Like other system-level vulnerabilities, these security flaws impact the security of all software running on the system. While ForgeRock products are not directly affected, the data stored and managed by ForgeRock software could be read by unauthorized attackers exploiting these vulnerabilities. Since these vulnerabilities stem from a chip design issue, the patches to fix these issues will come from the operating system and Java® vendors rather than from ForgeRock.
You can read more about these security flaws in "Speculative Store Bypass explained: what it is, how it works" and "Scary Chip Flaws Raise Spectre of Meltdown".
Some operating system vendors have not yet released patches, so potential performance impacts are not fully known. Additionally, any performance impact will depend on the specific operating system, the workload being run, and so on, so it will be very environment specific. Microsoft® has done some performance tests, detailed in "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems", which indicate that the performance impact will depend on the variant. However, Google® suggests that any performance impact will be minimal: "Google says CPU patches cause ‘negligible impact on performance’ with new technique".
You can ascertain the performance impact in your own environment as follows, provided you have a test environment that mimics production:
- Perform controlled testing to measure performance and throughput.
- Apply the patch provided by the operating system vendor.
- Repeat tests to identify any differences.
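One way to carry out these three steps on a Linux test host, as an added example (not ForgeRock code): it records the mitigation state the kernel reports, so each run is provably labelled as unpatched or patched, and then compares the two load-test runs. The function names are hypothetical and the latency samples are constructed; feed in the output of your own load tool.

```python
"""Added example: label benchmark runs with mitigation state, then compare them."""
import statistics
from pathlib import Path

# Linux kernels 4.15 and later expose one status file per CPU vulnerability here.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def mitigation_state(vuln_dir=SYSFS_VULN_DIR):
    """Return {vulnerability: status line}; empty dict if the directory is absent."""
    vuln_dir = Path(vuln_dir)
    if not vuln_dir.is_dir():
        return {}
    return {f.name: f.read_text().strip()
            for f in sorted(vuln_dir.iterdir()) if f.is_file()}


def summarize(latencies_ms, duration_s):
    """Summarize one run: throughput plus median and 95th-percentile latency."""
    ordered = sorted(latencies_ms)
    rank = -(-95 * len(ordered) // 100)  # nearest-rank percentile: ceil(0.95 * n)
    return {
        "throughput_rps": len(ordered) / duration_s,
        "p50_ms": statistics.median(ordered),
        "p95_ms": ordered[max(0, rank - 1)],
    }


def compare(before, after):
    """Percent change of each metric from the baseline run to the patched run."""
    return {k: round(100.0 * (after[k] - before[k]) / before[k], 1) for k in before}


# Constructed sample data: per-request latencies from two 2-second runs.
BASELINE_MS = [10, 11, 12, 10, 11, 13, 12, 11, 10, 20]
PATCHED_MS = [12, 13, 12, 14, 13, 12, 15, 22]

if __name__ == "__main__":
    # Run once before and once after patching; store the state with each result set.
    for name, status in mitigation_state().items():
        print(f"{name}: {status}")
    delta = compare(summarize(BASELINE_MS, 2.0), summarize(PATCHED_MS, 2.0))
    for metric, pct in delta.items():
        print(f"{metric}: {pct:+.1f}%")
```

If the recorded state is identical for both runs, the patch was not active during the second one and the comparison says nothing about its cost.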
You may want to check with your Java vendor to see if they have any additional comments on the impact either now or once the operating system fixes are deployed.