Google adds, "We believe solutions exist that introduce minimal performance impact, and expect such techniques will be adopted by software vendors over time. We designed and tested our mitigations for this issue to have minimal performance impact, and the rollout has been uneventful."
And the company said in a Thursday blog post: "On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."
Tobi Knaup, Mesosphere co-founder and chief technology officer, agrees that the reports of drastic performance hits are overblown. "There has been speculation online that the current mitigation approach will have significant impact on performance. While this has been confirmed in synthetic benchmarks, most workloads are only minimally impacted under real conditions," he says in an email statement to Enterprise Cloud News. "We're still working through benchmarks of our own products and won't have any confirmed findings on this topic until the end of the [this] week. Given what we know now, we tend to agree with others that have stated the patches won't impact performance significantly under real conditions."
Real performance cost will likely be under 2%, says Check Point Software Technologies Ltd. (Nasdaq: CHKP) Chief Marketing Officer Peter Alexander, adding that all Check Point security gateways are unaffected by the vulnerability.
What about containers and hypervisors?
The bad news: Containers don't confer any special immunity with regard to Spectre and Meltdown. The good news: Containers don't present any special risk either.
"Containers and Kubernetes behave like any other process on a Linux or Windows system," CoreOS Inc. Chief Technology Officer Brandon Philips says in an email to Enterprise Cloud News. "All applications that have Spectre vulnerabilities when run outside of a container will have Spectre vulnerabilities when run inside a container as well. Fixes to Spectre will require changes to application architecture or recompilation from source code."
He adds, "Applications with Spectre issues will have those issues whether they are in a container or not. And containers may actually help make upgrading easier."
Knaup agrees: "Meltdown and Spectre affect almost every computing device and operating system currently in use, including virtualized and containerized applications. We're advising our customers to upgrade their operating systems to the patched versions provided by the vendors to mitigate these attacks. DC/OS [Mesosphere's data center software platform] customers are fortunate that they are able to perform rolling upgrades to patch the vulnerabilities without any application downtime."
Similarly, the Xen hypervisor for virtualization is vulnerable to information leaks but not escalated privilege, according to a Xen Project blog post. The Xen Project has a prototype patch, and is working on finalizing solutions, the group says.
Microsoft incorporated mitigation for its Hyper-V hypervisor into the Windows patches released last week, and it has updated the Azure cloud to protect against the vulnerability. VMware has patches available for its virtualization products as well.
— Mitch Wagner Editor, Enterprise Cloud News