As related in our previous update we are working towards the Meltdown and Spectre mitigations deployment and wanted to provide a brief update.
KVM, the virtualization technology used on our hypervisors, isn't vulnerable to Meltdown-type attacks across the virtualization boundary: a guest instance can't read host memory or the memory of any other guest. Meltdown still applies inside a guest, where an unprivileged process can read the guest kernel's memory until the guest kernel itself is patched, which is why the OS updates discussed below matter.
Spectre variants 1 & 2
As mentioned in our previous post, the Spectre mitigations are only fully effective when the host, the guest and the host CPU microcode are all updated.
Since the beginning, Intel has been vague in its communication. We are still waiting for microcode updates covering a substantial part of our hypervisor fleet; some updates were released and then pulled by the vendor due to stability concerns.
DE-FRA-1 is the only site where mitigations for all published CVEs have been
However, to be fully protected you also need to apply updates from your OS vendor. Ubuntu, Debian and CentOS ship the appropriate countermeasures. The situation on Windows is less clear, as Microsoft has partly disabled them due to stability concerns.
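The two points above (mitigations need host, guest and microcode together; guests must apply OS updates) are easiest to verify from inside the instance. The script below is an added example, not part of the original post, and assumes a Linux guest whose kernel exposes /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 or a distribution backport; older kernels simply lack the files). It classifies each entry, and for spectre_v2 reports whether the IBPB/IBRS features from the new microcode are visible to the guest. That last interpretation is ours: in a KVM guest those keywords appear only when the host microcode is installed and the hypervisor passes the feature bits through. The sample sysfs directory it builds first is constructed data, not taken from any real host.

```shell
#!/bin/sh
# Guest-side check of the Meltdown/Spectre mitigation state the kernel reports.
# Added example; not part of the original post. Assumes a Linux guest whose
# kernel exposes /sys/devices/system/cpu/vulnerabilities/ (4.15+ or a vendor
# backport); on older kernels the files are simply missing.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> mitigated | vulnerable | not_affected | unknown
# Input is the text of one sysfs file, e.g. "Mitigation: PTI" or "Vulnerable".
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation: "*) echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# mitigation_detail STRING -> the part after "Mitigation: " (empty if none)
mitigation_detail() {
    case "$1" in
        "Mitigation: "*) printf '%s\n' "${1#Mitigation: }" ;;
        *)               printf '\n' ;;
    esac
}

# microcode_features STRING -> yes | no
# For spectre_v2 the kernel appends "IBPB"/"IBRS" only when the CPU advertises
# the new speculation-control features. In a KVM guest that requires the host
# microcode update *and* a hypervisor that passes the feature bits through, so
# "no" on a retpoline kernel usually means the host side is still pending
# (our interpretation, see the lead-in).
microcode_features() {
    case "$1" in
        *IBPB*|*IBRS*) echo yes ;;
        *)             echo no ;;
    esac
}

# read_status DIR NAME -> file contents, or "missing" when the kernel lacks it
read_status() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# count_vulnerable DIR -> number of entries still reported as Vulnerable
count_vulnerable() {
    n=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ "$(classify_status "$(read_status "$1" "$name")")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# report_guest_status DIR -> one line per issue plus a note on spectre_v2
report_guest_status() {
    for name in meltdown spectre_v1 spectre_v2; do
        status=$(read_status "$1" "$name")
        printf '%-10s %-13s %s\n' "$name" "$(classify_status "$status")" "$status"
    done
    if [ "$(microcode_features "$(read_status "$1" spectre_v2)")" = no ]; then
        echo "note: no IBPB/IBRS in spectre_v2 -> new microcode features not visible to this guest"
    fi
    echo "vulnerable entries: $(count_vulnerable "$1")"
}

# make_sample_dir -> path to a constructed sysfs look-alike (sample data, not
# taken from any real host): guest kernel patched, host microcode not yet seen.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI"                         > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline"      > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
echo "== constructed sample =="
report_guest_status "$sample"
rm -rf "$sample"

echo "== this guest ($VULN_DIR) =="
report_guest_status "$VULN_DIR"
```

Run it as-is on an instance after the OS update and a reboot. A "Vulnerable" line means the guest kernel is not yet patched for that issue; a mitigated spectre_v2 line without IBPB/IBRS means the guest side is done but the host microcode rollout described below has not yet reached that hypervisor.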
We are currently carrying out a reboot campaign to roll out the updates within AT-VIE-1 sites. Only the hosts for which Intel has already provided new microcode are being updated; the remaining hosts will be completed as soon as the updates are made available by the vendor.
While the current countermeasures from OS vendors cannot be fully effective against Spectre until the host microcode is in place, you are still encouraged to apply them: they protect your instances from Meltdown.
Unlike most cloud providers, we are performing the current rollout in most cases without any impact on your instances or your business.
We anticipate that it will take a few additional weeks to receive the remaining updates, test them, and complete the deployment on all sites.