What Spectre and Meltdown mean for OX Customers

Jan 12, 2018


The recent Spectre and Meltdown vulnerabilities have created a great deal of uncertainty and questions about whether and how they affect software such as that provided by Open-Xchange. The vulnerabilities are complex and subtle in terms of how they can be exploited, but in terms of how OX software and services (OXaaS) are affected, the following statements should help to understand the impact.

OX Software - Both Spectre and Meltdown rely on the ability to run “untrusted” (i.e. attacker-controlled) code on a host. OX Software, including AppSuite, Dovecot and PowerDNS, does not provide a mechanism for untrusted code to run on the servers which host that software. Thus attackers cannot access information stored in the memory of servers running OX software solely by using the Spectre or Meltdown vulnerabilities.

OXaaS - Spectre/Meltdown do provide a possible attack vector for Virtual Machines under the control of an attacker to access information about other Virtual Machines hosted on the same physical server. This particular scenario is applicable in a public cloud infrastructure; however, OXaaS runs in a completely private cloud infrastructure, where all Virtual Machines are under the control of Open-Xchange, and thus there is no ability for attackers to gain access to the memory of such servers solely by using Spectre or Meltdown.

It should be noted that the various workarounds/fixes for Spectre and Meltdown (particularly the Kernel Page Table Isolation (KPTI) patch) will almost certainly have some performance impact on software, including OX Software. The impact will vary over time. Early measurements for the PowerDNS Recursor server indicate a potential 10% performance impact, for example, which seems to be matched by other reports, but as the workarounds evolve, their performance impact may become smaller.

It is up to customers whether they actually install (or enable) workarounds for Spectre/Meltdown, including the KPTI patch. For example, customers using completely private compute environments, who are sure that there is no way to run untrusted code on those servers, may feel that the performance slowdown is not worth it; however every environment should be evaluated on its own merits. According to the following blog by Google, they have implemented the KPTI patch on all their production servers, with negligible impact on performance.
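Whichever way that evaluation comes out, an administrator needs to know what the kernel is actually doing. The following script is an added example (not from the original post) that reads the mitigation status Linux exposes under /sys/devices/system/cpu/vulnerabilities/ on kernels carrying the fixes, where each file reports "Not affected", "Vulnerable" or "Mitigation: <name>" ("Mitigation: PTI" means KPTI is active for Meltdown); the VULN_DIR override exists only so the functions can be exercised against a constructed directory.

```shell
#!/bin/sh
# Report Spectre/Meltdown mitigation status from the sysfs interface that
# Linux kernels with the fixes expose. VULN_DIR may be overridden to point
# the functions at a test directory (assumption for this example only).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<issue>: <status>" for every status file in the given directory.
mitigation_report() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Echo how many issues report a status beginning with "Vulnerable",
# i.e. the hardware is affected and no mitigation is active.
count_unmitigated() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Echo 1 if the meltdown entry reports KPTI as the active mitigation, else 0.
kpti_enabled() {
    dir="$1"
    if [ -f "$dir/meltdown" ] && grep -q '^Mitigation: PTI' "$dir/meltdown"; then
        echo 1
    else
        echo 0
    fi
}

if [ -d "$VULN_DIR" ]; then
    mitigation_report "$VULN_DIR"
    echo "unmitigated issues: $(count_unmitigated "$VULN_DIR")"
    echo "KPTI active for Meltdown: $(kpti_enabled "$VULN_DIR")"
else
    echo "$VULN_DIR not present: this kernel predates the status interface" >&2
fi
```

A count of zero with "Mitigation: PTI" shown for meltdown means the KPTI workaround discussed above is in effect; a "Vulnerable" line means the corresponding workaround is absent or disabled on that host.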

About the author

Neil Cook

PowerDNS Head of Product