Last week I wrote about the Meltdown and Spectre vulnerabilities. Today I want to show you how to check if your database server is protected against Meltdown and Spectre.
Since last week I’ve seen a lot of scare tactics and knee-jerk reactions to Meltdown and Spectre. My post last week was meant to help keep everybody calm. I want you to understand that there *could* be a performance hit, but you won’t know unless you test. If you are afraid to test then you have more issues than just a chipset flaw. I also wanted you to understand the level of risk for your server to be compromised. Chances are it’s a small risk, so you might be able to avoid patching right away.
But you should patch anyway. There are few reasons why you would not want, or be able, to patch. And in those cases you will want to take extra measures to ensure your server will not be compromised.
As it turns out the word “patching” is overloaded with meaning. This is leading to confusion with users thinking they are protected, but they have not installed the correct patches.
To be fully protected from Meltdown and Spectre you need to install a patch from the manufacturer of your PC or server in addition to the software patches for your OS. You need both; just having one won’t be enough. And you are only going to get the microcode update from the manufacturer website at this time. You will need to install this update manually, outside of Windows Update. Microsoft has made it very clear that you need distinct updates.
How to Check if Your Database Server Is Protected Against Meltdown and Spectre
Microsoft has made available a PowerShell script to use to check if your system is protected. That KB article also tells you that you need two distinct updates. I can’t stress that point enough here: you need two updates.
Let’s get started with the PowerShell script. We will right-click on the Windows menu (I’m on my Surface here) and launch PowerShell as an Administrator:
Next, we need to install the module. We can do that with the following command:
Install-Module SpeculationControl
I had to click ‘Y’ to trust the repository; you will likely need to do the same. Next, we need to make sure our execution policy is configured. So, let’s run the following command:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Now, we should be able to import the module, then run the command:
Import-Module SpeculationControl
Get-SpeculationControlSettings
And this was my result:
As you can see, I have the Windows update, but not the hardware update. Looks like I have some work to do to be protected.
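The check above can also be read by a script rather than by eye, which helps when you have more than one database server. This is an added example, not code from the original post or from Microsoft; Test-SpeculationPatchState is a hypothetical helper name, and the sample object is constructed to match the result described above (Windows update present, hardware update missing).

```powershell
# Added example: interprets the object returned by Get-SpeculationControlSettings.
# Test-SpeculationPatchState is a hypothetical helper, not part of the module.
function Test-SpeculationPatchState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Settings
    )
    process {
        $missing = @()
        # Spectre variant 2 (branch target injection) needs microcode AND OS support.
        if (-not $Settings.BTIHardwarePresent) {
            $missing += 'Hardware: microcode/firmware update from the manufacturer'
        }
        if (-not $Settings.BTIWindowsSupportPresent) {
            $missing += 'OS: Windows update with branch target injection mitigation'
        }
        # Meltdown (kernel VA shadow) is an OS mitigation, needed only on affected CPUs.
        if ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportPresent) {
            $missing += 'OS: Windows update with kernel VA shadow mitigation'
        }
        # A patch can be installed yet not enabled (policy, or no microcode to use).
        $btiOn = [bool]$Settings.BTIWindowsSupportEnabled
        $kvaOn = (-not $Settings.KVAShadowRequired) -or
                 [bool]$Settings.KVAShadowWindowsSupportEnabled
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            MissingUpdates = $missing
            MitigationsOn  = $btiOn -and $kvaOn
            Protected      = ($missing.Count -eq 0) -and $btiOn -and $kvaOn
        }
    }
}

# Constructed sample: OS patch installed, hardware (microcode) update missing.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
}
$sample | Test-SpeculationPatchState | Format-List

# On a real server, after Import-Module SpeculationControl:
# Get-SpeculationControlSettings | Test-SpeculationPatchState | Format-List
```

The property names are the ones the SpeculationControl module printed at the time of the January 2018 release; later module versions add more fields, which this helper ignores.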
How to Get the Patches
Here’s the current list of places you need to check for patching against Meltdown and Spectre.
For Windows:
Here is the Windows KB article: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
The Windows Update patches can be found at Settings > Update & security > Windows Update. Click “Check for updates” to install any available updates.
For Red Hat Linux:
Red Hat has a page dedicated to the issue, complete with a long list of patches available. If you are running something other than RHEL, you should be able to find a patch from wherever you got your distribution from.
For SQL Server:
Here is the SQL Server KB article: https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server
That KB article lists all the available patches for the affected and supported versions of SQL Server. I’d rather you reference that KB article than a long list of patches here.
For CPUs:
The hardware updates should be located on the website of the manufacturer. For example, here is the page for Dell, and for HP. You can find a comprehensive list of manufacturers at https://meltdownattack.com/
Lastly, you will want to patch your browsers, too. If there is one thing we can all learn from Meltdown and Spectre it is this: keep your software up to date.
Good one, Tom. But McAfee and Microsoft withdrew their first set of patches…so we are back to square one….
*sigh*
It’s gonna be OK.
Very interesting. I just had to run something extra 🙂 And my result is a little worse than yours… less green, more red 🙂 But it’s very useful! https://uploads.disquscdn.com/images/a46cfd5ce9ad2b4530a0abe51615b03b692db5f040a968c551b798b760b85906.png
Yes, I forgot about the NuGet error. So, you may have to click ‘Y’ twice before you can install the module. Once for NuGet and once to trust the repo.
Thanks for the reminder!
Happy to help!
Oracle have never designed it to be protected 100%. They want to make sure you still have something to do, DBAs. So apply your patches, gentlemen, and put on a big smile….
…and cross your fingers…
So we only need one update? JK! Thanks for clarifying.
Welcome!