Now that RSA have released the Red Hat kernel patches for side-channel analysis attacks (also known as Meltdown and Spectre), I would like to know the performance impact that these kernel changes could potentially have.
This is regarding Netwitness for Logs & packets (Security Analytics 10.6.x) on physical appliances.
There are plenty indications and evidence that some patches for these vulnerabilities can cause CPU performance degradation and/or unexpected reboots. So my main question is whether this has been tested against and what would be the remediation should we discover that the hardware appliances are not fit for purpose anymore, after installing the kernel patch?
For example, both Series 4S and 5 physical Log Decoder can handle 30K EPS sustained and much higher peaks with minimal parsers&feeds enabled. What are the figures post-patching?
Since RSA NetWitness Suite (Logs / Packets) is a singe, root-user-only appliance, the reported vulnerabilities do not introduce any additional security risk to our solution or the customer's environment because a root level user already has full access to all information on the system. Full impact statements for all RSA's products can be found at: https://community.rsa.com/docs/DOC-85418
Regardless, we did include the kernel patches for these vulnerabilities in the 10.6.5.1 patch update and these updates will be available shortly in 188.8.131.52. Our testing has not shown any negative impact to the performance of the solution.
The kernel patches do not fully address Spectre (Variant 2), CVE-2017-5715 as this also requires a firmware update. As you state, the 1st round of firmware updates were reported to cause performance and stability issues and these were recalled by Dell as a result. Once updated firmware is available, we will be testing to understand what (if any) impact these cause to the performance of the RSA NetWitness Suite and providing additional guidance to customers.
I would prefer to avoid having a political debate regarding the NW hardware appliances being affected when there are 30+ non-root users and no restriction of any kind from RSA to have additional non-root users for administration of the system.
Security professionals, pen-testers and auditors can make their own judgement based on the available evidence, from RSA and through open-intel channels.
Thanks for the confirmation regarding the performance impact, I will continue testing this on both virtual and physical and report back should I find anything different from what you have claimed.