Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-79-2357480.1
Update Date: 2018-05-09

Solution Type  Predictive Self-Healing Sure

Solution  2357480.1 :   Performance impact of mitigation measures against CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 on Oracle Database, Oracle Exadata, and Oracle Zero Data Loss Recovery Appliance  


Related Items
  • Oracle Exadata Storage Server Software
  • Oracle Platinum Services
  • Exadata X3-2 Hardware
  • Exadata X4-2 Quarter Rack
  • Zero Data Loss Recovery Appliance Software
  • Oracle Database - Enterprise Edition
  • Exadata X4-2 Hardware
Related Categories
  • PLA-Support>Eng Systems>Exadata/ODA/SSC>Oracle Exadata>DB: Exadata_EST




In this Document
Purpose
Details
 Oracle Database
 Oracle Exadata
 Oracle Zero Data Loss Recovery Appliance
 Security Recommendations
References


Applies to:

Exadata X4-2 Quarter Rack
Oracle Exadata Storage Server Software
Zero Data Loss Recovery Appliance Software
Oracle Database - Enterprise Edition
Exadata X4-2 Hardware
Information in this document applies to any platform.

Purpose

The following has been approved for use in MOS or shared with "Oracle Confidential" notice with customers. It is NOT to be published on public sites (oracle.com, OTN, tweet, blog, etc.).

The January 2018 Critical Patch Update provides patches for certain Oracle products against the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) processor vulnerabilities.  Please refer to the Critical Patch Update Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note (MOS <Note 2347948.1>).

This document provides information about the performance impact measured by Oracle resulting from the current mitigation measures against the Spectre variant 1 (CVE-2017-5753), Spectre variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) processor vulnerabilities on Oracle Database and Oracle Exadata.

Details

Oracle Database

The mitigation measures to address the CVE-2017-5754, CVE-2017-5715 and CVE-2017-5753 vulnerabilities disable certain performance optimizations and can impact performance for some database workloads.  These mitigation measures often increase the processor time consumed by system calls made by user programs such as the Oracle Database.  Virtualized systems are likely to see a bigger impact than non-virtualized systems.  

The exact performance impact on a database can vary significantly depending on the type of workload, processor, operating system and database version. For example, the performance impact on Linux platforms might be different from that on Windows platforms.  Similarly, the performance impact on transaction processing systems might be different from that on decision support systems. Hence it is not possible to accurately predict the performance impact of the mitigation measures for a particular workload without testing that workload on its target system, and individual results may vary.

Oracle ran performance testing with some standard workloads using a non-virtualized Intel-based server with local (flash) disks (BM.DenseIO1.36 on Oracle Cloud Infrastructure), described as follows:

  • Database Servers: BM.DenseIO1.36 instance on Oracle Cloud Infrastructure with 2x Intel Xeon 2.3 GHz E5-2699 v3 processors, 512 GB DRAM and 28.8 TB of local NVMe SSD
  • Database Version: Oracle Database 12.2.0.1, Release Update 12.2.0.1.180417
  • OS Version: Oracle Linux 6
  • Kernel Version: 4.1.12-112.16.5.el6uek.x86_64

These tests found that the performance impact of the security mitigation measures on a system running an Oracle Database stored on conventional block storage can often be categorized by the type of database workload being run as follows: 

  • 3 - 5% CPU Usage Increase for CPU intensive workloads with short running SQL such as online transaction processing.
  • 0 - 5% CPU Usage Increase for Analytic and reporting workloads with longer running SQL, analytic workloads that don't leverage columnar in-memory technologies.

The numbers above are for general guidance and may not reflect the exact impact to a specific workload.  In addition, performance impact shown is relative to the current CPU utilization of the system.  For example, if the current CPU utilization is 30%, a 10% impact will increase the CPU utilization to 33%, not to 40%.  Systems that are running close to 100% CPU utilization are most susceptible to the performance impact.  The numbers above represent combined OS and User CPU time.
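
The relative-impact arithmetic above, applied to measured data, as an added example that is not part of the Oracle note: it computes combined User and OS utilization from two pairs of Linux /proc/stat snapshots taken under the same workload before and after patching, and expresses the change the way the note quotes it. The function names and the snapshot counters are constructed for illustration.

```python
# Added example: the counters below are constructed, not Oracle measurements.

def parse_cpu_line(line):
    """Return (busy, total) jiffies from the aggregate 'cpu' line of /proc/stat."""
    fields = line.split()
    if not fields or fields[0] != "cpu" or len(fields) < 9:
        raise ValueError("expected the aggregate 'cpu' line with 8+ counters")
    # Field order: user nice system idle iowait irq softirq steal
    user, nice, system, idle, iowait, irq, softirq, steal = map(int, fields[1:9])
    busy = user + nice + system + irq + softirq  # combined User and OS CPU time
    return busy, busy + idle + iowait + steal

def utilization(start_line, end_line):
    """Fraction of CPU time spent busy between two snapshots."""
    b0, t0 = parse_cpu_line(start_line)
    b1, t1 = parse_cpu_line(end_line)
    if t1 <= t0 or b1 < b0:
        raise ValueError("snapshots out of order or counters reset (reboot?)")
    return (b1 - b0) / (t1 - t0)

def relative_impact(util_before, util_after):
    """Relative CPU increase as the note quotes it (0.10 means 10%)."""
    if util_before <= 0:
        raise ValueError("baseline utilization must be positive")
    return (util_after - util_before) / util_before

def projected_utilization(util_now, impact):
    """Apply a relative impact to current utilization: 30% with 10% gives 33%."""
    return min(1.0, util_now * (1 + impact))

# Constructed snapshots of the same workload, before and after patching.
BEFORE = ("cpu 100000 0 40000 850000 8000 1000 1000 0 0 0",
          "cpu 120000 0 49000 919000 9000 1500 1500 0 0 0")
AFTER = ("cpu 50000 0 25000 400000 4000 500 500 0 0 0",
         "cpu 70500 0 36500 466000 5000 1000 1000 0 0 0")

if __name__ == "__main__":
    u0, u1 = utilization(*BEFORE), utilization(*AFTER)
    print(f"before {u0:.1%}, after {u1:.1%}, relative impact {relative_impact(u0, u1):.1%}")
    # Headroom check with the 5% upper bound quoted for OLTP on this test server.
    print(f"92% busy host projected at {projected_utilization(0.92, 0.05):.1%}")
```

On a live host the two lines of each pair would be the first line of /proc/stat read at the start and end of a representative workload window.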

 

Oracle Exadata

Exadata System Software 18.1.5 and 12.2.1.1.7 provide the operating system (Oracle Linux) and micro-code updates to mitigate CVE-2017-5715, in addition to CVE-2017-5754 and CVE-2017-5753 vulnerabilities that were addressed in Exadata System Software 18.1.4 and 12.2.1.1.6.  This includes Exadata Database Machine, Exadata Cloud Service, Exadata Cloud at Customer, and SuperCluster Storage Servers.  These releases update both Exadata Database Servers and Exadata Storage Servers even though Oracle does NOT support installing non-Oracle supplied programs on Exadata Storage Servers.

Oracle ran performance testing with an Exadata X7-2 High Capacity described as follows:

  • Database Version: Oracle Database and Grid Infrastructure 12.2.0.1, Release Update 12.2.0.1.180417
  • OS Version: Oracle Linux 6
  • Kernel Version: 4.1.12-94.8.4.el6uek.x86_64

Like the Oracle Database, the performance impact of these security patches on Exadata will vary with the type of workloads and processors.  Each workload exercises various subsystems in a different manner.  In addition, performance characteristics of Intel processors vary from generation to generation.  Thus, it is not possible to accurately predict the performance impact of the software updates for a particular workload running on a particular generation of Exadata system without testing each specific workload on its target system, and individual results may vary.

Oracle database performance testing with some standard workloads found that the performance impact of the security mitigation measures can often be categorized by the type of workload being run as follows: 

  • 0 to 13% CPU usage increase for CPU intensive workloads with short running SQL such as online transaction processing.
  • 0 to 8% CPU usage increase for decision support and reporting workloads with longer running SQL, analytic workloads that don't leverage columnar in-memory technologies.
  • 0 to 3% CPU usage increase for columnar In-memory analytics.

Performance impact on prior generation Exadata Systems (X6 or older) will usually be less than that measured on Exadata X7 systems.

 

Oracle Zero Data Loss Recovery Appliance

Exadata System Software 18.1.5 is also applicable to Oracle Zero Data Loss Recovery Appliance. This release contains the operating system (Oracle Linux) and micro-code updates to mitigate CVE-2017-5715, in addition to CVE-2017-5754 and CVE-2017-5753 vulnerabilities that were addressed in Exadata System Software 18.1.4.

Oracle ran performance testing with a Zero Data Loss Recovery Appliance X7 described as follows:

  • ZDLRA Version: 12.2.1.1.1-201803 PSU
  • OS Version: Oracle Linux 6
  • Kernel Version: 4.1.12-94.8.4.el6uek.x86_64

ZDLRA workloads are usually disk IO bound and therefore these security mitigation measures have little or no effect on backup and restore performance. Oracle performance testing with some standard backup and restore workloads found that the impact of mitigation measures for CVE-2017-5754 and CVE-2017-5753 on backup and restore performance was between 0 and 2%.  The performance impact of mitigation measures for CVE-2017-5715 is under evaluation.

However, as noted above, it is not possible to accurately predict the performance impact of the mitigation measures for a particular workload without testing that workload on its target system, and individual results may vary.

 

Security Recommendations

Oracle recommends that you prevent as much as possible the execution of discretionary code from an untrusted source, which is a condition for the exploitation of vulnerabilities CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2) and CVE-2017-5754 (Meltdown). Oracle recommends that you review the privileges associated with your systems, and periodically review your security logs in light of these vulnerabilities (e.g., to identify newly-created accounts or newly-installed applications). Oracle will continue to investigate these vulnerabilities, and will produce additional patches to respond to these processor issues, if applicable, and in accordance with Oracle’s security update policies.

Oracle recommends that customers keep up with security patches for relevant operating systems, virtualization technologies, and related hardware when updated security patches are released by their respective vendors or maintainers.

Relevant patches for any systems include patches for:

  • Operating system (OS) and, if required, underlying hardware firmware
  • VM virtualization infrastructure
  • Desktop browsers

Customers need to follow the patching instructions as directed by the vendor/maintainer of these components.  However, customers of Oracle’s engineered systems should solely rely on the specific patches produced for these engineered systems. 

 


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.