This week, some details about security flaws in several microprocessors were publicly shared; a full disclosure is expected to follow. The flaws take several forms, and have been named Meltdown and Spectre.
You can find more information about the scope of both Meltdown and Spectre at https://meltdownattack.com.
A process (application) running on a server can use these flaws to access the protected memory used by other processes. The bugs can be exploited between processes and across containers, and even in some cloud and virtual environments.
As with all other processes, memory used by NGINX and NGINX Plus is vulnerable to snooping from another process running on the same host. For servers you control, NGINX, Inc. strongly recommends that you apply the appropriate OS patches to protect against this. For cloud and other platform providers that you use, we strongly recommend that you verify that your provider has applied these patches.
As far as we are aware, NGINX and NGINX Plus themselves do not provide an attack vector that a remote user can use to exploit these vulnerabilities. Even if such an attack vector were discovered, it may not be possible to prevent it, so applying the recommended OS patches is a priority.
The appropriate advisories are listed at https://meltdownattack.com/#faq-advisory.
We also advise rotating sensitive data – such as authentication credentials and private keys – stored on vulnerable hardware, because both local attacks and remote attacks are generally impossible to detect. This is a higher priority for cloud-hosted servers, where it may be easier to mount such attacks.
Once the patches are applied, processes that perform large numbers of system calls are reported to incur a performance penalty. NGINX and NGINX Plus, for example, may therefore require additional CPU resources; monitor the effect of the patches and be prepared to scale up or scale out if necessary.
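To confirm that the OS patches recommended above are actually active on a Linux host, the kernel reports its own mitigation status under /sys/devices/system/cpu/vulnerabilities/ (present in Linux 4.15 and in the distribution kernels that backported the fixes). The script below is an added example and is not part of the original NGINX notice; it assumes that sysfs interface and the three file names meltdown, spectre_v1 and spectre_v2, which correspond to CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715 from the references. The VULN_DIR override and the check_mitigations function name are this example's own.

```sh
#!/bin/sh
# Added example, not from the NGINX notice: report whether a Linux kernel has
# Meltdown/Spectre mitigations active. Relies on the sysfs interface
# /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15+ and distro backports),
# where each file holds one line: "Not affected", "Vulnerable[: detail]" or
# "Mitigation: <name>".

# The directory can be overridden, e.g. to inspect a mounted image or for tests.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_mitigations DIR
#   Prints one status line per issue and returns 0 only when every file reports
#   "Not affected" or "Mitigation:". Returns 1 if any file reads "Vulnerable" or
#   is missing (a missing file means the kernel predates the interface, which
#   for the purpose of this advisory means unpatched).
check_mitigations() {
    dir="$1"
    status=0
    # File names mapped to the CVEs listed in the references:
    #   meltdown -> CVE-2017-5754, spectre_v1 -> CVE-2017-5753, spectre_v2 -> CVE-2017-5715
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            printf '%-11s UNKNOWN  %s not present; kernel does not report mitigation status\n' "$name" "$file"
            status=1
            continue
        fi
        value=$(cat "$file")
        case "$value" in
            "Not affected"*|"Mitigation:"*)
                printf '%-11s OK       %s\n' "$name" "$value" ;;
            *)
                printf '%-11s MISSING  %s\n' "$name" "$value"
                status=1 ;;
        esac
    done
    return "$status"
}

# When run as a script, report on the live host. The exit status can gate an
# automation step, e.g.:  sh check_mitigations.sh && deploy_nginx
check_mitigations "$VULN_DIR"
```

Run it as `sh check_mitigations.sh` on each server (or ship it through your configuration management and alert on a non-zero exit). Note that it reports only the guest kernel's mitigations; whether a cloud provider has patched the hypervisor beneath your instance is not visible from inside the guest, which is why the notice asks you to confirm that with the provider.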
We are closely following details of these vulnerabilities and will update this notice as more details emerge.
- Meltdown and Spectre attacks – https://meltdownattack.com
- Advisories – https://meltdownattack.com/#faq-advisory
- CVE-2017-5754 – https://nvd.nist.gov/vuln/detail/CVE-2017-5754
- CVE-2017-5753 – https://nvd.nist.gov/vuln/detail/CVE-2017-5753
- CVE-2017-5715 – https://nvd.nist.gov/vuln/detail/CVE-2017-5715
- Reading privileged memory with a side channel – https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
- Details on performance impacts – https://access.redhat.com/articles/3307751
- Controlling performance impacts – https://access.redhat.com/articles/3311301