Thursday, January 11, 2018
MongoDB has been made aware of multiple hardware vulnerabilities, the speculative execution side-channel attacks known as Spectre (CVE-2017-5753, bounds check bypass, and CVE-2017-5715, branch target injection) and Meltdown (CVE-2017-5754, rogue data cache load), which are being mitigated with operating system (OS) patches together with the CPU microcode, firmware and hypervisor updates from the vendors listed below. On an unpatched system these side channels let an unprivileged process read memory it has no permission to access, including kernel memory and, on a shared host, memory belonging to other processes or virtual machines.
Cloud infrastructure service providers have deployed global updates to address these vulnerabilities in recent months. MongoDB's vendors report that they have already completed patching. We are not aware of any critical security impact on MongoDB software, including Atlas. Because these are host-level issues, the mitigation for a MongoDB deployment is to patch the kernel, microcode and hypervisor of every host that runs mongod, rather than to update MongoDB itself. Security is a top priority at MongoDB, and engineering continues to assess the situation, including ongoing evaluation of the performance impact of the patches.
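As an added check (example code written for this page, not MongoDB's own tooling): on a Linux host running mongod, the kernel reports its own mitigation status for each of the three CVEs above under /sys/devices/system/cpu/vulnerabilities/ (present on 4.15+ kernels and on distribution backports). The script below reads those files, maps them to the CVE identifiers, and classifies each as mitigated, not affected, vulnerable or unknown. The sample status strings at the bottom are constructed, using the wording the kernel prints, so the classification can be exercised offline.

```python
"""Report the Linux kernel's Spectre/Meltdown mitigation status for a host.

Added example, not MongoDB code. Assumes a Linux kernel that exposes
/sys/devices/system/cpu/vulnerabilities/ (4.15+ or a distribution backport).
"""
import os
from typing import Dict

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs file name -> CVE named in the advisory
CVE_BY_FILE = {
    "spectre_v1": "CVE-2017-5753",  # bounds check bypass
    "spectre_v2": "CVE-2017-5715",  # branch target injection
    "meltdown": "CVE-2017-5754",    # rogue data cache load
}


def classify(status: str) -> str:
    """Map one raw sysfs status line to a state.

    The kernel writes 'Not affected', 'Mitigation: <name>' or
    'Vulnerable[: <detail>]'; anything else (including the placeholder
    read_status() uses for a missing file) is reported as 'unknown'.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(sysfs_dir: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the raw status line for each issue from sysfs."""
    raw: Dict[str, str] = {}
    for name in CVE_BY_FILE:
        try:
            with open(os.path.join(sysfs_dir, name)) as fh:
                raw[name] = fh.read().strip()
        except OSError:
            # Older kernels (or non-Linux hosts) do not expose the file.
            raw[name] = "Unknown: not reported by this kernel"
    return raw


def assess(raw: Dict[str, str]) -> Dict[str, str]:
    """Return {CVE id: state}; an issue missing from `raw` is 'unknown'."""
    return {cve: classify(raw.get(name, "")) for name, cve in CVE_BY_FILE.items()}


def host_is_mitigated(raw: Dict[str, str]) -> bool:
    """True only if every issue is mitigated or the CPU is not affected."""
    return all(state in ("mitigated", "not_affected") for state in assess(raw).values())


# Constructed samples (not captured from a real host) using the kernel's status wording.
SAMPLE_PATCHED = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
    "meltdown": "Mitigation: PTI",
}
SAMPLE_UNPATCHED = {
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "meltdown": "Vulnerable",
}

if __name__ == "__main__":
    live = read_status()
    for cve, state in assess(live).items():
        print(f"{cve}: {state}")
    print("host mitigated:", host_is_mitigated(live))
```

Run it on each mongod host after patching. A state of "unknown" means the kernel does not expose the reporting interface, so its status has to be confirmed from the distribution advisory instead. Note the limits of the check: it reports the guest kernel's view only, so on a cloud or virtualised host it says nothing about whether the hypervisor has been patched, and the Spectre variant 2 mitigations that depend on microcode (IBRS/IBPB) also require the CPU vendor firmware updates linked below.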
MongoDB has measured a post-patch mongod performance degradation in the range of 10-15%, based on the results of the well-known YCSB benchmark. We will continue to measure this range against new performance baselines, since some OS patches are still evolving and subsequent versions may alter system performance profiles.
Customers have asked MongoDB to assess the performance impact for specific application workloads. While we plan additional measurements and will report relevant findings, an accurate assessment for a particular deployment can only be made in the field with a customer-developed application benchmark. Such a test would exercise the combination of features, access patterns and data specific to that customer's system, which a standardized benchmark does not simulate. The YCSB results indicate the magnitude of change for one kind of workload; many different workload patterns are in use in the field, and no single test can be guaranteed to model all of them well.
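As an added example of the measurement described above (example code written for this page, not MongoDB's benchmark harness): at the end of a run YCSB prints one line per metric in the form `[SECTION], Metric, value`. The script below parses several pre-patch and post-patch run transcripts, takes the median of each metric across runs to damp noise, and reports the percentage change in overall throughput and in the tail latency of each operation type, which is what a customer-developed benchmark would need to compare before and after patching. The transcripts are constructed samples in YCSB's output layout, with the throughput drop chosen to fall inside the 10-15% range quoted above.

```python
"""Compare pre-patch and post-patch YCSB runs against mongod.

Added example, not MongoDB's benchmark harness. Parses the
'[SECTION], Metric, value' lines YCSB prints at the end of a run and
reports the median percentage change across repeated runs.
"""
import re
from statistics import median
from typing import Dict, List, Tuple

# One YCSB result line, e.g. "[OVERALL], Throughput(ops/sec), 9891.2"
LINE_RE = re.compile(
    r"^\[(?P<section>[A-Z_-]+)\],\s*(?P<metric>[^,]+?),\s*(?P<value>-?\d+(?:\.\d+)?)\s*$"
)

Metric = Tuple[str, str]  # (section, metric name)


def parse_ycsb(text: str) -> Dict[Metric, float]:
    """Parse a run transcript into {(section, metric): value}; other lines are ignored."""
    results: Dict[Metric, float] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[(m["section"], m["metric"].strip())] = float(m["value"])
    return results


def pct_change(before: float, after: float) -> float:
    """Signed percentage change: negative throughput or positive latency means slower."""
    return (after - before) / before * 100.0


def tracked(metric: Metric) -> bool:
    """Compare overall throughput and every percentile latency; skip counts and averages."""
    _, name = metric
    return name == "Throughput(ops/sec)" or name.endswith("PercentileLatency(us)")


def degradation_report(baseline_runs: List[str], patched_runs: List[str]) -> Dict[str, float]:
    """Median-of-runs percentage change for each tracked metric present in all runs."""
    base = [parse_ycsb(t) for t in baseline_runs]
    patched = [parse_ycsb(t) for t in patched_runs]
    common = set.intersection(*(set(r) for r in base + patched))
    report: Dict[str, float] = {}
    for key in sorted(common):
        if not tracked(key):
            continue
        b = median(r[key] for r in base)
        p = median(r[key] for r in patched)
        report[f"{key[0]} {key[1]}"] = pct_change(b, p)
    return report


def within_budget(report: Dict[str, float], max_throughput_loss_pct: float = 15.0) -> bool:
    """True if overall throughput fell by no more than the given percentage."""
    return -report["OVERALL Throughput(ops/sec)"] <= max_throughput_loss_pct


def _ycsb_output(throughput: float, read_p99: float, update_p99: float) -> str:
    """Build a constructed run transcript (not real data) in YCSB's output layout."""
    return "\n".join([
        "[OVERALL], RunTime(ms), 100000",
        f"[OVERALL], Throughput(ops/sec), {throughput}",
        "[READ], Operations, 500000",
        "[READ], AverageLatency(us), 310.5",
        f"[READ], 99thPercentileLatency(us), {read_p99}",
        "[READ], Return=OK, 500000",
        "[UPDATE], Operations, 500000",
        "[UPDATE], AverageLatency(us), 420.8",
        f"[UPDATE], 99thPercentileLatency(us), {update_p99}",
        "[UPDATE], Return=OK, 500000",
    ])


# Three constructed runs each side; medians are 10000 -> 8800 ops/sec (-12%).
BASELINE_RUNS = [_ycsb_output(10000, 900, 1200), _ycsb_output(10100, 880, 1190),
                 _ycsb_output(9900, 920, 1210)]
PATCHED_RUNS = [_ycsb_output(8800, 1050, 1400), _ycsb_output(8900, 1030, 1380),
                _ycsb_output(8700, 1060, 1420)]

if __name__ == "__main__":
    report = degradation_report(BASELINE_RUNS, PATCHED_RUNS)
    for name, change in report.items():
        print(f"{name}: {change:+.1f}%")
    print("within 15% throughput budget:", within_budget(report, 15.0))
```

Feed it the saved stdout of real `bin/ycsb run mongodb ...` invocations, several per side, taken on the same hardware with the same workload file; single runs are too noisy to attribute a 10% shift to the patches. The within_budget check only looks at throughput, so read the latency percentiles as well, since tail latency can worsen by more than throughput drops.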
Please reference the following resources for more information:
- Security patch updates
  - Intel: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088
  - AMD: http://www.amd.com/en/corporate/speculative-execution
  - ARM: https://developer.arm.com/support/security-update
  - Apple: https://support.apple.com/en-us/HT208394
  - Google: https://support.google.com/faqs/answer/7622138
  - CoreOS: https://coreos.com/blog/container-linux-meltdown-patch
  - Amazon Linux (ALAS): https://alas.aws.amazon.com/ALAS-2018-939.html
  - Microsoft OS: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
  - Microsoft Azure: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/mitigate-se
  - VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html
  - Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution
  - Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
  - SUSE: https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/
- Performance benchmarks
  - YCSB: https://github.com/brianfrankcooper/YCSB/wiki/Getting-Started
  - NoSQL performance benchmarks: https://www.mongodb.com/scale/nosql-performance-benchmarks
  - High Performance Benchmarking: MongoDB and NoSQL Systems: https://www.mongodb.com/blog/post/high-performance-benchmarking-mongodb-and-nosql-systems
  - Analyzing MongoDB 3.6 performance: https://docs.mongodb.com/manual/administration/analyzing-mongodb-performance/