The Spectre (Variant 1 & 2) and Meltdown (Variant 3) threats that target speculative execution on all CPUs will affect IBM Power7, Power7+, Power8 and Power9 systems. IBM has stated that it will have firmware patches for Power Systems available but does not state whether its patches will cover all three variants of the vulnerabilities. IBM has not issued fixes for Power6, Power6+, and Power7 systems.
What is not known at this time is what kind of performance impact the fixes for Spectre and Meltdown will have. It will probably depend on the nature of the CPU architecture, the way memory is isolated and checked to keep users out of kernel space, and the way the applications make use of speculative execution.
It is possible that systems that are CPU or memory bound are going to thrash after the fixes are applied. Our advice is to benchmark the throughput of your system for some period of time before applying the patches, apply the patches and then run the tests again so that you fully understand and can document the impact.
As of January 13th, IBM has released operating system patches for IBM i 7.1, 7.2 and 7.3 to complement the firmware patches for POWER7+ and POWER8 processors already released. Both the IBM i and firmware patches must be applied in order to mitigate the Spectre and Meltdown vulnerabilities. These PTFs (MF64553 for 7.1, MF64552 for 7.2 and MF64551 for 7.3) were added to the latest Group Security and HIPER Group PTF packages as of January 26th.
In addition, IBM released further operating system patches for IBM i 7.1, 7.2 and 7.3 on January 26th: MF64571, MF64565 and MF64568 respectively.
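To confirm that the PTFs named above are actually on a given partition, rather than assuming they arrived with a group package, the IBM i PTF_INFO SQL service can be queried directly. This is an added example, not from the original post; it assumes an IBM i release where QSYS2.PTF_INFO is available (7.2 and later, or 7.1 with the Technology Refresh that added it) and that the caller has authority to read PTF information.

```sql
-- Added example (not part of the original post).
-- Lists the Spectre/Meltdown PTFs named above with their current status.
-- Only the PTF for the running release will normally be present; the others
-- will simply not appear, so a missing row for your release means the PTF
-- has not been loaded at all.
SELECT PTF_PRODUCT_ID,
       PTF_IDENTIFIER,
       PTF_LOADED_STATUS,      -- e.g. PERMANENTLY APPLIED, TEMPORARILY APPLIED, NOT APPLIED
       PTF_IPL_ACTION          -- whether an IPL is still needed for the fix to take effect
  FROM QSYS2.PTF_INFO
 WHERE PTF_IDENTIFIER IN ('MF64553', 'MF64552', 'MF64551',   -- January 13th PTFs
                          'MF64571', 'MF64565', 'MF64568')   -- January 26th PTFs
 ORDER BY PTF_IDENTIFIER;

-- Firmware is the other half of the mitigation, so also check that the
-- HIPER and Security PTF groups that carry these fixes are installed and
-- current. Matching on the description avoids hardcoding the per-release
-- group numbers.
SELECT PTF_GROUP_NAME,
       PTF_GROUP_DESCRIPTION,
       PTF_GROUP_LEVEL,
       PTF_GROUP_STATUS        -- INSTALLED is the state you want to see
  FROM QSYS2.GROUP_PTF_INFO
 WHERE UPPER(PTF_GROUP_DESCRIPTION) LIKE '%HIPER%'
    OR UPPER(PTF_GROUP_DESCRIPTION) LIKE '%SECURITY%'
 ORDER BY PTF_GROUP_NAME;
```

A PTF that shows as LOADED or TEMPORARILY APPLIED with a pending IPL action is not yet protecting the system, and a group status other than INSTALLED means the package the post describes has not been fully applied. Run both queries before and after the PTF install so the change is documented alongside the performance benchmarks recommended above.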
Our opinion at iTech is that most customers will eventually receive these patches by way of updating their HIPER and/or Security PTFs. It’s inevitable. After patching, IBM i customers with excess capacity should not see much in the way of any performance degradation. It’s unlikely to be noticeable at all. However, overloaded systems that are already taxed for performance may experience adverse effects from applying these fixes. If you’re unsure how taxed your system is then please contact us for a performance assessment before applying any of these PTFs.
Please keep watching the PSIRT blog for further developments.
The good news is that you have to be an authorized user in order to exploit these vulnerabilities. Security from the IBM i level to your firewall is more important than ever. While there has been no documented case of someone breaching IBM i security without a user ID and password, there are many ways to gain access to an IBM i partition if adequate security measures are not followed. Hardening IBM i isn’t just moving from QSECURITY level 30 to 40. A properly hardened system should include, but is certainly not limited to, the following basic measures:
Password level security – Ensure your system can use up to 128 characters for a password. The default 10 character limit of QPWDLVL 0 is not good enough.
NetServer – Ensure that no guest account exists for IBM NetServer. A guest account allows anyone access to your IBM i partition file shares without a user ID and password. This, combined with sharing the root (/) of your IFS, can be extremely dangerous. Furthermore, if you’re on 7.1 or an older version of IBM i then you are using the SMB1 protocol for file sharing. SMB1 has been deemed insecure for many years now.
Encryption – If you communicate to and from your IBM i in plain text then the length of your password does not matter. There is no excuse not to encrypt your IBM i communication for any service accessed over the network which passes user IDs, passwords or other confidential information.
PTF and operating system currency – Technology that has not been patched or updated runs the risk of being compromised. This is especially true if you use open technology such as Java, OpenSSL and Apache. Java 6 and Apache 2.2 went out of support two weeks ago…have you removed Java 6 yet? Have you upgraded to 7.2 to move to Apache 2.4?
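The password-level and security-level points in the list above can be checked from SQL rather than by reading system values one at a time. This is an added example, not from the original post; it assumes QSYS2.SYSTEM_VALUE_INFO is available (IBM i 7.2 and later, or 7.1 with the relevant Technology Refresh). The thresholds follow the text: QSECURITY 40 or higher, and QPWDLVL 2 or higher, which is the setting that raises the password limit from 10 characters to 128.

```sql
-- Added example (not part of the original post).
-- Flags the two system values discussed above that fall below the
-- recommended hardening baseline. QPWDLVL 0 and 1 cap passwords at
-- 10 characters; 2 and 3 allow passphrases up to 128 characters.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE,
       CASE SYSTEM_VALUE_NAME
            WHEN 'QSECURITY' THEN
                 CASE WHEN CURRENT_NUMERIC_VALUE >= 40 THEN 'OK'
                      ELSE 'REVIEW: below level 40' END
            WHEN 'QPWDLVL' THEN
                 CASE WHEN CURRENT_NUMERIC_VALUE >= 2 THEN 'OK'
                      ELSE 'REVIEW: 10-character password limit in effect' END
       END AS ASSESSMENT
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QSECURITY', 'QPWDLVL')
 ORDER BY SYSTEM_VALUE_NAME;
```

Raising QPWDLVL changes how password hashes are stored and can break older clients that only support the short password formats, so treat a REVIEW result as the start of a planned change rather than a value to flip on the spot. The NetServer guest account and share settings are not exposed by this service, so they still need to be reviewed separately.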
The Spectre and Meltdown vulnerabilities are perhaps the biggest security problems in the history of modern computing, but if you’re not covering the basics you may have bigger and more pressing security problems to worry about.