
Meltdown, Spectre & Hana

While almost the entire IT and business world is discussing the worst-case security scenario (in German, a "GAU"), SAP and IBM remain surprisingly calm and silent toward the community. Only Hana platform supplier Suse is distributing a few tips for in-memory computing.
E-3 Magazine
January 29, 2018
This text has been automatically translated from German to English.

This is not the first time that a security advisory has revealed the vulnerability of PCs and servers. In the case of Meltdown and Spectre, however, many serious IT experts are speaking of a worst-case security scenario because, although the threat can and will be contained, the effects cannot yet be assessed.

The difference from previous security problems: Meltdown and Spectre are not about fixing an "annoying" programming error, but about a fundamental architectural decision in processor design.

Computation steps that the processor executes speculatively and ahead of time are not protected as securely and comprehensively as the "official" program code. So that no time is lost waiting for intermediate results, most modern multi-core processors compute possible results in advance, as a kind of extra-credit exercise.

What is not needed is discarded. What is needed is then already available. Unfortunately, this anticipatory work is carried out in the "no man's land" of the processor, where correct results are produced, but outside all security measures.

Future analyses will show how urgent and necessary the repair of Meltdown and Spectre is, given that this worst-case security flaw can be exploited by criminals. For a Hana user, on the other hand, a completely different question arises: Will the "repair" affect the performance of the Hana database?

From what is publicly known about Meltdown and Spectre and about the fixes that eliminate the vulnerability at either the BIOS or the operating system level, it is clear that processor performance is definitely reduced.

Screenshot: Search in the SAP knowledge base for "meltdown": the results from the past seven days (key date: January 22). There is not much to be found, and what little there is consists of references to other IT companies. SAP keeps a low profile and leaves existing customers in the dark.

The renowned IT journal "Magazin für Computer-Technik" (c't) has already been able to perform some tests, which were published in the issue of January 20 this year. The result in summary:

On a PC, you will hardly notice a significant performance drop in simple office functions, and it occurs only rarely in computer games, but clear and noticeable performance drops can be observed with very input/output-intensive operations, which occur primarily in the database environment.

Hana is an in-memory computing database that depends predominantly on the speed of the processor and the size and speed of the caches and main memory.

Theoretically, therefore, repair measures (patches) at processor level including BIOS (Basic Input/Output System) and operating system level (Linux from Suse and Red Hat) can significantly influence the overall performance of the Hana database.

If the Hana database runs in a virtualized system environment (hypervisor), the measures in a VMware system are of course also decisive.

Existing Hana customers should therefore be able to find answers on SAP's service marketplace, answers that SAP has worked out together with its partners Intel, IBM, Suse, Red Hat and VMware. Wrong: see the screenshot.

SAP's silence in the place where the existing customer first looks for advice and help is worrying: Does SAP not know or does SAP not want to say anything about it? How vulnerable are the Hana systems? Why are Intel and IBM, on whose processors Hana runs, silent?

According to current knowledge, Meltdown and Spectre will have an impact on all in-memory computing databases. This means that Hana (on-premise and cloud) is primarily affected by this security disaster.

The current situation is therefore very unpleasant and worrying for all existing customers, because SAP is trying to shift the responsibility to the certified Hana server manufacturers and operating system suppliers; see the text of SAP Note 2586312.

SAP Note: 2586312

Linux: How to protect against speculative execution vulnerabilities? (Version 3 from January 19, 2018)

In early January 2018, a design flaw in modern CPUs was disclosed. By exploiting this design flaw, user mode applications can gain access to any physical memory, even if the memory is mapped in kernel mode only and thus should not be accessible. The design flaw manifests in several bugs, referred to as Common Vulnerabilities and Exposures. These bugs cannot be fixed in the CPUs themselves, but require both microcode and OS kernel updates. Affected are recent and older CPUs from Intel (Xeon) and IBM (Power), among others.

SAP strongly recommends to follow the recommendations and apply the updates provided by the hardware vendors, virtualization vendors and OS distributors as appropriate. These updates may impact the system's performance. In virtualized systems, both host OS as well as guest OS should be patched and both can affect performance. The severity of the performance regression depends on the workload and on the CPU type. In virtualized systems, host OS as well as guest OS can be affected.

Contact the vendor of your server. Look for a BIOS update which includes microcode patches for the actual CPU bug(s). Several servers may require a complete disconnect from power after certain BIOS updates which ship new microcode. Refer to the installation guide for the BIOS update.

Contact the operating system distributor.
Install the required patches and reboot your host.
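
After the BIOS/microcode update, OS patches and reboot described in the note, the kernel's own mitigation report can be checked on each host and guest. The script below is an added example, not part of the SAP Note or of this article; it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities` and an x86-style `microcode` line in `/proc/cpuinfo`, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: read the kernel's own mitigation report after patch + reboot.
# Assumes a Linux kernel that exposes the sysfs directory below; kernels
# without the Meltdown/Spectre patches do not have it.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|Mitigation:*) echo OK ;;
        Vulnerable*)                  echo VULNERABLE ;;
        *)                            echo UNKNOWN ;;
    esac
}

# check_mitigations [DIR]
# Prints one line per vulnerability entry. Return code: number of entries
# that are not OK, or 255 if the directory is missing.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "NO-REPORT    $dir is missing; kernel does not report mitigations"
        return 255
    fi
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-12s %-24s %s\n' "$verdict" "$(basename "$f")" "$status"
        [ "$verdict" = OK ] || bad=$((bad + 1))
    done
    return "$bad"
}

# microcode_revision [CPUINFO] -> first "microcode" revision (x86 layout
# assumed; prints nothing where the file has no such line).
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    echo "microcode: $(microcode_revision)"
    check_mitigations
fi
```

Run it with `--check` before and after patching, in the guest as well as on the host of a virtualized system; a non-zero exit code means at least one entry is still reported as vulnerable or the kernel has no report at all.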
