For personal and client workstation systems, you should be checking to see if there are any firmware or BIOS/UEFI updates that become available, both for these issues and as a general best practice.
Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
I am collecting some resources about this issue from the server vendors as shown in the links below:
Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)
Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products (This is for client hardware)
CPU hardware vulnerable to side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Side Channel Analysis Method allows information disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design
12 thoughts on “Microsoft SQL Server Updates for Meltdown and Spectre Exploits”
I only see KB4056955 that relates to security and no others that talk about performance in SQL 2016 SP1 CU7. Am I not seeing something that would make me want to go to this CU? I am in the process of upgrading our SQL 2016 instances to SP1 CU6 currently.
There are only 14 hot fixes in SQL Server 2016 SP1 CU7. Microsoft recommends proactively testing and deploying SQL Server CUs as they become available. Especially since Microsoft Update will probably be pushing the security fix in SP1 CU7, I would probably want to test and deploy SP1 CU7 myself, on my own schedule.
Thank you so much for putting this together. Are you planning to update the article as you get more information? Very helpful.
Yes, I will update this.
The mitigations aren’t even enabled in Windows Server by default for performance reasons, you’ll have to apply the registry keys in the KB article…
Any idea what the patches in SQL Server actually do to mitigate the problem? Are they required for the updated Windows address layout?
The SCCM team tweeted about the SQL fix last Friday.
The issue we are seeing is the SQL patch changes the SQL clr behavior (as well as linked server), and #sccm needs those to work. #configmgr
So it appears to be what is in the SQL Guidance KB4073225. Look for CLR and Linked Server advice on page 3
any word on when the sql 2014 updates will be available?
I have not heard anything yet about the SQL Server 2014 or 2012 patches.
Interesting note on the DELL server site.
I’ve already applied the new BIOS to my 12G servers and DELL have gone and pulled it.
Getting interesting perform when using sys.dm_index_physical_stats when patched and enabled with HP firmware updated. This is a Intel® Xeon® Processor E5-2643 v3 Didn’t really notice much else running SQL 2012 SP4 on W2K12R2 until we updated the firmware.
I see a BIG hit on performance once the firmware is updated.