IBM MQ Advice Regarding Operating System Security Patches for Spectre and Meltdown
This document is intended to impress on those responsible for production IBM MQ systems that there is a definite need to verify that operating systems patched for Spectre and Meltdown still satisfy the peak resource needs of their messaging systems.
It is very difficult for IBM to predict the real-world impact of applying these operating system patches, so IBM strongly advises that our customers assess the performance impact of these patches across their entire messaging infrastructure, including interactions with systems which do not require these operating system security patches, to ensure that sufficient messaging capacity remains after patches are applied.
Operating system patches are being issued by vendors in response to the Spectre and Meltdown[1] protected memory access issues. These patches are expected to be available on a number of platforms on which IBM MQ is supported.
Affected operating system vendors have stated that there are performance overheads as a result of the changes that have been made to address the Spectre and Meltdown vulnerabilities.
Applying these operating system patches increases CPU resource overhead, which may leave messaging workloads without sufficient CPU to maintain the message throughput that was achieved without these patches.
Information available from affected operating system vendors indicates that this impact is expected to be most pronounced on interrupt-driven workloads. Examples of such workloads involving IBM MQ include systems with large volumes of client connections, or high transaction rates.
Prior to applying any operating system patches to messaging systems, IBM strongly advises that our customers make performance assessments of patched operating systems which run any messaging workload, including MQ queue managers, clients, and Managed File Transfer agents, to ensure that the systems are still capable of achieving their peak processing objectives. End-to-end assessments should also be completed where messaging throughput depends on other components such as application processing or databases, or systems which do not require patching.
1. Spectre and Meltdown refer to CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, disclosed by researchers in January 2018. For more information, see https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
|Business Integration||IBM MQ|
|Business Integration||IBM MQ Appliance|
|Business Integration||IBM MQ Advanced|