Following the public announcement of the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) security vulnerabilities earlier this month, the Neo4j team wants to keep you informed on how these vulnerabilities affect users and customers of the Neo4j Graph Platform.
Here are the most frequent questions and answers we have received on these security vulnerabilities:
Meltdown & Spectre: Frequently Asked Questions
Q: What are Meltdown and Spectre?
A: Meltdown and Spectre are attacks that exploit flaws in the speculative execution found in almost all modern processors. A malicious program running on the same server could use them to read memory it is not entitled to: Meltdown lets an unprivileged process read kernel memory, and Spectre lets a process read memory belonging to other programs on the same machine. The links in this article provide further details about how they work and their potential impacts. Exploitation would be very hard to detect, since it leaves no trace in ordinary system or application logs, but as of this writing there are no known cases of abuse.
Q: How might Meltdown and Spectre affect Neo4j?
A: In theory, a malicious program running on the same server as Neo4j could read graph data from Neo4j’s memory, including the contents of the page cache and the JVM heap. Both attacks require the attacker to already be running code on that host, so in practice the risk is small for Neo4j deployed on dedicated, locked-down servers that run no untrusted code, and correspondingly larger where the host is shared with other tenants or workloads. Either way, it is important to eliminate this risk through OS and firmware fixes or workarounds.
Q: Does Neo4j need to be patched to work around these vulnerabilities?
A: No. These are hardware vulnerabilities, so they can only be worked around at the levels below Neo4j: in the operating system kernel and in CPU microcode or firmware. Patches are already available for all of our supported operating systems, and we expect further OS and firmware patches to become available over the coming weeks and months. Note that an OS patch normally takes effect only after a reboot into the updated kernel.
Q: Will Neo4j performance be affected by the OS-level workarounds?
A: We are conducting tests to discover the impact on Neo4j. We are comparing performance before and after applying OS-level workarounds, for the latest patch release of each supported version of Neo4j. This testing may lead us to make changes to Neo4j to mitigate any performance degradation.
At present, it’s too early to tell what the performance impact might be or whether changes to Neo4j itself will be helpful.
Q: What actions should I take as a Neo4j user in response to these vulnerabilities?
A: The Neo4j team recommends applying the relevant patches as they become available from your operating system vendor. Because many of these patches are very new, some have caused stability and performance regressions on other systems, so test the OS upgrade on a staging system, confirm that the mitigations are actually active after the reboot, and measure Neo4j’s performance there before rolling it out to your production systems. Please contact Neo4j Support for further advice.
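Applying an OS patch is not the same as having the mitigation active: the kernel may need a reboot, or a mitigation may have been disabled at boot. The script below is an added example, not code from the Neo4j post or the Neo4j project. It reads the Linux sysfs status files for Meltdown and the two Spectre variants, which exist on kernel 4.15 and on vendor kernels that backported the interface (an assumption about your distribution; older patched kernels report KPTI only in dmesg), and first runs its classifier over constructed sample lines so the logic is visible on any host:

```sh
#!/bin/sh
# Added example (not from the Neo4j post): report what the running Linux kernel
# says about its Meltdown/Spectre mitigations. The sysfs files below exist on
# Linux 4.15+ and on vendor kernels that backported the interface; on older
# patched kernels the KPTI status appears only in dmesg (see report_host).

SYSFS_VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# classify_status STATUS_TEXT
# Maps the text of one sysfs file to one of: mitigated, not_affected,
# vulnerable, unknown. The prefixes are the ones the kernel writes.
classify_status() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    Mitigation:*)    echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# demo_constructed: run the classifier over constructed sample lines (made up
# for this example; they mimic real kernel output) so the logic can be seen
# without a patched host.
demo_constructed() {
  printf '%s\n' \
    'meltdown|Mitigation: PTI' \
    'spectre_v1|Mitigation: __user pointer sanitization' \
    'spectre_v2|Vulnerable: Minimal generic ASM retpoline' |
  while IFS='|' read -r name text; do
    printf '%-10s %-13s %s\n' "$name" "$(classify_status "$text")" "$text"
  done
}

# report_host: read the real files. Exit status 0 = every variant mitigated or
# not affected, 1 = at least one vulnerable/unknown, 2 = interface absent.
report_host() {
  if [ ! -d "$SYSFS_VULN_DIR" ]; then
    echo "$SYSFS_VULN_DIR not present: kernel predates the sysfs interface."
    echo "On such kernels check: dmesg | grep -i 'page tables isolation'"
    return 2
  fi
  rc=0
  for v in meltdown spectre_v1 spectre_v2; do
    f="$SYSFS_VULN_DIR/$v"
    if [ -r "$f" ]; then
      text=$(cat "$f")
    else
      text=""
    fi
    class=$(classify_status "$text")
    printf '%-10s %-13s %s\n' "$v" "$class" "${text:-(file missing)}"
    case "$class" in
      mitigated|not_affected) ;;
      *) rc=1 ;;
    esac
  done
  return $rc
}

echo "Constructed sample:"
demo_constructed
echo
echo "This host:"
report_host || echo "host check exit status: $?"
```

Run it on the staging host before and after the OS upgrade and reboot; a `vulnerable` or `unknown` line after the upgrade means the package landed but the mitigation is not in effect, which is exactly the gap a production rollout should not inherit. The same before/after pair of runs is a natural point at which to capture Neo4j benchmark numbers.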
Further Updates Are Forthcoming
As of this writing, the Neo4j team is conducting further research into how the Meltdown and Spectre vulnerabilities affect the security and performance of the Neo4j graph database.
Please check back frequently as this blog post (and other locations across our website) will be updated as more information becomes available.
Resources on Meltdown & Spectre
About the Author
Alistair Jones, Director of Engineering, Neo4j
Alistair Jones is an engineer at Neo4j, specializing in clustering and consensus algorithms. He also has a side interest in graph visualization.