IBM Support

IBM MQ Advice Regarding Operating System Security Patches for Spectre and Meltdown

Flash (Alert)


Abstract

This document advises those responsible for production IBM MQ systems that there is a definite need to verify that operating systems patched for Spectre and Meltdown still satisfy the peak resource needs of their messaging systems.

It is very difficult for IBM to predict the real-world impact of the application of these operating system patches, and so IBM strongly advises that our customers make performance assessments of the impact of these patches across their entire messaging infrastructure, including interactions with systems which do not require these operating system security patches, to ensure that sufficient messaging capacity remains after patches are applied. 

Content

Operating system patches are being issued by vendors in response to the Spectre and Meltdown [1] protected memory access issues. These patches are expected to be available on a number of platforms on which IBM MQ is supported.
Affected operating system vendors have stated that there are performance overheads as a result of the changes that have been made to address the Spectre and Meltdown vulnerabilities. 

CPU resource overhead increases when such operating system patches are applied, which may leave messaging workloads without sufficient CPU to maintain the same message throughput that was achieved without these patches.

Information available from affected operating system vendors indicates that this impact is expected to be most pronounced on interrupt-driven workloads. Examples of such workloads involving IBM MQ include systems with large volumes of client connections, or high transaction rates.

IBM strongly advises that, prior to applying any operating system patches to messaging systems, our customers make performance assessments of patched operating systems which run any messaging workload, including MQ queue managers, clients, and Managed File Transfer agents, to ensure that the systems are still capable of achieving their peak processing objectives. End-to-end assessments should also be completed where messaging throughput depends on other components such as application processing or databases, or systems which do not require patching.


1. Spectre and Meltdown refer to CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, disclosed by researchers in January 2018. For more information, see https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html


Cross reference information

Segment              | Product          | Component | Platform | Version | Edition
Business Integration | IBM MQ           |           |          |         |
Business Integration | IBM MQ Appliance |           |          |         |
Business Integration | IBM MQ Advanced  |           |          |         |

Document information

More support for: WebSphere MQ

Software version: 7.0.1, 7.1, 7.5, 8.0, 9.0

Operating system(s): Platform Independent

Reference #: 2012585

Modified date: 12 January 2018

