On January 3rd, several vulnerabilities affecting modern CPU microarchitectures made news headlines. These vulnerabilities create a risk of information leakage: a program could potentially exploit them to access another program's data stored in memory. This is a major security incident.
In total, two attack vectors have been disclosed to the public:
- Spectre: two vulnerabilities present in nearly all processors on the market. Those two vulnerabilities are known as “bounds check bypass” (CVE-2017-5753) and “branch target injection” (CVE-2017-5715).
- Meltdown: one vulnerability affecting mainly Intel CPUs, known as “rogue data cache load” (CVE-2017-5754).
Impact for Algolia
Our infrastructure is a mix of bare-metal and cloud infrastructure. We have three parts in our infrastructure that are impacted by these security vulnerabilities.
Our API servers
Those servers host our users’ data and power the indexing/search API. They are distributed worldwide in more than 50 data centers with a similar hardware configuration using Intel CPUs (mainly Intel E5-1650v4). The servers are configured and tuned for performance. We have no virtualization layer and only run our own software while applying security best practices.
The CPUs we are using are vulnerable, but the impact is mitigated because we do not expose any way to run custom code on our machines. The only way to exploit those vulnerabilities would be to first gain access to a machine, and that access would already give access to privileged information. Our security efforts remain oriented toward making this impossible, and we are working on integrating the KPTI kernel patch and on testing and reducing the performance impact it introduces.
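One way to confirm on each bare-metal host whether the kernel reports KPTI and the Spectre mitigations as active, shown as an added example that is not Algolia's own tooling. It assumes a Linux kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` directory; the function names and the sample directory contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: Linux kernel recent enough to expose this sysfs directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE, using the names given in the article
CHECKS = {
    "spectre_v1": "CVE-2017-5753 (bounds check bypass)",
    "spectre_v2": "CVE-2017-5715 (branch target injection)",
    "meltdown": "CVE-2017-5754 (rogue data cache load)",
}

def classify(raw):
    """Map one sysfs status line (None if the file is absent) to (state, detail)."""
    if raw is None:
        return "unknown", "kernel does not report this issue"
    line = raw.strip()
    if line.startswith("Not affected"):
        return "not_affected", line
    if line.startswith("Mitigation:"):
        return "mitigated", line.split(":", 1)[1].strip()
    # "Vulnerable" and any unrecognized text count as unmitigated.
    return "vulnerable", line

def mitigation_report(sysfs_dir=SYSFS_DIR):
    """Return {cve: (state, detail)} for the three issues in CHECKS."""
    report = {}
    for name, cve in CHECKS.items():
        path = Path(sysfs_dir) / name
        report[cve] = classify(path.read_text() if path.is_file() else None)
    return report

def needs_attention(report):
    """CVEs that are neither mitigated nor reported as not affecting this CPU."""
    return sorted(c for c, (s, _) in report.items() if s in ("vulnerable", "unknown"))

def constructed_sample():
    """Constructed input: KPTI on, Spectre v2 unmitigated, spectre_v1 file missing."""
    d = Path(tempfile.mkdtemp())
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v2").write_text("Vulnerable\n")
    return d

if __name__ == "__main__":
    source = SYSFS_DIR if SYSFS_DIR.is_dir() else constructed_sample()
    rep = mitigation_report(source)
    for cve, (state, detail) in rep.items():
        print(f"{cve}: {state} ({detail})")
    raise SystemExit(1 if needs_attention(rep) else 0)
```

The non-zero exit status when any of the three issues is unmitigated or unreported lets the script be used as a fleet-wide compliance check after a kernel rollout.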
Our website and dashboard
We are using AWS to run our website and dashboard, and this is the place where we have our database listing users. We, of course, consider it a critical part of our infrastructure.
We closely followed AWS's actions to protect all instances, and they have completed the patch deployment that protects them.
However, we decided to move all our website and dashboard virtual machines to dedicated instances to make sure we do not share our hardware with any other AWS customers. This action was not required for protection, but our general security posture is one of extreme caution.
Our analytics stack computes statistics on your search usage and analyzes query trends.
We are in the process of migrating our analytics stack to Google Compute Platform and we already have several customers running on this stack (our current stack is on bare-metal machines, so the status is similar to our API servers).
Like AWS, Google had been working on the fix for a long time, and their infrastructure is already protected against those vulnerabilities. Our stack also relies on several systems, including Pub/Sub and DataFlow, which are protected against the vulnerabilities.
Security at Algolia
Our security team is constantly monitoring services running on our own machines, as well as those hosted on cloud platforms, to ensure that we’re protected against the latest security vulnerabilities. If you have any questions about our process or want to share any information, feel free to reach out to the team directly at firstname.lastname@example.org.