Protecting Apache Ignite from 'Meltdown' and 'Spectre' vulnerabilities
The world was rocked by the recent disclosure of the Meltdown and Spectre vulnerabilities, which affect almost all software ever developed. Both issues stem from the way all modern CPUs are designed, which is why they have opened unprecedented security holes, leaving software, including Apache Ignite, vulnerable to hacker attacks.
The vulnerabilities are registered in the National Vulnerability Database under the following CVEs:
How to protect Apache Ignite deployments?
First, the vulnerabilities can be fixed only at the operating system (OS) or hardware level. All OS and hardware vendors are working on and releasing patches to close the security holes. Depending on the type of your Apache Ignite deployment, make sure to do the following:
- On-premise deployments - apply the patches prepared by your OS and hardware vendors. Consult with them to find out what additional steps to take. This page is a good place to start.
- Cloud deployments - major cloud providers such as Amazon and Microsoft are in the process of patching their cloud computing services. Review your cloud provider's security announcements and recommendations, or follow up with a representative for suggestions.
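One way to confirm that a Linux cluster node's kernel reports the mitigations as active after patching, as an added example that is not part of the original post. It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (4.15 or a vendor backport); `check_mitigations` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): audit the kernel-reported
# Meltdown/Spectre status on one Linux node.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities.

# check_mitigations [DIR]
# Prints one line per issue and returns:
#   0 = every entry reads "Not affected" or "Mitigation: ..."
#   1 = at least one entry reads anything else (e.g. "Vulnerable")
#   2 = nothing exposed, but the directory or an entry is missing
#       (kernel too old to report; treat the node as unpatched)
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN  $dir not present; kernel predates status reporting"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            echo "UNKNOWN  $name: no status file"
            if [ "$rc" -eq 0 ]; then rc=2; fi
            continue
        fi
        status=$(cat "$file")
        case "$status" in
            "Not affected"*|"Mitigation:"*)
                echo "OK       $name: $status" ;;
            *)
                # An exposed entry outranks a missing one.
                echo "EXPOSED  $name: $status"
                rc=1 ;;
        esac
    done
    return "$rc"
}
```

Source the file and call `check_mitigations` on each node before and after patching; a non-zero return means the node should not be considered protected yet.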
Second, an Apache Ignite cluster becomes vulnerable to the attacks only if someone gets unauthorized access to the cluster machines (in either on-premise or cloud deployments) and executes a malicious shell script, or connects to the cluster directly and executes a Java, .NET or C++ computation there.
Do the following to prevent this from happening:
- Make sure the cluster machines are secured with a hard-to-guess or hard-to-calculate password.
- Consider using third-party security components provided by enterprise vendors (such as this one) to strengthen the security of your deployments.
Finally, the researchers who discovered Meltdown and Spectre have said that the first issue can be fixed with software patches, while the second can be fully addressed only with hardware upgrades or replacement. Luckily, it's much more difficult for hackers to exploit Spectre. Thus, if the two recommendations given above are taken seriously, the chances that you will be impacted by Spectre are low.
What is the performance impact of security patches?
Many security patches are rolled out with a warning that some applications can see up to a 30% performance degradation. The Apache Ignite community is planning to measure the impact on general usage scenarios and will follow up with the results in a subsequent post.
This general performance testing might not cover your use case. Therefore, it's highly recommended that you assess and test a possible performance drop of your Apache Ignite deployments before applying the patches in production. If the drop is significant, then contact us on the dev list.