Spectre, Meltdown and your database server
If you haven't heard the news about the recently disclosed low-level vulnerabilities called Meltdown and Spectre, perhaps you are on the wrong planet.
Both vulnerabilities have recently been the focus of all mainstream media. They are quite severe, as all the blog posts and articles imply. The vulnerability is pretty much baked into any CPU that has been on the market since the mid-nineties. Imagine that!
Meltdown can, to some degree, be patched with an operating system update, and this is what all major OS vendors are doing as we speak. Spectre is trickier to fix, but at the same time it is understood that it may also be harder to exploit.
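After the operating system update lands, the check a practitioner wants is whether the kernel actually reports the mitigations as active. The script below is an added example, not code from the original post or from any OS vendor. It assumes a Linux host whose kernel carries the patches and therefore exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities (the directory is a parameter so the same function can be run against a constructed sample offline); the status strings it writes into the sample are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): report the kernel's own view of
# Meltdown/Spectre mitigation status from sysfs. Patched Linux kernels expose
# /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2},
# each holding "Not affected", "Mitigation: ...", or "Vulnerable...".

# classify_status LINE -> prints mitigated | vulnerable | unaffected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulnerabilities [DIR] -> prints "issue status kernel-text" per file.
# Returns 0 if nothing is left vulnerable, 1 if something is, 2 if the sysfs
# directory is missing (kernel predates the patches, or this is not Linux).
report_vulnerabilities() {
    vuln_dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    vuln_rc=0
    [ -d "$vuln_dir" ] || { echo "no $vuln_dir: kernel reports nothing" >&2; return 2; }
    for vuln_file in "$vuln_dir"/*; do
        [ -f "$vuln_file" ] || continue
        vuln_name=$(basename "$vuln_file")
        vuln_line=$(cat "$vuln_file")
        vuln_status=$(classify_status "$vuln_line")
        printf '%-14s %-11s %s\n' "$vuln_name" "$vuln_status" "$vuln_line"
        if [ "$vuln_status" = vulnerable ]; then vuln_rc=1; fi
    done
    return $vuln_rc
}

# make_sample_dir -> creates a constructed sysfs-like directory for a host that
# has the Meltdown (PTI) fix but no Spectre v2 mitigation yet; prints its path.
make_sample_dir() {
    sample=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$sample/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$sample/spectre_v1"
    printf 'Vulnerable\n' > "$sample/spectre_v2"
    echo "$sample"
}

# Stand-alone demo against the constructed sample; call report_vulnerabilities
# with no argument to inspect the running host instead.
demo_dir=$(make_sample_dir)
report_vulnerabilities "$demo_dir" || echo "at least one issue is still unmitigated"
rm -rf "$demo_dir"
```

The non-zero return code makes the function usable from a configuration-management or monitoring job rather than only by eye. On Windows the counterpart is Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which reports the same kind of per-issue status.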
So, how is your database affected? It turns out that if you are lucky enough to run a bare-metal dedicated server, there is a good chance you are safe. A potential attacker would first need to execute some rogue code on your database server - but what is the likelihood of that?
If your database runs external custom code, such as Java, or .NET (CLR) assemblies on SQL Server, you may need to review that code. But again, the likelihood that anything running on your database server is out to collect all the passwords and other information held in kernel memory is pretty low.
You are more vulnerable if you run an instance of your database on a VM host that you do not control. If there is another VM on that host which, say, runs a website, there is a chance that someone might be able to read bits and pieces of data belonging to your DB server - that is definitely not a scenario you want to entertain.
Thomas LaRock wrote a good article covering the preparations Microsoft has made so far to address both vulnerabilities in the context of SQL Server. Even if you don't work with SQL Server, have a look - it is well worth reading!