CVE Live Patching for Database



  • Quick question regarding database patching, especially for CVEs. Did you see whether this live-patching technology is very important to have for our open-source database?

    I mean I don't even need to do any failover, since most of our databases today are also in HA/Galera Cluster/DBaaS. What do you guys think about this?

    EG: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2154 https://access.redhat.com/security/cve/cve-2021-32029



  • With databases already having their HA strategies, the addition of userspace live patching like https://github.com/SUSE/libpulp would require more server-side development and some very careful replacement of functions (and how do function pointers work?), a clear understanding of the mutexes around the code changed, and extensive testing.

    While not impossible, I don't think database developers have this much free time for this kind of innovation at the moment. Maybe with improved tooling it could be experimented with later.

    The existing removal of a node, update, and rejoin provides a significantly easier path for database developers, as the complexities of the live aspect are replaced with more stable and tested code paths.
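The remove-update-rejoin path above still has a failure mode worth automating: taking a node out of a Galera cluster that is already degraded, or that has not finished syncing, can cost quorum or serve stale data. The following is an added example, not code from the thread or from any Galera project, showing a readiness check a patch-rollout script could run before draining each node. It parses the (constructed) tab-separated output of `SHOW GLOBAL STATUS LIKE 'wsrep_%'` and assumes a three-node cluster; the status variable names are real Galera ones, everything else is illustrative.

```python
"""Rolling-patch readiness check for a Galera node (added example, not from the original thread)."""
from typing import Dict, List

# Constructed sample of `SHOW GLOBAL STATUS LIKE 'wsrep_%'` as printed by `mysql -B -N`
# (tab-separated name/value pairs). Only the variables the check needs are included.
SAMPLE_STATUS = """wsrep_cluster_size\t3
wsrep_cluster_status\tPrimary
wsrep_local_state_comment\tSynced
wsrep_ready\tON
wsrep_connected\tON
"""

# Assumption for this example: the cluster is configured with three members.
EXPECTED_CLUSTER_SIZE = 3


def parse_status(raw: str) -> Dict[str, str]:
    """Turn tab-separated status lines into a dict; blank lines are ignored."""
    status: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        status[name.strip()] = value.strip()
    return status


def drain_check(status: Dict[str, str], expected_size: int = EXPECTED_CLUSTER_SIZE) -> List[str]:
    """Return the reasons this node must NOT be removed for patching right now.

    An empty list means the node can be taken out of rotation: it is part of the
    primary component, fully synced, and its departure still leaves a quorum.
    """
    reasons: List[str] = []
    if status.get("wsrep_cluster_status") != "Primary":
        reasons.append("node is not in the primary component")
    state = status.get("wsrep_local_state_comment", "unknown")
    if state != "Synced":
        reasons.append(f"node state is {state}, not Synced (it may be a donor or still joining)")
    if status.get("wsrep_ready") != "ON" or status.get("wsrep_connected") != "ON":
        reasons.append("node is not ready/connected to the cluster")
    try:
        size = int(status.get("wsrep_cluster_size", "0"))
    except ValueError:
        size = 0
    # After this node leaves, the remaining members must still be a strict majority
    # of the configured membership, otherwise the cluster drops to non-Primary.
    if size - 1 <= expected_size // 2:
        reasons.append(f"removing this node leaves {size - 1} of {expected_size} members, below quorum")
    return reasons


def rolling_plan(node_statuses: Dict[str, str], expected_size: int = EXPECTED_CLUSTER_SIZE) -> Dict[str, List[str]]:
    """Split nodes into those cleared for a one-at-a-time patch and those blocked, with reasons."""
    plan: Dict[str, List[str]] = {"cleared": [], "blocked": []}
    for node, raw in sorted(node_statuses.items()):
        reasons = drain_check(parse_status(raw), expected_size)
        if reasons:
            plan["blocked"].append(f"{node}: " + "; ".join(reasons))
        else:
            plan["cleared"].append(node)
    return plan


if __name__ == "__main__":
    # Constructed cluster: one healthy node, one acting as SST donor, one seeing a degraded cluster.
    nodes = {
        "db1": SAMPLE_STATUS,
        "db2": SAMPLE_STATUS.replace("Synced", "Donor/Desynced"),
        "db3": SAMPLE_STATUS.replace("wsrep_cluster_size\t3", "wsrep_cluster_size\t2"),
    }
    for bucket, entries in rolling_plan(nodes).items():
        print(bucket, entries)
```

The check is deliberately per-node and re-run before each drain, since a node that was cleared at the start of the rollout may have become a donor or lost a peer by the time its turn comes.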



