Elastic is aware of the Meltdown and Spectre vulnerabilities and we are addressing them for Elastic Cloud. We know that you entrust your data to our cloud service, and we take the confidentiality of all data very seriously. At this time, we are not aware of any exploit on our cloud service that utilized the Meltdown or Spectre vulnerabilities.
The Meltdown or Spectre vulnerabilities apply when untrusted code can execute on a system. At the host infrastructure level, we know that both our infrastructure providers (AWS and GCP) have patched their systems, and are no longer vulnerable.
At the Elastic Cloud service level, Elastic Cloud allows you to upload some artifacts, such as plug-ins, dictionaries, and scripts. These uploads provide a potential vector of attack that could exploit Meltdown. Old Elasticsearch clusters on version 1.x are more vulnerable. Except uploads from you, Elastic Cloud does not allow for untrusted code execution.
Based on our assessment, we believe the impact of Meltdown and Spectre to Elastic Cloud to be small. We have focused our efforts on mitigation and control while we carry out our regular process for operating system patches in an accelerated fashion.
We disabled non-sandboxed scripting for all Elasticsearch 1.x clusters as a primary, customer-visible mitigation. We have also disabled self-service uploads of custom bundles from you until we have fully completed our patching.
Behind the scenes, we’ve further increased our observability of system-level calls and isolated clusters running version 1.x of Elasticsearch on their own hosts.
Patching and Customer Impact
We are using an accelerated version of our regular maintenance procedure to perform OS-level updates while maintaining service availability for user clusters. Your clusters will not experience downtime from this operating system patching.
There is considerable speculation on the internet about the performance impact of the patches to address Meltdown. We have begun Elasticsearch-specific testing to establish the impact for our common benchmarking scenarios and will publish a blog post with this information as soon as we have it.
As always, our support team is available to answer questions you have regarding Meltdown, Spectre, and our handling of them. Please use your standard support channel to ask those questions.