IBM i Gets More PTFs for Meltdown and Spectre
January 31, 2018 Alex Woodie
IBM on Friday issued a second set of program temporary fixes (PTFs) for the IBM i operating system that address the Meltdown and Spectre processor vulnerabilities that were disclosed earlier this month. Meanwhile, IBM i customers are beginning to wonder about the performance impact that the patches will bring to production workloads.
At about 11 a.m. Eastern time on January 26, IBM posted a message to the PSIRT Blog to let customers know that “IBM i has released PTFs in response to the vulnerabilities known as Spectre and Meltdown.” (We’ll assume that the urgent nature of the message led to the grammatical letdown, as IBM released the PTFs, not IBM i.)
The blog post pointed users to this IBM support page where they can get information about the three new PTFs that patch the security flaws, which IBM considers to have “high severity.” IBM encouraged customers to install the PTFs immediately to minimize the potential impacts of the security vulnerabilities.
It was the second set of PTFs that IBM issued for Meltdown and Spectre for the three supported IBM i OSes: IBM i 7.1, 7.2, and 7.3. (The clock is ticking for IBM i 7.1, which loses IBM mainstream support in April.)
IBM announced the first set of IBM i PTFs on January 10, which is the same time that it issued a separate set of fixes for the Power Systems firmware (FW). Users can find information about which firmware update they should apply for specific Power Systems hardware at this IBM support Web page. The OS and FW patches can both be found on Fix Central.
The new PTFs that IBM issued on January 26, 2018, are as follows:
Release 7.1 – MF64571
Release 7.2 – MF64565
Release 7.3 – MF64568
The PTFs that IBM released on January 10, 2018 include:
Release 7.1 – MF64553
Release 7.2 – MF64552
Release 7.3 – MF64551
In its most recent PSIRT blog post, IBM said that “both the IBM i and FW fixes are required to mitigate the vulnerabilities.” The new set of IBM i PTFs “can be loaded and applied independently of the Power FW fixes,” the company stated. However, it also said that “the firmware patch provides partial remediation to these vulnerabilities and is a pre-requisite for the OS patch to be effective.”
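As an added check, not from the article or from IBM: a query an IBM i administrator could run (for example from Run SQL Scripts) to see whether the LIC PTFs listed above are loaded and applied on a partition. It assumes the QSYS2.PTF_INFO SQL service is available on the release in use, that MF-prefixed PTFs belong to the Licensed Internal Code product 5770999, and that the release filter is edited to match the partition; the firmware level is not visible here and must be checked separately.

```sql
-- Added example (not from the article or IBM). Assumes the QSYS2.PTF_INFO
-- service exists on this release; the PTF numbers are the six the article lists.
WITH wanted (ptf_id, fix_set, os_release) AS (
  VALUES ('MF64553', '2018-01-10', 'V7R1M0'),
         ('MF64552', '2018-01-10', 'V7R2M0'),
         ('MF64551', '2018-01-10', 'V7R3M0'),
         ('MF64571', '2018-01-26', 'V7R1M0'),
         ('MF64565', '2018-01-26', 'V7R2M0'),
         ('MF64568', '2018-01-26', 'V7R3M0')
)
SELECT w.ptf_id,
       w.fix_set,
       COALESCE(p.ptf_loaded_status, 'NOT LOADED') AS loaded_status,
       p.ptf_ipl_action,                -- anything but 'NONE' means an IPL is still pending
       p.ptf_superseded_by_ptf,         -- if superseded, verify the newer PTF instead
       CASE
         WHEN p.ptf_loaded_status IN ('APPLIED', 'PERMANENTLY APPLIED') THEN 'OK'
         WHEN p.ptf_loaded_status = 'SUPERSEDED'  THEN 'CHECK SUPERSEDING PTF'
         WHEN p.ptf_loaded_status = 'LOADED'      THEN 'LOADED, NOT APPLIED (IPL NEEDED)'
         ELSE 'MISSING'
       END AS assessment
FROM wanted w
LEFT JOIN qsys2.ptf_info p
       ON p.ptf_identifier = w.ptf_id
      AND p.ptf_product_id = '5770999'  -- Licensed Internal Code (MF PTFs)
WHERE w.os_release = 'V7R3M0'           -- change to this partition's release
ORDER BY w.fix_set, w.ptf_id;
```

A row that is 'OK' for the OS PTF still does not prove the fix is effective, because the article quotes IBM as saying the Power firmware patch is a prerequisite.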
The release of a second set of patches shows that the Spectre and Meltdown situation is dynamic and continues to change on a weekly basis. In the first week of January, when the problems were first revealed to the world, IBM indicated that the IBM i PTFs would become available February 12.
However, the company apparently made the PTFs a bigger priority and released them before then. In its January 25 PSIRT blog post, IBM said: “IBM i operating system patches are now available via FixCentral and will continue to be rolled out through February 12.”
The PTFs address three vulnerabilities that security researchers disclosed to the public just after the start of the new year. The first two security vulnerabilities are CVE-2017-5753 and CVE-2017-5715, and are collectively known as Spectre, while the third vulnerability, CVE-2017-5754, is known as Meltdown.
Spectre “allows user-level code to infer data from unauthorized memory,” IBM says, while Meltdown “allows user-level code to infer the contents of kernel memory.” The vulnerabilities impact nearly all modern-day processors from IBM, Intel, and others, and are due to an error in how the companies implemented speculative execution in the chip architecture.
“These vulnerabilities do not allow an external unauthorized party to gain access to a machine,” IBM states in its PSIRT blog, “but they could allow a party that has access to the system to access unauthorized data.”
The Meltdown and Spectre flaws dealt a severe blow to speculative execution, which was developed to speed up processors, and it will take new designs and new generations of chips to completely address the flaws. In the meantime, the patches issued by IBM, Intel, and other chip and computer makers will mitigate the security risks, but come at the expense of a performance impact.
The performance impacts of Meltdown and Spectre are not distributed evenly. Some I/O-intensive workloads could see upwards of a 30 percent reduction in throughput, according to chipmakers, while others will see a smaller impact.
It’s unclear exactly how much of a performance hit the IBM i PTFs and Power Systems firmware patches will impose on IBM i customers. It will take some time before the bulk of IBM i customers install the patches, as they require the server to be taken offline and IPL’ed. (And who knows if IBM will issue a third set of PTFs in the coming weeks.) Even after the patches are installed, it will take time before users can conduct meaningful before-and-after performance comparisons.
Some IBM i customers are reporting that IBM is warning them about the potential for performance hits. One IBM i customer says that IBM included the following warning with the firmware patch:
“These patches may have a performance degradation due to the nature of the fixes. The degradation will vary depending on the workload and environment of each system. For example, a system in a text-based environment, running minimal software, performing purely memory based calculations might not show a large performance hit. On the other hand, a system with a GUI, primarily used as an information repository with a lot of disk and network activity, may see a larger drop in performance. We suggest applying the patches in a test environment to get a better idea of what level of performance you can expect when the patches are applied to your production environment.”
This appears to be a snippet from a broader conversation on the performance impact of the Spectre and Meltdown patches that occurred at IBM X-Force Exchange.
We’ll do our best at IT Jungle to stay on top of patches, as well as the resulting performance impact that they bring. Doug Bidwell, the editor of PTF Guide and the owner of DLB Systems Associates in Southern California, is an IBM i expert who keeps a particularly keen watch on all PTFs, emergency and otherwise. As this saga unfolds, Bidwell will be your source for the latest information.