Addressing the Spectre and Meltdown Vulnerabilities (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) for CA Performance Management (CAPM)

Document ID : KB000115219
Last Modified Date : 26/09/2018
Introduction:
  • CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 identified security vulnerabilities in industry-wide "multiple microarchitectural (hardware) implementation issues affecting many modern microprocessors, requiring updates to the Linux kernel, virtualization-related components, and/or in combination with a microcode update."
  • "An unprivileged attacker can use these flaws to bypass conventional memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. There are 3 known CVEs related to this issue in combination with Intel, AMD, and ARM architectures." Ref: https://access.redhat.com/security/vulnerabilities/speculativeexecution
  • Note: This is for the first generation of Spectre & Meltdown vulnerabilities. If you are looking for the second generation vulnerabilities, that is discussed in the following KB article: Addressing the Second Generation Spectre and Meltdown Vulnerabilities (CVE-2018-3639) for the API Management Product Suite
Question:
  • Are any of the CA Performance Management components vulnerable to the Spectre and/or Meltdown vulnerabilities?
  • Are there any sizing and capacity considerations for CA Performance Management components once the host operating system is patched?
Environment:
CA Performance Management
Answer:
Components currently known to be affected:
  • All components installed on Linux operating systems are exposed.
  • Customers will need to update the host operating system. The vendor of the host operating system should have issued such a patch. The components themselves do not require patching.
Workaround / Resolution:
Patches have been issued by host operating system vendors. Customers are advised to apply vendor-provided patches to hardware that is being used to run the CA Performance Manager components as they become available.
Customers need to update the kernel by performing the following steps:
  1. Access the affected CA Performance Management component host.
  2. Type sudo yum update and then verify and accept the update.
  3. Once the update has been completed, reboot the machine.
  4. Access the machine again.
  5. Verify that all three (3) CVEs have been fixed by typing rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
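The verification in step 5 only reports lines that mention a CVE; it does not tell you which of the three is still missing. The following added helper (not part of this KB) reads the kernel changelog on stdin, prints each CVE id that is absent, and returns the number missing as its exit status, so it can be used from a post-patch script. The sysfs_status function is a second, optional check that reads the mitigation status the patched kernel exposes under /sys/devices/system/cpu/vulnerabilities; the file names and paths are assumed to match the Red Hat kernels in question.

```shell
#!/bin/sh
# Added example, not CA's own code: check a kernel changelog for all three
# first-generation Spectre/Meltdown CVE ids and report which are still missing.
# Usage:  rpm -q --changelog kernel | sh this_script.sh --check
#         sh this_script.sh --sysfs

CVES="CVE-2017-5715 CVE-2017-5753 CVE-2017-5754"

# Reads changelog text on stdin, prints one missing CVE id per line,
# exit status = number of missing ids (0 means all three are present).
check_cves() {
    changelog=$(cat)
    missing=0
    for cve in $CVES; do
        # fixed-string, whole-word match so CVE-2017-5715 never matches CVE-2017-57150
        if ! printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            echo "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Prints the running kernel's own mitigation status (assumed sysfs layout).
# A missing entry means the kernel is too old to carry the fixes at all.
sysfs_status() {
    dir=/sys/devices/system/cpu/vulnerabilities
    for f in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$f" ]; then
            printf '%s: %s\n' "$f" "$(cat "$dir/$f")"
        else
            printf '%s: (no sysfs entry; kernel not patched)\n' "$f"
        fi
    done
}

case "${1:-}" in
    --check) check_cves ;;          # changelog is expected on stdin
    --sysfs) sysfs_status ;;
esac
```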
Sizing and Performance Impacts:
Testing with the RedHat OS patches in house has shown minimal impact on the CPU usage of the CAPM components (including the Vertica DB) for our typical load test with the kernel default settings. These tests took place on our Intel Haswell CPU systems. Since the impact was minimal, no change to the sizing recommendations for CAPM components was warranted. Individual customers may see different results on CPU usage depending upon their particular user workload and their particular environment.
Additional Information:
Additional Information: Vertica statement on Meltdown & Spectre: https://my.vertica.com/blog/vertica-results-meltdown/