As related in our previous post, we are working towards the L1 Terminal Fault (L1TF) mitigations deployment and wanted to provide a brief update.
Current situation
The mitigations for all published CVEs have now been applied to all the sites
DE-FRA-1, CH-GVA-2, CH-DK-2 and AT-VIE-1. Unlike most cloud providers,
the rollout has been performed in most cases without any impact to your
instances and business.
One of the attack involve the use of the so called SMT CPU feature, known as HyperThreading. We’re currently relying on this feature. The current and only workaround requires to disable it as there’s no software mitigation available. We’re currently still evaluating the opportunity to do so since it may cause a very important impact on your instances.
A few additional other important vulnerabilities have also been mitigated:
- Spectre Variant 4, CVE-2018-3639
- Linux Kernel TCP Reassembly Algorithm Remote Denial of Service Vulnerability, CVE-2018-5390
To be fully protected, you need to apply updates from your OS vendor. Linux distributions and Windows come with the appropriate countermeasures.
For existing instances, a stop and start from our portal or API is also highly recommended in order to enable the new CPU features.
Linux users may test their current protection level using this checker.