[STRM/JSA] mitigation for CVE-2017-5754 Variant 3/Meltdown can cause performance issues

Article ID: KB34127   KB Last Updated: 05 Apr 2019   Version: 2.0
Summary:
When administrators patch JSA to version 7.3.1 Patch 4 or later, the installer displays the following prompt:

"This update contains a mitigation for CVE-2017-5754 Variant 3/Meltdown provided by Red Hat that can impact search performance. Administrators must read the release notes before they install this update.

Choices:
1) Enable: Turn ON the mitigation for Variant 3/Meltdown on all appliances.
2) Disable: Turn OFF the mitigation for Variant 3/Meltdown on all appliances. IF YOU CHOOSE NOT TO ENABLE THIS UPDATE TO ADDRESS CVE-2017-5754, YOU WILL NOT HAVE ANY PROTECTION AGAINST VARIANT 3/MELTDOWN.
3) Terminate patch."

Symptoms:

Performance assessment summary
Administrators can expect performance degradation after they enable the mitigation for the vulnerability.

  • A 3% to 6% increase in CPU utilization has been observed across all workloads on appliances after the mitigation is applied.
  • Search performance for the most common search types has been observed to degrade by 0% to 10%, with the following exceptions:
    • Searches that use indexed criteria and match a moderate number of results (less than 10% of the total searched data set) are expected to degrade by 3% to 20%.
    • Open-ended searches that have no limit applied to the query and return a very large number of results (30% of the total searched data set or more) are expected to degrade by up to 2x.
  • The impact on data processing is estimated to be in the 0% to 20% range.
  • High availability on a 1 GB network is not affected. The initial high availability setup speed and the catch-up replication speed after failover will be lower on a 10 GB network; however, the replication rate is still in the multiple hundreds of MB/s, which is sufficient for real-time replication.
For more information about how to create a baseline to measure the performance impact specific to your deployment, see KB34131.
Cause:
CVE ID: CVE-2017-5754 (Variant 3/Meltdown)

MITIGATION: An installation prompt is provided to enable or disable this mitigation on appliances. A utility is also provided to allow administrators to enable or disable the mitigation for CVE-2017-5754 (Variant 3/Meltdown) post-installation; see the installation wrap-up for further details. Juniper cannot be held responsible for risks incurred by administrators who do not enable the mitigation for CVE-2017-5754 (Variant 3/Meltdown).
IF YOU CHOOSE NOT TO ENABLE THIS UPDATE TO ADDRESS CVE-2017-5754, YOU WILL NOT HAVE ANY PROTECTION AGAINST VARIANT 3/MELTDOWN.

DESCRIPTION: Intel Haswell Xeon, AMD PRO and ARM Cortex-A57 CPUs could allow a local, authenticated attacker to obtain sensitive information through a rogue data cache load in the CPU's speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to cause the CPU to read kernel memory from user space before the permission check for accessing an address is performed.

IMPACT: Search performance degradation has been observed on appliances when the mitigation for Variant 3/Meltdown is enabled.
Solution:

Because search performance may change when the mitigation for CVE-2017-5754 (Variant 3/Meltdown) is enabled, the JSA 7.3.1 Patch 4 installation includes a utility that allows administrators to enable or disable the mitigation after the initial installation or patch completes. Administrators must be aware of the security implications if they choose to use this utility to disable the mitigation for CVE-2017-5754 (Variant 3/Meltdown). Juniper cannot be held responsible for risks incurred by administrators who choose to disable the mitigation for CVE-2017-5754.

  • To enable the mitigation on all hosts from the JSA Console, type: /opt/qradar/bin/configure-spectre-meltdown-fixes.sh enable-all
  • To enable the mitigation on an individual appliance, SSH to that appliance and type: /opt/qradar/bin/configure-spectre-meltdown-fixes.sh enable
  • To disable the mitigation on all hosts from the JSA Console, type: /opt/qradar/bin/configure-spectre-meltdown-fixes.sh disable-all
  • To disable the mitigation on an individual appliance, SSH to that appliance and type: /opt/qradar/bin/configure-spectre-meltdown-fixes.sh disable
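After running the utility, an administrator will want to confirm the resulting kernel state on each appliance rather than trust the exit status alone. The script below is an added example, not the Juniper utility or any part of JSA; it assumes a RHEL 7 based appliance whose kernel exposes the sysfs summary file /sys/devices/system/cpu/vulnerabilities/meltdown and/or Red Hat's runtime toggle /sys/kernel/debug/x86/pti_enabled (0 or 1), and that the Console can reach managed hosts over key-based SSH.

```shell
#!/bin/sh
# Added example (not Juniper's utility): report whether the Meltdown (KPTI)
# mitigation is active on a JSA appliance after configure-spectre-meltdown-fixes.sh.
# Assumptions: sysfs file .../vulnerabilities/meltdown and/or Red Hat's
# debugfs knob /sys/kernel/debug/x86/pti_enabled are present; SSH keys are set up.

# Map the text of the sysfs "meltdown" file to one short status word.
meltdown_state() {
  case "$1" in
    "Not affected")  echo "not-affected" ;;
    Mitigation:*)    echo "mitigated" ;;
    Vulnerable*)     echo "vulnerable" ;;
    *)               echo "unknown" ;;   # missing file, empty output, new wording
  esac
}

# Map Red Hat's pti_enabled value (0/1) to the same status words.
pti_state() {
  case "$1" in
    1) echo "mitigated" ;;
    0) echo "vulnerable" ;;
    *) echo "unknown" ;;
  esac
}

# Check the local host, preferring the sysfs summary over the debugfs knob.
check_local() {
  sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
  dbg=/sys/kernel/debug/x86/pti_enabled
  if [ -r "$sysfs" ]; then
    meltdown_state "$(cat "$sysfs")"
  elif [ -r "$dbg" ]; then
    pti_state "$(cat "$dbg")"
  else
    echo "unknown"
  fi
}

# With no arguments: check this appliance. With hostnames: query each managed
# host from the Console over SSH (BatchMode so a missing key fails, not hangs).
main() {
  if [ $# -eq 0 ]; then
    printf '%s %s\n' "$(uname -n)" "$(check_local)"
  fi
  for h in "$@"; do
    raw=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$h" \
      "cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null")
    printf '%s %s\n' "$h" "$(meltdown_state "$raw")"
  done
}
main "$@"
```

A host that reports "vulnerable" after enable-all, or "mitigated" after disable-all, indicates the utility did not take effect on that appliance and should be investigated before the change is considered complete.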