Storage slingers say: Don't sweat Spectre, Meltdown SANitation

Debate rages on software, HCI slowdown though

Analysis Several SAN suppliers have said their systems don't need patching against the Spectre and Meltdown bugs. We asked Dell and Pure Storage about the impact of fixes and whether their SANs and Dell's hyperconverged (HCI) systems needed patching.

El Reg: Do you agree that on-premises external SANs and filers that only run their supplier's code will be safe and won't need patching, and therefore will perform as before? Could you explain the reasoning behind your position?

Dell: We generally agree. Access to the platform OS to load external code is restricted (in some cases code cannot be altered whatsoever) and therefore the reported vulnerabilities do not introduce any additional security risk to a customer's environment – provided they follow recommended best practices to protect access of highly privileged accounts.

Pure Storage: Current known exploits of Meltdown and Spectre require running crafted code on the CPU being attacked. Pure's systems run a fixed Purity Operating Environment, so we expect them to perform as before without patching.

El Reg: Is the situation different for storage software delivered and designed to run on commodity separately sourced hardware (meaning servers)? Will those servers have to be patched?

Dell: Yes, in most cases, most storage software on its own will be immune to these vulnerabilities but the host servers/appliances they operate on will still require patching. Virtual appliance installs of some software will require associated VMs and their hypervisors to be patched.

Pure Storage: Pure Storage does not offer a software-only solution, so this does not apply to Pure Storage solutions. FlashArray and FlashBlade platforms are appliance-based solutions with hardware and software tightly coupled and controlled by Pure.

El Reg: Is the situation different for hyperconverged systems?

Dell: HCI appliances may have more restrictive access rights than commodity servers; however, server components of a CI/HCI system require patching along with hypervisor and any guest OS components.

Pure Storage: This is not applicable to Pure.

El Reg: What are your intentions regarding patching your own shared, external storage system products?

Dell: Most of our external storage systems have zero or very limited risk exposure to the reported vulnerabilities.

Pure Storage: We don't intend to patch our storage system products. We'll continue to monitor this issue as we learn more.

El Reg: If you are patching these systems then what will the performance impact be?

Dell: We will conduct performance testing for any systems where patching is required, though we do not expect any performance impact on these storage systems.

El Reg: Will you be patching your HCI products?

Dell: Yes, we are remediating vulnerable components of these systems... We're currently testing to assess any potential performance impacts as a result of patching.

Storage software running in a patched hypervisor

On the other hand, non-appliance storage software will likely need patching, claimed Infinidat.

Infinidat CTO Brian Carmody claimed: "If you're 'software-defined storage' (SDS) running in a patched hypervisor, you're going to take a performance hit. If you're a storage appliance that allows third-party code to run, you're going to take a performance hit.

"The only architectures with the luxury of not implementing the kernel patch are those who already prevent third-party code from hitting the physical CPUs, e.g. appliances."

That means SANs and filers from Dell, HPE, Hitachi Vantara, Huawei, Kaminario, NetApp, Pure Storage, Tintri, etc.

If an array allows customer code to run in it, then the presumption is that it will need patching.

Carmody said he doubted any SDS that runs in a hypervisor would be unaffected. "If you run in a hypervisor, and patch the hypervisor, and make system calls, you're going to be slowed down like every other virtualised application," he claimed, referencing a Microsoft blog about this.

The blog states: "For Windows Server, administrators should ensure they have mitigations in place at the physical server level to ensure they can isolate virtualized workloads running on the server... Windows Server customers, running either on-premises or in the cloud, also need to evaluate whether to apply additional security mitigations within each of their Windows Server VM guest or physical instances. These mitigations are needed when you are running untrusted code within your Windows Server instances."

The performance impact on Windows servers comes from the Windows change for Spectre Variant 2, which eliminates branch speculation in risky situations, combined with a CPU microcode update.

This implies software-only storage products from the object storage suppliers would be affected. We're checking with them too.
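The practical question the article raises for anyone running storage software on commodity Linux servers or hypervisors is simply whether the host kernel is carrying the mitigations. The script below is an added example, not something from the article or from any vendor quoted in it. It assumes the sysfs interface that Linux kernels from 4.15 onwards expose (one status file per issue under /sys/devices/system/cpu/vulnerabilities/) and builds a constructed sample directory so it can be exercised offline; the status strings in that sample are illustrative, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): read the Linux
# kernel's own report of Meltdown and Spectre mitigation state on a host
# that runs storage software. Assumes the sysfs files introduced in
# Linux 4.15 under /sys/devices/system/cpu/vulnerabilities/.

# classify_status STATUS-LINE
# Prints one word (mitigated / unaffected / vulnerable / unknown) and
# returns 0 for the first two, 1 for the others, so it can gate a step.
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected; return 0 ;;
        "Mitigation:"*)  echo mitigated;  return 0 ;;
        "Vulnerable"*)   echo vulnerable; return 1 ;;
        *)               echo unknown;    return 1 ;;
    esac
}

# check_host [SYSFS-DIR]
# Reports the three issues discussed in the article, one line each, and
# returns 1 if any of them is vulnerable or its status file is missing.
check_host() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            status=$(cat "$dir/$issue")
        else
            status="status file not present (kernel older than 4.15?)"
        fi
        verdict=$(classify_status "$status") || rc=1
        printf '%-10s %-11s %s\n' "$issue" "$verdict" "$status"
    done
    return $rc
}

# make_sample_dir
# Constructed sample (not real output from any host): what a patched
# kernel using PTI and retpoline might report. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "$d"
}

# Run against the live host when executed directly; the exit status of
# check_host is what a deployment script would test before starting a
# software-defined storage service on this server.
check_host
```

Pass a directory as the first argument to point the check at a copied sysfs tree, for instance one gathered from a fleet of hypervisor hosts, rather than the local machine.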


Meanwhile, Google has said it has found a way to fix the Variant 2 Spectre bug with no adverse impact on performance.

It said:

With Retpoline, we didn't need to disable speculative execution or other hardware features. Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker. With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications.

Furthermore, testing this feature, particularly when combined with optimisations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss... Retpoline fully protects against Variant 2 without impacting customer performance on all of our platforms.

Google has provided all the details here. ®
