
Speculative Store Bypass, Spectre and Meltdown security flaws and ForgeRock products

Last updated Jul 9, 2018

The purpose of this article is to provide information on whether ForgeRock products (AM/OpenAM, DS/OpenDJ, IDM/OpenIDM and IG/OpenIG) are impacted by the Speculative Store Bypass, Spectre and Meltdown security flaws. These are hardware design flaws in the CPUs themselves, not defects in any particular piece of software, and they affect every device built on an affected processor.



ForgeRock products

Like other system-level vulnerabilities, these flaws affect the security of all software running on an affected system. ForgeRock products contain no code that is itself vulnerable, but an attacker able to execute code on the same host could use these side channels to read memory belonging to ForgeRock processes, and with it the credentials, tokens and directory data that ForgeRock software stores and manages. Because the root cause is the CPU design, the fixes come from the operating system, hardware/firmware (microcode) and Java® vendors rather than from ForgeRock.

You can read more about these security flaws here: Speculative Store Bypass explained: what it is, how it works and Scary Chip Flaws Raise Spectre of Meltdown.

Some operating system vendors have not yet released patches, so the potential performance impacts are not fully known. Any impact will also depend on the specific operating system, the CPU generation, the workload being run and so on, so it will be very environment specific. Microsoft® has published performance tests, detailed here: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems, which indicate that the impact depends on the variant being mitigated. Google®, on the other hand, suggests that with its approach the impact is minimal: Google says CPU patches cause ‘negligible impact on performance’ with new technique.

You can ascertain the performance impact in your own environment as follows, provided you have a test environment that mimics production:

  1. Perform controlled testing to measure baseline performance and throughput under a representative workload.
  2. Apply the patches provided by the operating system (and, where applicable, firmware and Java) vendors, and confirm the mitigations are active.
  3. Repeat the same tests against the same workload to identify any differences.
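Before repeating the measurements in step 3 it is worth confirming that the patch actually switched the mitigations on; otherwise the "after" numbers say nothing. The script below is an added example for this article, not ForgeRock code. It reads the status files that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities (spectre_v1, spectre_v2, meltdown and spec_store_bypass), classifies each variant as mitigated, vulnerable, not affected or missing (no sysfs entry, meaning the kernel predates the interface or that fix), and exits non-zero if anything still reports Vulnerable. The SYSFS_VULN_DIR override and the classify/report function names are this example's own choices; the test directory used when you point it elsewhere is constructed, not real kernel output.

```shell
#!/bin/sh
# Added example: verify Linux kernel-reported Spectre/Meltdown/SSB mitigation state
# before and after patching, so benchmark runs are compared like for like.
# Directory can be overridden (e.g. to a constructed test directory).
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify <file>
# Prints one token: missing | not_affected | vulnerable | mitigated | unknown
# based on the kernel's one-line status string for that variant.
classify() {
    f="$1"
    [ -r "$f" ] || { echo missing; return 0; }
    state=$(cat "$f")
    case "$state" in
        "Not affected"*) echo not_affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation*)     echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# report <dir>
# Prints one line per variant (name, class, raw kernel string) and returns 1
# if any variant is still reported as Vulnerable, 0 otherwise.
report() {
    dir="$1"
    rc=0
    for v in spectre_v1 spectre_v2 meltdown spec_store_bypass; do
        s=$(classify "$dir/$v")
        if [ -r "$dir/$v" ]; then
            detail=$(cat "$dir/$v")
        else
            detail="(no sysfs entry: kernel lacks this fix or predates the interface)"
        fi
        printf '%-18s %-12s %s\n' "$v" "$s" "$detail"
        [ "$s" = vulnerable ] && rc=1
    done
    return $rc
}

# Stand-alone run against the live system. The if/else keeps a non-zero
# result from aborting the script when it is run under 'set -e'.
if report "$SYSFS_VULN_DIR"; then
    echo "All listed variants are mitigated, not affected, or unreported by this kernel."
else
    echo "WARNING: at least one variant still reports Vulnerable; apply the OS/microcode update before benchmarking." >&2
fi
```

Run it once on the unpatched test system and again after step 2; only when every line reads mitigated or not_affected is the second benchmark measuring the cost of the mitigations. The 4.15+ kernels that introduced these files also accept boot parameters such as nopti and nospectre_v2 that disable individual mitigations, which is a convenient way to attribute a throughput change to one variant. On Windows, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) serves the same purpose.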

You should also check with your Java vendor for any guidance on the impact, both now and once the operating system fixes are deployed, since JVM updates may follow the operating system patches.

See Also

Speculative Execution, variant 4: speculative store bypass

US-CERT - TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance

National Cyber Security Centre - 'Meltdown' and 'Spectre' guidance

Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715



Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.