In case you forgot:

Meltdown and Spectre are the names of two serious security flaws that have been found within computer processors. They could potentially allow hackers to steal sensitive data without users knowing.   We previously posted this information back in January, and here is an update in full.

 

The fixes needed to protect against Meltdown and Spectre might have the unfortunate side effect of having significant performance impact on Windows and Linux operating systems.

 

What is Meltdown?:

 

Meltdown is a security flaw that could allow malicious software to illegally access memory that belongs to the kernel, or another software process. It works by circumventing the memory barriers between applications run in user space and kernel space by an attack involving speculative execution. A branch mis-prediction is provoked in one of several ways, causing the CPU to speculatively execute an illegal code sequence. This is caught by the CPU after the branch is executed, and subsequently rolled back. However, its effect on the hardware cache is not rolled back, and measuring the response time of various accesses to the cache can pinpoint what data was stored in the memory of the victim process through the address space of the adversary.

 

The software fix involves separating the memory page tables of the user space and kernel space, which inevitably leads to a negative performance impact on communication between user level applications and the kernel.

 

What is Spectre?

Spectre is a security flaw that affects modern microprocessors that perform branch prediction. It can be used to trick otherwise error-free applications into giving up secret information by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.

 

Mitigation:

 

The following table describes what needs to be done in Microsoft Windows environments to mitigate the Meltdown and Spectre security flaws.

 

Security flaw

 

 

Common Vulnerabilities and Exposures (CVE) ID

 

Exploit name

 

Public CVE name

 

Windows changes needed

 

Windows patches needed?

 

BIOS patches needed?

 

Spectre

 

CVE-2017-5753

 

Variant 1

 

Bounds Check Bypass

 

Recompile with a new compiler

Hardened browser to prevent exploit from JavaScript

 

No

 

No

 

Spectre

 

CVE-2017-5715

 

Variant 2

 

Branch Target Injection

 

New CPU instructions that eliminate branch speculation

 

No

 

Yes

SEE NOTE (2)

 

Meltdown

 

CVE-2017-5754

 

Variant 3

 

Rogue Data Cache Load

 

Isolate kernel and user mode page tables

 

Yes, see (1) below.

Patches:

 

No

 

(1) The operating system patches

have to be enabled in the Windows registry or they will not have any effect. See "Enabling protections on the server" here: https://support.microsoft.com/en-za/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution


How is Qlik software impacted?

Qlik products are built on top of underlying components such as Operating Systems (OS) and chipsets, therefore Qlik products will rely on the OS fixes for both Spectre and Meltdown to mitigate the security risks.

 

The Qlik Performance and Stability centre are in the process of testing both QlikView and Qlik Sense with operating systems and system BIOS patches that address the Meltdown & Spectre security flaws. Tests include measuring the load of concurrent users ranging from low to high load scenarios. High load in this case is a continuously growing number of concurrent users (up to 300) triggering light calculations with minimum think time between the clicks. The users avoided selecting cached values. The complete bandwidth of the system was tested since the processor needed to calculate every result, which meant that a queue of clicks to serve was built up.

 

The following conclusions are based on the results of the ongoing tests with currently available patches. We are sharing our conclusions here in the spirit of openness and transparency and they may change as more results are gathered.

 

Configuration

 

 

Conclusion

 

Qlik Sense on Windows

 

On dual-socket servers, the performance degrade was 4 - 14% (seemingly depending on the CPU generation).

On quad-socket servers, the performance degrade was smaller with the updated Spectre patch than with the original patch:

•The largest degrade was measured with hyper-threading enabled: the response time increased 8 - 60% (used to be 90% with the original patch).

•With hyper-threading disabled, the performance degrade was smaller, 5% - 40%.

•When testing the updated patch on a quad-socket server with fewer cores, the performance degrade was less significant. SEE NOTE (2)

 

QlikView Server

 

Results are similar to those for Qlik Sense.

On dual-socket servers, the performance degrade was 5 - 11%.

Based on the March 2018 test results, it is recommended to install the updated version of the Spectre patch. SEE NOTE (2)

 

NPrinting

 

No degrade for Qlik Sense.

A degrade of around 10% for QlikView Server.

 

(2) NOTE Important note regarding the Spectre patch: (update 2018-04-12)

 

The original Spectre patch, released in January 2018, caused stability issues and it is recommended not to install that patch. However, it is recommended to install the updated version of the Spectre patch, which was released in March 2018.

 

More information is available on Dell Knowledge Base http://www.dell.com/support/article/se/sv/sebsdt1/sln308588/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-emc-products-dell-enterprise-servers-storage-and-networking-?lang=en

 

Qlik will be retesting when new patches are available and will update this support blog in due course

 

Product Versions tested:

    Qlik Sense February 2018

    QlikView 12.20

    Qlik NPrinting February 2018 Release Candidate

 

 

Links:

For more information, please see the following pages:

Relevant research papers for deep diving:

Information on vendor fixes: