As you have most likely heard, two important security advisories were released this week. The vulnerabilities have been dubbed Spectre and Meltdown. Both were found independently by several parties, including Google's Project Zero and Graz University of Technology.
The following CVEs have been assigned:
- CVE-2017-5753 (Spectre variant 1, bounds check bypass)
- CVE-2017-5715 (Spectre variant 2, branch target injection)
- CVE-2017-5754 (Meltdown, variant 3, rogue data cache load)
These attacks are feasible on Intel processors such as the ones Exoscale relies on. The attack variants that are specific to Xen paravirtualization or to single-kernel setups such as containers do not impact Exoscale. The potential security impact nevertheless remains critical.
To ensure these vulnerabilities cannot be exploited on Exoscale, we are currently testing Linux kernels that contain the software mitigations. Once we are confident that no regression will occur, we will roll out the update to all hypervisors, which will require a reboot of your Exoscale instances.
We will keep you informed of our maintenance schedule and will do our best to keep disruptions to a minimum.
Customers relying on dedicated hypervisors will also be part of the scheduled hypervisor reboot roll-out, but since no other customer's instances run on their hosts they are not exposed to attacks from malicious neighbours.
Should you need any additional detail, reach us through support. If you need to disclose sensitive information, follow the procedure described on our Security page.
What should you do?
As a customer, you remain responsible for keeping the operating system inside your instances up to date: the hypervisor update protects the host and isolates instances from one another, but it does not patch the kernel running in your guest. Depending on your instance type, updates may or may not be available yet.
Please refer to your operating system vendor for details. For reference, here are links to the relevant vendor pages for our most used OS templates:
Ubuntu
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5715.html
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5753.html
- https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5754.html
Windows
- https://support.microsoft.com/en-us/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e
Red Hat and CentOS
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5715
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5753
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5754
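Once the vendor update is installed, the guest kernel itself reports whether the mitigations are active. The script below is an added example, not part of this advisory and not an Exoscale tool. It assumes a Linux guest whose kernel exposes /sys/devices/system/cpu/vulnerabilities/ (introduced in 4.15 and backported by the vendors linked above); on an unpatched kernel the directory is simply missing, which is itself the sign that the update has not been applied. The function names and the sample status values in make_sample_dir are constructed for illustration, modelled on the strings the kernel actually writes.

```shell
#!/bin/sh
# Added example, not an Exoscale script: report the guest kernel's
# speculative-execution mitigation status from sysfs.
# Assumption: a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# (added in 4.15 and backported into vendor kernels); older kernels lack it.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify "<status line>" -> one of: not-affected, mitigated, vulnerable, unknown
# The kernel writes "Not affected", "Mitigation: <details>" or "Vulnerable[: <details>]".
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vuln_dir <dir>: print "<name> <state> <raw status>" for every entry.
# Returns 1 if any entry is still vulnerable, 2 if the directory is missing, else 0.
check_vuln_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir not found: this kernel does not report mitigation status (too old?)" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        state=$(classify "$raw")
        printf '%-20s %-13s %s\n' "$name" "$state" "$raw"
        if [ "$state" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_dir: constructed stand-in for sysfs (hypothetical values modelled
# on real kernel status strings) so the parsing can be exercised on any host.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Vulnerable\n' > "$d/meltdown"
    echo "$d"
}

# Live run against this guest. Under a hypervisor these values describe the
# guest kernel's own mitigations; they say nothing about the host's patch level.
if check_vuln_dir "$VULN_DIR"; then
    echo "OK: no entry reports Vulnerable"
else
    echo "WARNING: mitigation missing or status unavailable; apply your vendor's kernel update" >&2
fi
```

Run it as `sh check-specex.sh` on each instance after rebooting into the updated kernel. The return code of check_vuln_dir (1 for any remaining "Vulnerable" entry, 2 when the kernel is too old to report at all) is what a configuration-management or monitoring job should key on, rather than the human-readable lines.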