Do I need to Patch SQL Server for Meltdown and Spectre?

The news has been full of information around critical patching for Meltdown and Spectre over the last couple of weeks.

Most of the information out there is related to the OS and processors. It is important to note however that SQL Server is also affected.

The short answer is yes: it is likely that you do need to patch SQL Server.


Why do Meltdown and Spectre affect SQL Server?

It has not yet been made abundantly clear exactly why SQL Server needs to be patched.

The fact that patches are being released for SQL Server strongly suggests that it is affected.

Microsoft advises that it is important to patch SQL Server if you are running any of the affected versions on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

So far there are patches available for the following versions of SQL Server:

  • SQL Server 2017
  • SQL Server 2016
  • SQL Server 2014
  • SQL Server 2008 & R2

Microsoft has advised of three main threats related to these vulnerabilities:

  • CVE-2017-5715 – Branch target injection (“Spectre”)
  • CVE-2017-5753 – Bounds check bypass (“Spectre”)
  • CVE-2017-5754 – Rogue data cache load (“Meltdown”)

The SQL patches protect against CVE-2017-5753.

To protect against CVE-2017-5754 it is recommended you enable Kernel Virtual Address Shadowing (KVAS) on Windows, or KPTI (Kernel Page-Table Isolation) on Linux.

To protect against CVE-2017-5715 you can enable Branch Target Injection mitigation hardware support (IBC) via a registry change, and you will also probably need a firmware (microcode) update from your hardware manufacturer.
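As an added example (not from the original post), the script below reads and optionally sets the registry values Microsoft documents in its Windows Server guidance (KB 4072698) for the KVAS and Branch Target Injection mitigations, and then reports the effective state through the SpeculationControl module if it is installed. Windows Server ships with both mitigations off until these values are set; a reboot is needed after changing them. Run it in an elevated PowerShell session on the SQL Server host.

```powershell
# Added example, not part of the original post. Registry values and meanings
# are from Microsoft's Windows Server guidance (KB 4072698):
#   FeatureSettingsOverride = 0, FeatureSettingsOverrideMask = 3  -> enable KVAS + BTI mitigations
#   FeatureSettingsOverride = 3, FeatureSettingsOverrideMask = 3  -> disable both
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpecExecMitigationRegistry {
    # Returns the two override values; $null means "not set" (the OS default applies,
    # which on Windows Server means the mitigations are disabled).
    $props = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $props.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $props.FeatureSettingsOverrideMask
    }
}

function Enable-SpecExecMitigationRegistry {
    # Sets the values that turn on both KVAS (CVE-2017-5754) and the
    # Branch Target Injection mitigation (CVE-2017-5715). Takes effect after reboot;
    # the BTI part still needs microcode/firmware support from the hardware vendor.
    New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverride'     -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $mmKey -Name 'FeatureSettingsOverrideMask' -Value 3 -PropertyType DWord -Force | Out-Null
    Write-Warning 'Registry updated. Reboot the host for the mitigations to take effect.'
}

# 1. Show the current state
$state = Get-SpecExecMitigationRegistry
"FeatureSettingsOverride     : $($state.FeatureSettingsOverride)"
"FeatureSettingsOverrideMask : $($state.FeatureSettingsOverrideMask)"

# 2. Uncomment to enable the mitigations, then reboot:
# Enable-SpecExecMitigationRegistry

# 3. If Microsoft's SpeculationControl module is present (Install-Module SpeculationControl),
#    it reports whether OS support, hardware/firmware support and each mitigation are active.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    'SpeculationControl module not installed; run Install-Module SpeculationControl to verify the effective state.'
}
```

The registry values only express intent; the module output is what tells you whether the mitigation is actually active, which is the check worth recording before and after the firmware update.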

Will Performance be Affected?

The chances are that yes, it will. Exactly how much is anyone's guess and will depend on the applications and environment.

It will be important to benchmark current performance prior to deploying the patches to be able to accurately gauge the impact.

The biggest effect on performance seems to be related to turning on KVAS/KPTI.
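As an added example (not from the original post), here is a simple baseline capture to run on the SQL Server host before patching and again after enabling KVAS/IBC, so the comparison is measured rather than guessed. The counter paths assume a default instance (a named instance uses `MSSQL$NAME:` in place of `SQLServer:`); the sample count, interval and output path are assumptions you can change.

```powershell
# Added example, not part of the original post. Captures a short performance
# baseline with Get-Counter and writes it to CSV, then prints a per-counter summary.
function Get-SqlPerfBaseline {
    param(
        [int]$Samples = 60,                      # assumed: 60 samples
        [int]$IntervalSeconds = 5,               # assumed: every 5 s (about 5 minutes total)
        [string]$OutCsv = ".\sql-baseline-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
    )

    # Counter paths for a default instance. '% Privileged Time' is included because
    # KVAS makes kernel transitions more expensive, so kernel time is where the cost shows up.
    $counters = @(
        '\Processor(_Total)\% Processor Time',
        '\Processor(_Total)\% Privileged Time',
        '\SQLServer:SQL Statistics\Batch Requests/sec',
        '\SQLServer:Buffer Manager\Page life expectancy',
        '\PhysicalDisk(_Total)\Avg. Disk sec/Read'
    )

    Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object {
            $ts = $_.Timestamp
            foreach ($s in $_.CounterSamples) {
                [pscustomobject]@{
                    Timestamp = $ts
                    Counter   = $s.Path
                    Value     = [math]::Round($s.CookedValue, 3)
                }
            }
        } | Export-Csv -Path $OutCsv -NoTypeInformation

    # Summarise so the before/after files can be compared at a glance
    Import-Csv -Path $OutCsv | Group-Object -Property Counter | ForEach-Object {
        $vals = $_.Group | ForEach-Object { [double]$_.Value }
        [pscustomobject]@{
            Counter = $_.Name
            Avg     = [math]::Round(($vals | Measure-Object -Average).Average, 3)
            Max     = ($vals | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize

    "Raw samples written to $OutCsv"
}

# Run once before patching and once after the reboot, under a comparable workload
Get-SqlPerfBaseline
```

Capture both runs under the same workload (for example, the same batch window or load-test script); a baseline taken at a quiet time compared against a busy post-patch window will mislead more than it informs.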

Deploy into Test/Dev First

As with any software update, it is important to realize that things may break when you apply these patches.

There are already reports that for some folks SCCM breaks after applying the SQL Server patch, so make sure you follow the guidelines released in this article.

Do a thorough end-to-end test and ensure all your applications work as expected prior to deploying to production.

Other Ways to Mitigate Risk

Microsoft also talks about other ways to mitigate the SQL Server risk in KB article 4073225.

The primary areas of risk are:

  • Having CLR enabled
  • Running Python/R Code
  • Linked Servers
  • XP_CMDSHELL
  • COM Objects
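As an added example (not from the original post or from KB 4073225), the script below inventories the features in the list above on an instance so you can see which ones are actually in use and switch off the ones that are not. It uses `Invoke-Sqlcmd` from the SqlServer PowerShell module and needs a login that can read `sys.configurations` and `sys.servers`; the instance name `localhost` is an assumption. The `external scripts enabled` option only exists on SQL Server 2016 and later, so it simply will not appear on older versions.

```powershell
# Added example, not part of the original post. Lists the server-level options that
# correspond to the post's risk areas and any linked servers, then offers a helper
# to turn an option off. Requires: Install-Module SqlServer
function Get-SqlRiskSurface {
    param([string]$ServerInstance = 'localhost')   # assumed instance name

    # Option name -> the risk area from the post it corresponds to
    $riskOptions = @{
        'clr enabled'               = 'CLR'
        'external scripts enabled'  = 'Python/R code (2016+)'
        'xp_cmdshell'               = 'xp_cmdshell'
        'Ole Automation Procedures' = 'COM objects (sp_OACreate etc.)'
    }
    $names = ($riskOptions.Keys | ForEach-Object { "'$_'" }) -join ', '

    $configQuery = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM   sys.configurations
WHERE  name IN ($names);
"@
    $linkedQuery = 'SELECT name, product, provider FROM sys.servers WHERE is_linked = 1;'

    $configs = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $configQuery
    $linked  = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $linkedQuery

    foreach ($c in $configs) {
        $state = if ([int]$c.value_in_use -eq 1) { 'ENABLED  <- review' } else { 'disabled' }
        '{0,-28} {1,-20} {2}' -f $c.name, $riskOptions[$c.name], $state
    }

    if ($linked) {
        "Linked servers ({0}):" -f @($linked).Count
        foreach ($l in $linked) { '  {0} ({1}, {2})' -f $l.name, $l.product, $l.provider }
    } else {
        'Linked servers: none'
    }
}

function Disable-SqlRiskOption {
    # Turns one of the options above off with sp_configure. Only pass names from the
    # fixed list in Get-SqlRiskSurface; the name is interpolated into T-SQL.
    param(
        [string]$ServerInstance = 'localhost',
        [ValidateSet('clr enabled', 'external scripts enabled', 'xp_cmdshell', 'Ole Automation Procedures')]
        [string]$Name
    )
    $sql = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure '$Name', 0; RECONFIGURE;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $sql
}

# Inventory first; disable only what nothing depends on, and retest the applications
Get-SqlRiskSurface -ServerInstance 'localhost'
# Disable-SqlRiskOption -ServerInstance 'localhost' -Name 'xp_cmdshell'
```

Treat the inventory as a starting point: an option that shows as enabled may be relied on by a job or application, which is why the disable step is left commented out and belongs in the test/dev pass described above.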

References:
How to check if your database server is protected against meltdown/spectre
Speculative Attacks Technical Paper
SQL Server Patches for Meltdown and Spectre Attacks
Stack Exchange

Rob StGeorge
Senior SQL Server Database Administrator residing in Auckland, NZ
